Implementation of an Organization-Wide Security Plan
The purpose of this security plan is to establish security requirements for controlled access to the organization's information resources.
This plan applies to all users of information assets including employees, employees of temporary employment agencies, vendors, business partners, and contractor personnel.
Definitions of some common terms:
Authentication: the process of determining whether someone or something is, in fact, who or what it is declared to be.
Availability: ensuring that authorized users have access to information and associated assets when ...
A formal record of all registered users must be maintained. This record must be checked periodically for unused, redundant, or expired user accesses or accounts, or incorrect privileges.
Accounts that have been inactive for 90 days must be disabled, after verifying whether there is a valid cause for the inactivity.
User accounts of personnel who leave must be removed immediately upon termination of employment.
All user privileges must be assigned through a formal authorization procedure; no privilege may be granted before that procedure is complete.
All privileges must be allocated as and when required, on a need-to-know basis.
Detailed records must be maintained for all privileges allocated.
User Password Management
All users must change their temporary password on first login.
In case of forgotten passwords, temporary passwords should be issued only after positive identification of the user.
Users must not store passwords on a computer or in any location that is publicly accessible.
Review of User Access Rights
All user access rights must be reviewed every 6 months.
Review of all special privileged access rights must be carried out at an interval of 3 months.
All users must follow the Password Policy.
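As an added example (not part of the plan itself), the following Python audit function applies the register checks from the sections above to a user register: removal of accounts for personnel who have left, disablement after 90 days of inactivity, and the 6-month and 3-month review intervals for standard and privileged rights. The register, the account names and the month-to-day approximations are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Thresholds from the plan; month intervals approximated in days (assumption).
INACTIVE_DAYS = 90        # accounts inactive longer than this must be disabled
REVIEW_DAYS = 183         # all access rights reviewed every 6 months
PRIV_REVIEW_DAYS = 92     # special privileged rights reviewed every 3 months

@dataclass
class Account:
    user: str
    privileged: bool
    last_login: Optional[date]     # None means the account has never been used
    last_review: Optional[date]    # None means rights were never reviewed
    left_organization: bool = False

def audit_register(register: List[Account], today: date) -> List[Tuple[str, str]]:
    """Check a formal user register against the plan; return (user, finding) pairs."""
    findings = []
    for acct in register:
        if acct.left_organization:
            # Personnel who have quit: the account must be removed, not merely disabled.
            findings.append((acct.user, "remove: user has left the organization"))
            continue
        idle = None if acct.last_login is None else (today - acct.last_login).days
        if idle is None or idle > INACTIVE_DAYS:
            findings.append((acct.user, "disable: inactive beyond 90 days (verify cause first)"))
        limit = PRIV_REVIEW_DAYS if acct.privileged else REVIEW_DAYS
        age = None if acct.last_review is None else (today - acct.last_review).days
        if age is None or age > limit:
            kind = "privileged" if acct.privileged else "standard"
            findings.append((acct.user, f"review overdue: {kind} rights, limit {limit} days"))
    return findings

# Constructed sample register (hypothetical accounts, not real data).
TODAY = date(2024, 6, 30)
SAMPLE_REGISTER = [
    Account("alice", False, date(2024, 6, 28), date(2024, 2, 1)),
    Account("bob", False, date(2024, 2, 1), date(2024, 5, 1)),
    Account("carol", True, date(2024, 6, 29), date(2024, 2, 1)),
    Account("dave", False, date(2024, 6, 1), date(2024, 6, 1), left_organization=True),
    Account("svc-backup", True, None, None),
]

if __name__ == "__main__":
    for user, finding in audit_register(SAMPLE_REGISTER, TODAY):
        print(f"{user}: {finding}")
```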
Unattended user equipment
All users must enable password-protected screen savers on user desktops, portable computers/laptops, and servers.
For mainframe computers, users must log off after completion of their tasks.
Network access control
Policy on use of network services
Access to networks and network services must be specifically authorized in accordance with the organization's User Access Control procedures.
Access to networks and network services will be controlled on the basis of business and security requirements, and access control rules defined for each network.
Network connection control
A Service Policy Table must be formulated for each service that is allowed through each firewall.
All external connections by business partners and customers must be documented.
Network routing control
Appropriate routing control mechanisms must be deployed to restrict information flows to designated network paths within the control of the organization.
Network routing controls must be based on positive source and destination address checking mechanisms.
Security of network services
The organization must obtain detailed descriptions of the security attributes of any external services from the external network service providers.
The security attributes description must establish the confidentiality, integrity, and availability requirements of the business applications and the level of controls (if any) required to be applied.
Operating system access control
Terminal log-on procedures
The terminal logon procedure must...