Security Policy

Hello Sir.

After performing a Business Risk Analysis related to ICT, our company HM encourages its departments or companies to enforce the following 8 policies, as summarized below:

1. Personnel Security Policy: To ensure that a high level of integrity and satisfactory staff conduct is achieved and maintained, and to promote an awareness of security matters. Abiding by the HM ICT policy should be a condition of employment, and security training or awareness sessions should be conducted regularly.

2. Information Sensitivity Policy: To specify information at varying sensitivity levels and adopt adequate protection. Confidential information may necessitate more or less stringent measures of protection depending upon the circumstances and the nature of the HM Confidential information in question.

3. Server Security Policy: To register servers and related hardware within the corporate enterprise management system. To clearly identify the person responsible for backup procedures and for maintenance of the hardware and operating system version. To perform access control to the physically secured location of the server.

4. Data Security Policy: To establish data security controls over computers consistent with the criticality, confidentiality, and privacy needs of the data processed. To back up critical files on removable media located at a remote site. To perform accurate data entry and ensure the integrity of processing.

5. Internet Usage Policy: To ensure that employees use the sole Internet link managed by the Security Management Authority for the purpose of HM business only. The standard for properly using company e-mail is the same as for using official company letterhead or memos. Mass e-mailing, online gaming, browsing of indecent web sites, commerce for personal gain and downloading of music or images for personal use are strictly forbidden.

6. Antivirus Policy: To enable this function on every workstation and server. To use only antivirus technology that has been approved by Harel Mallac & Co. Ltd.

7. Password Policy: To ensure that users have strong passwords that are changed regularly, at least every month. At no time should a user disclose his password to a third party or insert it into e-mail messages or other forms of electronic communication.

8. Telecom Policy: To ensure that the Departments use Telecom links only to connect to the HM Group corporate network. Departments must obtain approval from the Security Management Authority before introducing any new telecom equipment to the HM Group network.

Please provide me with detailed help on how to proceed in building a Group Policy which will encompass all of the above 8 features.

Also, I'll be using Windows on all platforms; can you provide me with a tool which will help me to provide security at the level.

Thanking you.

Wow, all that for 70 points.  Sounds like you need more than just help.
Sorry, but you can't just create group policies and think that all your problems will be solved. What you have described involves much, much more than just setting up a few group policies.

You need to take a serious look at your environment and the above 8 things ONE by ONE and come up with a solution...not just a group policy.

Also, looks like you'll need to create written policies.......guidelines for your users and documentation of what is being done....this is a big part of doing a risk analysis.....everything needs to be documented.

My comments:

1-3: These involve lots of written policies and management decisions based on what kind of data you have, your staff, etc.

4. Data Security Policy: For the backup part, you need to come up with a backup plan. How do you back up data? For instance...all of our critical data is stored on our server.....I use a tape backup on the server with a GFS (grandfather, father, son) method to ensure I have daily, weekly, monthly, and yearly backups, including backups of the system state of the server. Do a Google search on backup or disaster recovery plans or the grandfather-father-son backup method and you'll get lots of information.

5. Internet Usage Policy: This is a written policy that you need to come up with and your users would sign that they agree to this policy. If users then go against the policy, have in place from management what the consequences would be.

6. You need a corporate antivirus solution. This is standard in a business environment today. You need enterprise software that allows you to centrally manage all of your clients from your server. Updates should get pushed out automatically and at least weekly virus scans should be forced.

7. Password Policy: If you have a 2000/2003 domain then this is easy to set up. Just enable password complexity requirements and set a maximum age and minimum password requirement. There's lots of information online about this.
What you have described are common responsibilities of anyone in a systems analyst/IT management role. Most of it is just simply best practice and common security practices that anyone in IT should be taking to ensure the integrity of their network.

These tasks are ones that I performed as soon as I started my job since there was no IT staff in my organization before me. I had never done these things before as I was right out of college....however, a big part of IT is to research and learn for yourself. If you have specific questions then that's where places like EE come into play.....but we can't tell you how to do your job. You know your network and environment better than any of us, so you know what is best.

If you've been in IT any length of time then you should already be familiar with the basics of a lot of these things and you should realize that there is no easy fix or one simple solution that will implement security. That is your job.......that is my job....that is one of the things that allows us IT people to have jobs....because you can't just click a button and bam....everything is secure.
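The answer above names the grandfather/father/son (GFS) tape rotation without spelling out how the tiers are scheduled. The script below is an added example, not code from the thread or from any product it mentions: it encodes one common GFS convention (daily tapes Monday to Thursday, a weekly tape on Friday, the monthly tape on the last Friday of the month, the yearly tape on the last Friday of the year) and prints the rotation for a sample month so you can see which tapes get reused and how long each is retained. The convention, tape labels and retention periods are assumptions; adapt them to your own plan.

```powershell
# Added example (not from the original thread): GFS rotation scheduler.
# Assumed convention: Mon-Thu daily (son), Friday weekly (father),
# last Friday of the month monthly (grandfather), last Friday of the year yearly.
function Get-GfsBackupSet {
    param([Parameter(Mandatory=$true)][datetime]$Date)

    $isFriday          = $Date.DayOfWeek -eq [DayOfWeek]::Friday
    # "Last Friday" means the next Friday falls in a different month / year.
    $lastFridayOfMonth = $isFriday -and ($Date.AddDays(7).Month -ne $Date.Month)
    $lastFridayOfYear  = $isFriday -and ($Date.AddDays(7).Year  -ne $Date.Year)

    if ($lastFridayOfYear) {
        return [pscustomobject]@{ Tier = 'Yearly';  Tape = "YEAR-$($Date.Year)";              Retain = 'permanent (off site)' }
    }
    if ($lastFridayOfMonth) {
        return [pscustomobject]@{ Tier = 'Monthly'; Tape = "MONTH-$($Date.ToString('MMM'))";  Retain = '12 months (off site)' }
    }
    if ($isFriday) {
        # Friday number within the month (1..5); each Friday tape is reused the next month.
        $week = [math]::Ceiling($Date.Day / 7)
        return [pscustomobject]@{ Tier = 'Weekly';  Tape = "WEEK-$week";                      Retain = '5 weeks' }
    }
    if (@('Saturday', 'Sunday') -contains $Date.DayOfWeek) {
        return $null   # no backup on weekends under this convention
    }
    # Daily tapes are reused every week, so only the last four weekdays are recoverable from them.
    return [pscustomobject]@{ Tier = 'Daily'; Tape = "DAY-$($Date.DayOfWeek)"; Retain = '1 week' }
}

# Show the rotation for a sample month (constructed date range, not real backup data).
$start = Get-Date '2005-03-01'
0..30 | ForEach-Object {
    $d   = $start.AddDays($_)
    $set = Get-GfsBackupSet -Date $d
    if ($set) {
        '{0:yyyy-MM-dd ddd}  {1,-8} {2,-10} keep {3}' -f $d, $set.Tier, $set.Tape, $set.Retain
    }
}
```

Reading the output for the sample month shows the point of the scheme: the four daily tapes only ever give you the last few days, the weekly tapes cover about a month, and the monthly and yearly tapes, which are the ones that should leave the building, are the only copies that survive a long-undetected corruption or a site loss. Whatever convention you pick, add the system-state backup the answer mentions to the same schedule and test a restore from each tier periodically.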

security policy  asked by Affno on 03/01/2005

Ex: SunBow

1) privacy

1a) User must protect company: good quality passwords, do not divulge secrets, do not run strange unauthorized programs

1b) Company must protect employee: good networking, do not divulge personal information, do not constrict access to information and tools
>  can you provide me a tool which will help me to provide security

This is best done yourself.

The company has to resist the urge to go shopping for vaporware and actually hire a person, a human (a resource/tool), and pay them to enforce policy. When that is not done or indefinitely deferred, there are no inhuman tools to be purchased that can do it all.
> After performing a Business Risk Analysis

this sounds also more theoretical than practical (business)

> 7.     Password Policy: To ensure that users have strong password

The OS is not bad at that.

What you need is to not ask the user to try to remember hundreds of passwords to get any work done, and change them every other day.

Reduce the quantity, Increase the quality
7) Password Policy:

Enforce password history: 5 passwords
Maximum password age: 64 days
Minimum password age: 1 day
Minimum password length: 8 characters
Passwords must meet complexity requirements: Enabled
Store passwords using reversible encryption for all members in the domain: Disabled

I work for a large defense contractor and this is what we set ours to. Password complexity will need alphanumeric characters, 1 number and at least 1 uppercase character.

This should be a good policy to use for you.
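The six settings listed in the answer above map one-to-one onto the `[System Access]` keys that `secedit` has understood since Windows 2000, so they can be applied and, more importantly, verified from a script instead of by clicking through the Group Policy editor. The script below is an added example, not code from the thread: it writes those values to a security template, applies it with `secedit /configure`, then exports the effective policy and compares every key against what was requested. It assumes an elevated PowerShell session and the standard `secedit` key names; the file paths under `$env:TEMP` are arbitrary.

```powershell
# Added example (not from the original thread). Applies and verifies the
# password policy values posted in the answer via secedit.
# Assumption: run elevated; key names are the standard [System Access] keys.

$PasswordPolicy = @{
    PasswordHistorySize   = 5    # Enforce password history: 5 passwords
    MaximumPasswordAge    = 64   # days
    MinimumPasswordAge    = 1    # day
    MinimumPasswordLength = 8    # characters
    PasswordComplexity    = 1    # complexity requirements: Enabled
    ClearTextPassword     = 0    # reversible encryption: Disabled
}

$inf    = Join-Path $env:TEMP 'hm-password-policy.inf'
$db     = Join-Path $env:TEMP 'hm-password-policy.sdb'
$export = Join-Path $env:TEMP 'hm-password-policy-export.inf'

# secedit wants a Unicode INF with the usual header sections.
$lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[System Access]')
foreach ($k in $PasswordPolicy.Keys) { $lines += "$k = $($PasswordPolicy[$k])" }
Set-Content -Path $inf -Value $lines -Encoding Unicode

# Apply only the account/security policy area, not the whole template.
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet

# Verify: export what is actually in force and diff it against the request.
secedit /export /cfg $export /areas SECURITYPOLICY /quiet
$effective = @{}
Get-Content $export | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(\S+)') { $effective[$matches[1]] = $matches[2] }
}
foreach ($k in $PasswordPolicy.Keys) {
    $status = if ([string]$effective[$k] -eq [string]$PasswordPolicy[$k]) { 'OK' } else { 'MISMATCH' }
    '{0,-22} wanted {1,-3} effective {2,-3} {3}' -f $k, $PasswordPolicy[$k], $effective[$k], $status
}
```

Two caveats matter in practice. First, on a member server or workstation this only changes the local account policy; for domain accounts the same six values belong in the Default Domain Policy under Computer Configuration > Windows Settings > Security Settings > Account Policies, and the export step run on a domain controller is the way to confirm they took effect. Second, the export-and-compare half is the part worth keeping as a scheduled check: a MISMATCH line is an early sign that someone edited the GPO or that a lower-precedence policy is winning.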
VASHINEE (Author) commented:
I totally agree with all your comments from each of you.
I have only done 2 days in this company, and am also new in the job market.

I wanted to ask you whether there is a link where I can read about enforcing policy, so that I will be in a better position to design some group policies on hardware issues.

Thanking you again.
The SANS Institute is a leading IT security group that provides information and training to IT professionals. They have lots of information, tips, sample policies, etc.
Here is the direct policy link at SANS
