These are the security-related rules and restrictions that apply to all employees. We trust you, but it is better to have some rules than none at all, just in case you inadvertently step across what we consider the line. At the very least, it is important to state explicitly what we consider "the line" to be.
Most of these restrictions are common-sense things, as you will see. However, not everyone sees common sense the same way, therefore in critical matters like information security and confidentiality, a written statement helps. As we wrote the list of points, we realised that the list had become fairly long, and this depth of material is best maintained as a carefully and clearly written note. It's more than mere common sense.
In order to understand these policy decisions, we must distinguish between "production systems", where people do their normal office work and store their personal and official data, and "lab systems", where people perform experiments with hardware and system software. Security restrictions apply to the "production systems". Lab systems can be formatted by an engineer at will, and loaded with (legal) software of his choice. Lab systems and production systems are kept in physically separate networks, connected by a carefully controlled firewall. This is necessary to maintain two very dissimilar systems with different sets of security demands in the same office.
The list of points about IS security is:
- Protect your username and password: You will not share your password with anyone. You will keep a password which is not easily guessable. Yes, it will be considered your fault if someone uses your "abc123" password and misuses the systems.
- No masquerading: You will not access any system while logged in as someone else, unless you are doing it in the presence of, and with the full cooperation of, that someone else. In other words, if a colleague logs in and then asks you to try out a command to help him out of a technical problem, that's fine. If a colleague logs in, goes for a cup of coffee, and you run commands from his shell prompt without his knowing, you're breaking this rule.
- No security subversion attempts: You will never make any attempt to guess any other colleague's password, or subvert the security of the production systems in any way, even for a joke. You can try password-cracking tools and techniques on a machine in the lab, where no employee has any production data.
- No misuse of supervisor privileges: If you have root access or admin privileges on any production system, you will not use these privileges to read any file or change any setting which gives you access to the data of a colleague.
- Report vulnerabilities you find: You will report, by email to security-holes@starcomsoftware.com, any security vulnerability that you find on production systems. This includes any password of any colleague which you have accidentally guessed. You will also inform the affected colleague about this vulnerability. This also applies to improper permission settings on any directory used by your colleague to store his individual data, or any known vulnerability of any system software which will allow you to breach access control restrictions in production systems in any way.
- Report inadvertent supervisor access: Only one or two designated employees are supposed to have legitimate administrator privileges on production systems. Others do not have such privileges. (This was one of the key design goals of our office IS infrastructure, incidentally, when it was designed in November 2000. This continues to be one of the key desirable attributes of this infrastructure. And this is quite common in well-managed corporate environments; many companies do not permit their own laptop-using officers to get administrative access to the laptops they use.)
If you find that you or any other non-designated colleague have such privileges directly or because of some indirect access path, you must immediately report this by email to security-holes@merceworld.com. Note: Production systems include all diskless computers and desktops too, not just servers. Production systems also include all external servers administered by our company on the Internet (e.g. pub1).
- Production LAN is a controlled area: The production systems are on one IP subnet (10.1.1/24), henceforth called the "production subnet" or "production LAN", and the lab systems are on another (10.1.2/24). The production subnet is controlled, i.e. you cannot add a new computer to this subnet, or change the IP address of any computer on this subnet, without official clearance in writing. You are free to do what you want on the lab subnet. (This is quite common in tightly-controlled corporate environments, incidentally. In AZB Bombay, even managing partners of the firm cannot connect their personal laptops to the office LAN and access production servers.)
- No access to inappropriate material: You are not permitted to access pornographic Websites or any other server which is inappropriate for business use. Here, we will classify inappropriate sites into two levels of seriousness. One level includes pornographic sites, or any other sites which may have content which is unethical, embarrassing, or harassing to colleagues. These include sites which deal with discussions on destabilising the sovereignty or integrity of any country, sites which promote religious, political, racial or other hatred or xenophobia, or sites whose content may be construed as sexual harassment by any member of the company. If you are found accessing such sites from office infrastructure or while in office, you may lose your job.
The second level includes sites which are not upsetting, embarrassing, or harassing to colleagues, but which are inappropriate for business use. Cricket commentary sites and film gossip sites are in this category. You should not access such sites, though the penalty for violating this rule will usually be less severe than for accessing the Level 1 prohibited sites.
- No access to systems by outsiders: Outsiders/visitors will not be allowed to use the computers in the office unless (i) they need to do so for something which is part of the official work of the company (the necessity restriction), AND (ii) they are accompanied by an employee who takes responsibility for what the visitor is doing (the supervision restriction). Any such access by a visitor must be in the constant physical presence of a supervising employee at all times. Reasons like "Oh, he just wanted to check his Yahoo mail account, so I gave him my browser and went for a smoke" will be treated as highly irresponsible behaviour of the employee. Remember, while he is at your X desktop or shell prompt, he can at the very least inadvertently delete files, whose absence you will notice months later.
The necessity restriction may be waived by you at your discretion for official visitors who have come to our office for a long visit (e.g. for a day-long meeting) and they want to check their email using a Webmail interface. But the supervision restriction will never be waived.
All restrictions applicable to you will automatically be applicable to any visitor under your supervision. Common sense, we thought.
- The Big-Brother clause: Your activities on office IS infrastructure may be monitored by authorised personnel of the company.
Monitoring may include tracking which Websites you visit, monitoring the contents of emails you send and receive, and the contents of files created, downloaded or stored by you on any office computer. Such monitoring may be done as part of automated monitoring processes using computerised tools, or as part of special manual and detailed examinations if there is adequate grounds to suspect any unprofessional or unethical conduct.
- Respect software licence terms: You will respect the terms of all software licences that you work with. This means, among other things, that you will not make illegal copies of copy-protected software available in office, or bring to office such illegal copies of software from outside.
- Internally developed software is controlled information: As a follow-up to the previous point, all software developed in the company as part of any official assignment or project by you or any other colleague is under the control of the company. This means that you do not have the freedom to make copies of even a single line of such code and pass it on to anyone outside the company, without written permission. This restriction applies strictly; you cannot share code with friends even to discuss an example in an engineering discussion without such permission.
Demo copies of products we develop are also under the control of the company; the decision to give or not give a demo copy to an external entity needs to be governed by complex strategic factors in many cases. You do not have the freedom to distribute demo copies to your friends unless explicitly authorised to do so, and authorisation must be separately sought for each such recipient.
Any material hosted on our company's public Website and linked directly or indirectly from the main pages of the Website is considered public; you may distribute such material to all and sundry. This means that when we start hosting demo copies of our products on our public Website and linking to them from the main pages, you can freely forward copies of such software to anyone you like.
- Confidentiality of all official information: All information you read in official printed matter, official emails, all files stored on office servers, and all messages that you see on the company's internal Usenet servers is confidential information. This too is common sense for some of us, but may not be common sense for you.
All confidential information must be kept confined only to those colleagues who need to know it and who have legitimate official access to it. Not all members of the company have legitimate access to all official information within the company. No confidential information must be shared with any outsider without written permission.
Non-disclosure of confidential information includes non-disclosure of the existence of such information. If we are working on a tender document, not only are the contents of the document to be kept confidential, the very existence of that document is also to be kept confidential.
Official information includes all information that you learn about the company's clients, as part of your work. Such information is by default strictly confidential till you are told otherwise. Even the network architecture of a client and the type of OS they run on their mail servers, for instance, is confidential information.
- Working off-site: While working at client sites, you often access your company email messages and receive information from colleagues on various matters. Sometimes you check mail from cybercafes. It is important that such information should not be left lying on computers belonging to our client. It is also important that extra precautions be taken to protect your account passwords while logging into your email account from client sites or cybercafes.
- Client's security policies: When our officers are posted at a client site, the security restrictions specified here become applicable to the client's data, user accounts and servers. For instance, you will not make any attempt to subvert the security of a client's information systems, masquerade as an employee of the client, etc. In addition, you will treat all information available at the client site but not explicitly given to you as off-limits information. A document lying on a table at the client site is not to be touched, unless someone explicitly indicates that you should touch it. In particular, given our line of business, email messages at client sites are not to be read unless they are addressed to you.
- Forwarding of company email: Many of you would like to forward a copy of your company email account to some external Web-based email account. This is a serious security risk. Any account used as a repository for official email must be treated with the same care as company IS infrastructure. You must ensure that no one but you can access that account. All issues related to confidentiality of information and non-guessable passwords apply to that email account too.
We do not want you to forward your company email to such public email services. They are not known for their security, and the hacker underground trades lists of millions of such accounts and passwords among themselves, to be used for identity theft. Remember that identity theft for an employee of our company could result in direct monetary loss to him, because the intruder may be able to break into your Citibank Suvidha account with some dexterity and effort.
If you feel that there is some important official reason why you deserve this right, then please let us know and we will grant permission on a case-by-case basis. Till then, this is off-limits. If you are already forwarding your email to such an account as on date, switch it off now.
- Laptops: Laptops owned by employees, i.e. "personal" laptops, but brought into the office and connected to the production LAN, form a special case which is discussed separately. Special restrictions apply to these computers, since they pose a severe vulnerability window for corporate IS.
- Not limited by hour, day, or date: These restrictions are not limited to office hours or working days. You will not be forgiven if you browse pornographic Websites from office at nine in the night, just because it was "outside office hours and no one else was there."
Personal laptops in office
Laptops owned by employees and never brought into the office or connected over any network (e.g. the Internet) to the production networks are truly personal. They are not in the purview of the company's IS security policy.
Once they are brought into the office, they must follow the guidelines of the company's policies. In that sense, they no longer remain purely "personal". (This is like the case for clothes you wear to official meetings. If you wear certain clothes only when you are off-duty, the company has no opinions on what you choose to wear or not wear. However, the company will have clear opinions about what constitutes acceptable dressing for official meetings, even though the clothes belong to you.)
Restrictions about personal laptops connected to the company's production networks are meant to ensure that your security practices on your laptop do not weaken the IS security of the company. All restrictions which are applicable to your use of the company's computers are applicable for personal laptops brought to office. In addition, some extra responsibilities also apply, because the laptop is now in your personal care and responsibility.
These include, but are not limited to, the following:
- Ask for permission first: You will ask for permission, in writing, before connecting your personal laptop to the office production network for the first time. When asking for permission, you will state whether you have read and understood the IS security policy of the company, and whether you take responsibility for ensuring that your laptop will comply with it.
- Physical security: You must never leave the laptop accessible to others in your absence. All information on your laptop can usually be stolen if its HDD is removed or it is booted from a CD.
- IP address: Your laptop will be assigned an IP address and subnet mask for connecting to the production LAN. You will never set any other IP address on your laptop while connected to the production LAN.
- Password security: Password security now extends to the laptop. The root password for your laptop and those for all non-root accounts must be known only to you. They must not be easily guessable.
- User account control: You must create a user account on the laptop with the same username as the one given to you on the official systems. This must be the account which you use for normal work, and you must log in as other users only for brief and special requirements. This normal working account must not have supervisor or root privileges.
- No security subversion tools: You will not install, let alone run, any LAN-snooping tools, password cracking tools, or security vulnerability exploiting tools on your laptop. Even if you have the best of intentions, the mere availability of such tools allows spyware or malware to probe the production LAN once such spyware has compromised your laptop.
- Secure your laptop: You will ensure that all security precautions are in place to prevent any intruder from connecting to your laptop when you are connected directly to the Internet. You will keep all security patches applied and up-to-date on your system software. If you are running MS Windows on your laptop, you must activate automatic updates from Microsoft Update, so that all mandatory patches are downloaded and installed automatically. If you are running MS Windows on the laptop, you must have an anti-virus system installed and ensure that it is checking for updates to its signature database every day that it is used. You will follow all practices of secure system administration while administering your laptop, because you are its system administrator. This includes exercising caution before loading any software of unknown antecedents onto the laptop.
- No pirated software: If you load pirated software on your laptop, the company is not liable for the consequences, hence in theory the company may choose not to comment on this issue. However, if your personal laptop is connected to the office LAN, then you will not load any pirated software on it, because pirated software often contains security holes and backdoors deliberately inserted in it.
- Confidentiality of laptop contents: Since you are bringing your personal laptop to the office production LAN, it is expected that you will carry files and email messages related to official work on this laptop. Therefore, you will be responsible for maintaining the laptop in the same secure manner as you would maintain any confidential information. If this is not done, loss of the laptop's hard disk drive may result in breach of confidentiality, and you will be held responsible. Therefore, theft of your personal laptop will be viewed far more seriously by the company than a mere matter of monetary loss.
One of the most security-critical pieces of information on laptops are private keys for secure access to remote servers, including client servers. Loss of such keys can mean total loss of access security to those servers. You will ALWAYS ensure that all private keys you keep on your laptop are protected by non-guessable passphrases. In these respects, losing a live laptop is far more critical than losing a briefcase full of confidential documents.
- No outsider access: All restrictions about outsiders/visitors not being permitted free access to office IS infrastructure will be extended to your laptop. Remember, once your laptop has been granted permission to connect to the office production LAN, it is governed by the company's IS security policy.
- No objectionable/inappropriate content: All restrictions about storing data on office computers which are inappropriate or objectionable for business use will apply to your laptop. Do not store pornographic, racially offensive, or other Level 1 objectionable material on your laptop; do not access such material on any network or servers. Level 2 non-official material like cricket scores and film gossip are of course okay, provided you do not access such sites even from your personal laptop while you are connected to the production systems at office.
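As an added self-check for the private-key clause above (this script is not part of the original policy), the following Python code flags private key files stored without a passphrase. It recognises OpenSSH (openssh-key-v1), PKCS#8 and legacy PEM key files; the sample keys embedded in it are constructed header-only blobs, not real key material, and the `~/.ssh` path is an assumed default.

```python
import base64
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf: bytes, offset: int):
    """Read an SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length

def _openssh_cipher(armored: str) -> bytes:
    """Return the cipher name recorded in an openssh-key-v1 private key blob."""
    body = "".join(line.strip() for line in armored.splitlines()
                   if line.strip() and not line.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
    return cipher

def key_is_passphrase_protected(pem_text: str):
    """True if the key is encrypted, False if stored in clear, None if not a private key."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in pem_text:
        return _openssh_cipher(pem_text) != b"none"   # cipher "none" = no passphrase
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:
        return True                                   # PKCS#8, encrypted
    if "-----BEGIN PRIVATE KEY-----" in pem_text:
        return False                                  # PKCS#8, cleartext
    if "PRIVATE KEY-----" in pem_text:
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header.
        return "Proc-Type: 4,ENCRYPTED" in pem_text
    return None

def audit_key_dir(directory: str) -> list:
    """Return paths under `directory` that hold private keys stored in clear."""
    unprotected = []
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    status = key_is_passphrase_protected(fh.read())
            except (OSError, ValueError, struct.error):
                continue  # unreadable or malformed file: not a usable key
            if status is False:
                unprotected.append(path)
    return unprotected

def _fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed openssh-key-v1 blob carrying only the header fields the
    check reads (no real key material), armored like a real key file."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 0)
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples: passphrase-protected and cleartext variants.
PROTECTED_SAMPLE = _fake_openssh_key(b"aes256-ctr", b"bcrypt")
CLEAR_SAMPLE = _fake_openssh_key(b"none", b"none")
LEGACY_CLEAR_SAMPLE = "-----BEGIN RSA PRIVATE KEY-----\nMIIB\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENC_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nMIIB\n"
                     "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for path in audit_key_dir(os.path.expanduser("~/.ssh")):  # assumed key dir
        print("private key without passphrase:", path)
```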
One factor which has not been explained above is the oft-repeated reference to "us". We have asked you to take permission from "us". You have seen statements like "We will not accept this." Who is this "We"? In the case of the company's current structure, it is the management. This comprises Shuvam, Kishan, and Shraddha. If in doubt, or if you need to discuss something which is bothering you and does not fit into any standard operating procedure, just approach one of us and talk. We'll sort things out one way or other.
This document constitutes the IS security policy of our company. Your continued status as employee of this company implies that you accept all the clauses here and agree to abide by them.
This document, like all other policies of the company, is subject to discussion and debate. Please post feedback and comments and let's thrash out any grey areas or contentious issues.

This is a good write-up on the IS and security policies. How do we check whether the IS policies are violated? Here "check" does not mean trying to find out each and every day whether someone has defaulted on this, peeping over everyone's shoulder. But once in a while one needs to be in a position to check whether the policy is followed. How do we do that?
-Shraddha
Do an IS audit
IS audits are precisely for the purpose you described.
I found the IS policy almost complete and very good. I think some more points can be added regarding misuse of organisation resources, e.g. that someone should never use the mailing system to send a fake mail to others just for fun, or that we should not even allow long chats with friends that waste his time.
I think a copy of this IS policy should be attached to the joining letter of every newcomer, so that he or she never has a chance to say "ohh sorry, I have just joined and I didn't know the policy at Starcom."
Regards,
Hemant
Sending email with fake sender address is covered in the clause on "No masquerading". And waste of office resources for chatting is not a security issue... it's a professional performance issue. I think it should be kept out of the security policy document.
About passing it on to every newcomer, I agree 100%. However, I would suggest that we do it slightly differently. We should print out a brief note, email it to each employee (this will be Pushpa's job), and then ask him to read the email, print it, sign it, and return the signed copy to Pushpa. This email will carry the URLs of various key pages on the Drupal site. This way, we will save paper, and we'll teach the newcomer to look for documents and updates periodically on Drupal. Basically, if a soft document kept online will do, let's avoid hardcopy.
account of storage media issued
Please add a clause which should apply to storage media often issued by tech support from the office, i.e. CDs, hard disks. Currently if we need a CD we ask the admin department and take it. Just as when books are issued from the library and our signature is taken, a similar method should be followed, along with recording a reason for issuing the media.
It's a process issue, not a policy one
This suggestion is valid, but probably does not figure in IS policy. We will implement it.
If you notice, I have not included any remarks like "You must change your password once every six months." This is a process, not a policy. The policy states that you must keep your password unguessable. If I want to prescribe process to implement the policy, I will probably have to create a second "Standards and Procedures" document. In fact, even the existing policy document has lots of process-type clauses. I think those are best moved out of here, into a process document.
But not to miss your original point: please issue instructions to admin about media control register, and escalate to me if it's not followed.
demo copies of products
In the case of giving a demo to a client, what should be the time period for which the licence of a product is provided?
This is a BD decision
The question is valid, but we'll let the BD decide this. Till they decide, we can go ahead with a default decision of 3 months.
Both suggestions done
They made good sense, so I added them to the document. Thanks.
Can you verify that I've covered them adequately?
Shuvam
Data confidentiality to emails forwarded to public mail sites
Mail forwarding to a public mail site shall require permission. Access from outside to an account on a public mail site where official mails are forwarded is also potentially risky. Access by outsiders to such an account is also not advisable. Precautions for setting passwords shall apply here too.
regards,
Kishan
Please extend data confidentiality clause for client data
Dear Shuvam,
Excellent. Please extend the data confidentiality clause to cover information and access at client sites, and abiding by the security policy at client sites.
regards,
Kishan