Security Policy

Posted on 2005-03-02
Medium Priority
Last Modified: 2013-12-04
Hello Sir.

After performing a Business Risk Analysis related to ICT, our company HM encourages its departments and companies to enforce the following 8 policies, summarized below:

1. Personnel Security Policy: To ensure that a high level of integrity and satisfactory staff conduct is achieved and maintained, and to promote awareness of security matters. Abiding by HM ICT policy should be a condition of employment, and security training or awareness sessions should be conducted regularly.

2. Information Sensitivity Policy: To specify information at varying sensitivity levels and adopt adequate protection. Confidential information may necessitate more or less stringent protection measures depending upon the circumstances and the nature of the HM Confidential information in question.

3. Server Security Policy: To register servers and related hardware within the corporate enterprise management system. To clearly identify the person responsible for backup procedures and for maintenance of the hardware and operating system version. To perform access control at the physically secured location of the server.

4. Data Security Policy: To establish data security controls over computers consistent with the criticality, confidentiality, and privacy needs of the data processed. To back up critical files on removable media located at a remote site. To perform accurate data entry and ensure the integrity of processing.

5. Internet Usage Policy: To ensure that employees use the sole Internet link, managed by the Security Management Authority, for HM business only. The standard for properly using company e-mail is the same as for using official company letterhead or memos. Mass e-mailing, online gaming, browsing of indecent web sites, commerce for personal gain, and downloading of music or images for personal use are strictly forbidden.

6. Antivirus Policy: To enable this function on every workstation and server. To use only antivirus technology that has been approved by Harel Mallac & co. ltd.

7. Password Policy: To ensure that users have strong passwords that are changed regularly, at least every month. At no time should a user disclose his password to a third party or insert it into e-mail messages or other forms of electronic communication.

8. Telecom Policy: To ensure that the departments use telecom links only to connect to the HM Group corporate network. Departments must obtain approval from the Security Management Authority before introducing any new telecom equipment to the HM Group network.

Please provide me detailed help on how to proceed in building a Group Policy which will encompass all 8 of the above features.

Also, I'll be using Windows on all platforms; can you recommend a tool which will help me provide security at that level.

thanking you
Question by:VASHINEE
Expert Comment

ID: 13439020
Wow, all that for 70 points.  Sounds like you need more than just help.
LVL 18

Expert Comment

ID: 13439589
Sorry, but you can't just create group policies and think that all your problems will be solved. What you have described involves much, much more than just setting up a few group policies.

You need to take a serious look at your environment and the above 8 things ONE by ONE and come up with a solution...not just a group policy.

Also, it looks like you'll need to create written policies.......guidelines for your users and documentation of what is being done....this is a big part of doing a risk analysis.....everything needs to be documented.

My comments:

1-3: These involve lots of written policies and management decisions based on what kind of data you have, your staff, etc.

4.     Data Security Policy: For the backup part of this...you need to come up with a backup plan....how do you back up data? For instance...all of our critical data is stored on our server.....I use a tape backup on the server with a GFS (grandfather, father, son) method to ensure I have daily, weekly, monthly, and yearly backups including backups of the system state of the server. Do a Google search on backup or disaster recovery plans or the grandfather father son backup method and you'll get lots of information.

5. Internet Usage Policy: This is a written policy that you need to come up with and your users would sign that they agree to this policy. If users then go against the policy, have in place from management what the consequences would be.

6. You need a corporate antivirus solution. This is standard in a business environment today. You need an enterprise software that allows you to centrally manage from your server all of your clients. Updates should get pushed out automatically and at least weekly virus scans should be forced.

7.  Password Policy:  If you have a 2000/2003 domain then this is easy to setup. Just enable password complexity requirements and set a max age and min. pw requirement. There's lots of information online about this.
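The GFS (grandfather, father, son) rotation mentioned in the comment above is easiest to reason about as a small scheduler: each backup date is classified into a tier, and each tier has its own retention period, after which the tape may be reused. The following PowerShell is an added example, not code from the thread; the tier boundaries (Friday for the weekly, last day of the month for the monthly, 31 December for the yearly) and the retention periods are assumptions chosen for illustration, and the backup dates are a constructed sample.

```powershell
# Added example (not from the thread): classify backup dates into GFS tiers
# and report which tapes may be reused on a given day. Tier boundaries and
# retention periods are assumptions; the thread names the method only.

function Get-GfsTier {
    param([Parameter(Mandatory)][datetime]$Date)
    # Order matters: the last backup of the year is the yearly copy, the last
    # backup of any other month is the monthly copy, a Friday backup is the
    # weekly copy, and everything else is a daily (son) copy.
    if ($Date.Month -eq 12 -and $Date.Day -eq 31) { return 'Yearly' }
    if ($Date.Day -eq [DateTime]::DaysInMonth($Date.Year, $Date.Month)) { return 'Monthly' }
    if ($Date.DayOfWeek -eq [DayOfWeek]::Friday) { return 'Weekly' }
    return 'Daily'
}

# Assumed retention per tier, in days: a week of dailies, five weeklies,
# a year of monthlies, seven years of yearlies.
$Retention = @{ Daily = 7; Weekly = 35; Monthly = 366; Yearly = 7 * 366 }

function Get-GfsRotation {
    param(
        [Parameter(Mandatory)][datetime[]]$BackupDates,
        [datetime]$Today = (Get-Date).Date
    )
    foreach ($d in ($BackupDates | Sort-Object)) {
        $tier    = Get-GfsTier -Date $d
        $expires = $d.AddDays($Retention[$tier])
        [pscustomobject]@{
            Backup   = $d.ToString('yyyy-MM-dd ddd')
            Tier     = $tier
            Expires  = $expires.ToString('yyyy-MM-dd')
            Reusable = ($expires -le $Today)
        }
    }
}

# Constructed sample: last year's year-end tape, January's month-end tape,
# and one tape per day from 2005-02-14 to 2005-02-28, evaluated on the day
# the question was posted.
$sample  = @([datetime]'2004-12-31', [datetime]'2005-01-31')
$sample += 0..14 | ForEach-Object { ([datetime]'2005-02-14').AddDays($_) }

Get-GfsRotation -BackupDates $sample -Today ([datetime]'2005-03-02') | Format-Table -AutoSize
```

Run on 2005-03-02 the dailies up to 2005-02-23 show as reusable, the two Fridays (18 and 25 February) are held as weeklies, 28 February is held as the monthly, and 31 December 2004 is held as the yearly. Whatever boundaries you pick, write them into the backup procedure document the comment above asks for, and keep the system state backup on the same schedule so a server rebuild restores to a consistent point.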
LVL 18

Expert Comment

ID: 13439669
What you have described are common responsibilities of anyone in a systems analyst/IT management role. Most of it is just simply best practice and common security practices that anyone in IT should be taking to ensure the integrity of their network.

These tasks are ones that I performed as soon as I started my job since there was no IT staff in my organization before me. I had never done these things before as I was right out of college....however, a big part of IT is RESEARCH....read and research and learn for yourself. If you have specific questions then that's where places like EE come into play.....but we can't tell you how to do your job......you know your network and environment better than any of us so you know what is best.

If you've been in IT any length of time then you should already be familiar with the basics of a lot of these things and you should realize that there is no easy fix or one simple solution that will implement security. That is your job.......that is my job....that is one of the things that allows us IT people to have jobs....because you can't just click a button and bam....everything is secure.
LVL 24

Expert Comment

ID: 13441000
Try http://www.experts-exchange.com/Security/Q_21334200.html
security policy  asked by Affno on 03/01/2005

Ex: SunBow

1) privacy

1a) User must protect company: good quality passwords, do not divulge secrets, do not run strange unauthorized programs

1b) Company must protect employee: good networking, do not divulge personal information, do not constrict access to information and tools
LVL 24

Expert Comment

ID: 13441044
>  can you provide me a tool which will help me to provide security

This is best a do it yourself.

The company has to resist the urge to go to stores shopping for vaporware and actually hire a person, a human, (a resource/tool), and pay them to enforce policy.  When that is not done or indefinitely deferred, there are no inhuman tools to be purchased that can do it all.
LVL 24

Expert Comment

ID: 13441119
> After performing a Business Risk Analysis

this sounds also more theoretical than practical (business)

> 7.     Password Policy: To ensure that users have strong password

The OS is not bad at that.

What you need is to not ask the user to try to remember hundreds of passwords to get any work done, and change them every other day.

Reduce the quantity, Increase the quality

Expert Comment

ID: 13441386
7)  Password Policy:

Enforce password history:                                        5 passwords
Maximum password age:                                            64 days
Minimum password age:                                            1 day
Minimum password length:                                         8 characters
Passwords must meet complexity requirements:                     Enabled
Store passwords using reversible encryption for all members in the domain:  Disabled

I work for a large defense contractor and this is what we set ours to.  Password complexity will need alphanumeric characters, 1 number and at least 1 uppercase character.

This should be a good policy to use for you.
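The settings quoted above, and the "enable complexity, set a max age and a minimum" advice earlier in the thread, map one-to-one onto the Default Domain Policy's Password Policy node. The following PowerShell is an added example, not code from the thread: it applies those values to the default domain password policy and reads them back so a mismatch is visible. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT) and an account allowed to edit the Default Domain Policy; on a 2000/2003 domain the same six settings are made by hand in the GPO editor, as noted after the block.

```powershell
# Added example (not from the thread): apply the password settings quoted
# above to the default domain password policy and verify them. Assumes the
# ActiveDirectory module (Server 2008 R2+/RSAT) and rights to edit the
# Default Domain Policy.
Import-Module ActiveDirectory

# Values from the comment above. The 1-day minimum age stops a user from
# cycling through five quick changes to get the old password back.
$desired = @{
    PasswordHistoryCount        = 5
    MaxPasswordAge              = New-TimeSpan -Days 64
    MinPasswordAge              = New-TimeSpan -Days 1
    MinPasswordLength           = 8
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false   # reversible storage is as good as cleartext
}

$domain = (Get-ADDomain).DistinguishedName
Set-ADDefaultDomainPasswordPolicy -Identity $domain @desired

# Read back and compare field by field. A mismatch usually means the change
# was written on a DC that has not replicated yet, or the caller lacked rights.
$actual   = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$mismatch = 0
foreach ($name in $desired.Keys) {
    $want = $desired[$name]
    $got  = $actual.$name
    $ok   = ($got -eq $want)
    if (-not $ok) { $mismatch++ }
    '{0,-28} want={1,-12} got={2,-12} {3}' -f $name, $want, $got, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}
if ($mismatch) { Write-Warning "$mismatch setting(s) did not apply; check replication and permissions" }
```

Two caveats a practitioner should know before relying on this. First, on domains older than Windows Server 2008 (which introduced fine-grained password policies) there is exactly one password policy for domain accounts, and it is the one in the GPO linked at the domain root; the same settings placed in a GPO linked to an OU only affect the local SAM accounts of the computers in that OU. On a 2000/2003 domain, open the Default Domain Policy and set the six values under Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy, then confirm with `net accounts /domain`. Second, the built-in "must meet complexity requirements" check is not "letters, one digit and one uppercase" as described above: it rejects passwords containing the account name or parts of the full name, and otherwise requires characters from three of the four classes (uppercase, lowercase, digits, non-alphanumeric), so a minimum length of 8 is doing most of the work and a longer minimum is cheap to enforce.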

Author Comment

ID: 13446947
I totally agree with all your comments from each of you.
I have only been in this company for 2 days, and I am also new to the job market.

I wanted to ask you whether there is a link where I can read about enforcing policy, so that I will be better placed to design some group policies on hardware issues.

thanking you again.
LVL 18

Expert Comment

ID: 13448740
The SANS Institute is a leading IT security group that provides information and training to IT professionals. They have lots of information, tips, sample policies, etc.

LVL 18

Accepted Solution

luv2smile earned 280 total points
ID: 13448744
Here is the direct policy link at SANS

