Cavisson Information Security Policy
“It shall be the responsibility of the IT staff to provide adequate protection and confidentiality of all corporate data and proprietary software systems, whether held centrally, on local storage media, or remotely, to ensure the continued availability of data and programs to all authorized members of staff, and to ensure the integrity of all data and configuration controls.”
The purpose of this policy is to establish standards about the physical and environmental security of the information belonging to Cavisson Systems (“Cavisson”) and its clients. In order to ensure the continued protection of the personal, confidential and RESTRICTED information, the IT team has established these policies. This protection may be as simple as a lock on a filing cabinet or as complex as the security systems in place. The protection required needs to be appropriate to the level of information held and the consequential risks of unauthorized access. No service should fall below the baseline security standard level of required protection.
Security policies are reviewed and revised by IT team based on new security incidents or new feedback that is received from clients, which is not covered in existing policy documents. Revised policies are approved by the management representative. This role is assigned to VP (engineering).
This policy applies to all employees of Cavisson’s, contracted 3rd parties, affiliates and vendors that use the information technology resources belonging to Cavisson and/or its clients to perform their business functions.
This policy applies to all users of the Cavisson’s owned or leased / hired facilities and equipment. The policy defines what paper and electronic information belonging to Cavisson and/or its clients should be protected and, offers guidance on how such protection can be achieved. This policy also describes employee roles and the contribution staff make to the safe and secure use of such information.
This policy should be applied whenever a user accesses information or information equipment. This policy applies to all locations where the information or information processing equipment is stored, including remote sites.
Cavisson recognizes that there are risks associated with users accessing and handling information in order to conduct official business.
This policy aims to mitigate the following risks:
- Viruses, malware etc.
- Increased risk of data loss and corresponding fines
- Inappropriate access to and unacceptable use of the network, software, facilities and documents
- Inadequate destruction of data
- The non-reporting of information security incidents
- Inconsistency in how users deal with secure documents
- The impact of insufficient training for users
- The sharing of passwords
Non-compliance with this policy could have a significant effect on the efficient operation of the company and may result in financial loss and an inability to provide necessary services to our customers.
5. Information Security Policies
- Confidentiality of all data is to be maintained through discretionary and mandatory access controls.
- Internet and other external service access is restricted to authorized personnel only.
- Access to data on all laptop computers is to be secured through encryption or other means, to provide confidentiality of data in the event of loss or theft of equipment.
- Only authorized and licensed software may be installed, and installation may be performed only by authorized personnel.
- The use of unauthorized software is strictly prohibited. In the event if usage of unauthorized software is detected, the software will be removed from the system immediately.
- Data may only be transferred for the purpose of backup.
- All diskette drives and removable media from external sources must be virus checked before they are used.
- Passwords must consist of a mixture alphanumeric characters, and must be changed periodically and must be unique.
- Workstation configurations may only be changed by authorized personnel.
- The physical security of computer equipment will conform to recognized loss prevention guidelines.
- To prevent the loss of availability of the systems, measures must be taken to backup data, applications and the configurations of all workstations.
- A business continuity plan needs to be followed on a regular basis.
- The IT staff will provide up to date virus scanning software for the scanning and removal of suspected viruses.
- Corporate file-servers, workstations and personal laptops will be protected with virus scanning software.
- All workstation and server anti-virus software will be regularly updated with the latest anti-virus patches by the IT staff.
- No removable media, disks that are brought from outside may be used until they have been virus scanned.
- All systems will be built from original, clean master copies whose write protection has always been in place. Only original master copies will be used until virus scanning has taken place.
- All removable media containing executable software (software with .EXE and .COM extensions) will be write protected wherever possible.
- All demonstrations by vendors will be run on their own machines.
- Shareware is not to be used, as shareware is one of the most common infection sources. If it is absolutely necessary to use shareware, it must be thoroughly scanned before use.
- New commercial software will be scanned before it is installed as it occasionally contains viruses.
- Network level security will be installed at the perimeter of the network.
- Network level security must cover Firewall, Intrusion prevention system, Anti Virus, URL filtering and application level control.
- “Work from Home” will be allowed only through VPN connection with 2-way authentication.
- IPS, AV and URL filtering updates will be applied as soon as they are made available.
- Client and development teams’ network will be kept isolated at firewall. This is true for physical LAN as well as WiFi LAN.
To ensure that the systems do not pose an unmanaged security risk for the company and its clients, required security patches need to be applied in a timely and effective manner IT System administrators will use automated tools, where available, to create a detailed list of all currently installed software on workstations, servers and other networked devices. A manual audit will be conducted on any system or device for which an automated tool is not available.
- Systems and software will be evaluated to verify the patch and update levels and an analysis of vulnerabilities will be performed.
- Specific guidelines for applying patches and updates will be developed and made available to system administrators.
- Automated tools will scan for available patches and patch levels, which will be reviewed as specified in the Patch Application Guidelines. Manual scans and reviews will be conducted on systems for which automated tools are not available.
- An informal risk assessment will be performed within 2 business days of the receipt of notification of patches. If a determination regarding the applicability of the patch or mitigating controls cannot be made in that time a formal risk assessment will begin.
- Vendor supplied patch documentation will be reviewed in order to assure compatibility with all system components prior to being applied.
- Where possible, patches will be successfully tested on non production systems installed with the majority of critical applications/services prior to being loaded on production systems.
- Successful backups of mission critical systems will be verified prior to installation of patches and a mechanism for reverting to the patch levels in effect prior to patching will be identified.
- Patches will be applied during an authorized maintenance window in cases where the patch application will cause a service interruption for mission critical systems.
- Logs will be maintained for all system categories indicating which devices have been patched. System logs help record the status of systems and provide continuity among administrators. The log may be in paper or electronic form. Information to be recorded will include but is not limited to: date of action, administrator’s name, patches and patch numbers that were installed, problems encountered, and system administrator’s remarks.
- In the event that a system must be, reloaded, all relevant data on the current OS and patch level will be recorded. The system should be brought back to the patch levels in effect before reloading.
- In the event that a patch will not be applied due to incompatibility or risk assumption, precautions to mitigate the risk of exploitation to the network will be implemented and documented in the log.
Cavisson’s IT staff will develop configuration standards for the operating systems, services, and infrastructure it manages.
All devices and systems managed by the IT staff and currently in a production state must adhere to the applicable configuration standards for that device or system.
- A device that is not administered by the IT staff needs to conform to configuration standards before providing services to that device.
- Devices and systems that do not comply with applicable configuration standards may lose access to services provided by the IT staff. This may include a device’s ability to access wired and wireless networks.
- Configuration standards and exceptions will be reviewed every year.
- Configuration standards may be reviewed more frequently to incorporate security changes.
6. User Access Related Policies
This section discusses the types of security and security policy regarding access control, passwords, and data security in a networked environment. Cavisson’s network has four types of security:
- Log in/Password (initial access): Security is activated when a user logs in to the network. The server requires both a recognizable user name and a password. Each user chooses his or her own password, which is encrypted by the system. If the user forgets the password the network administrator must assign a new one.
- Trustee (directory level access): A trustee is a user who has been given rights to a directory and the files it contains. Trustee rights can be assigned to both individuals and groups. A trustee will not assign directory or file rights to a user who does not have a legitimate need to use that file or directory. Trustees will ensure that confidential office information to which they have access is not written to removable media and transported off company premises unless authorized by the departmental supervisor or performed by authorized individuals as part of backup and emergency/recovery procedures. In addition, reports printed using the data should be distributed only to authorized users.
- Directory: The directory security defines a user’s rights in a given directory. These rights are:
- Supervisor (assigns the rights for the directory)
- Access control (trustee assignments)
- File scan (search)
- Modify filenames and attributes
- Create new files or subdirectories
- Erase existing files or subdirectories
- Read files / Write files
The owner will not assign rights to users who do not have a legitimate need or authority to view or use the information.
- File Attributes: The owner of a file has the right to set the following attributes:
- Shareable read only
- Shareable read write
- Non-shareable read only
- Non-shareable read write
- Hidden file
- Delete inhibit
- Rename inhibit
- Each user must have a unique user-id and must be assigned a password.
- User-id and its password must not be shared with anyone else. User himself is accountable for all activities associated with assigned user-id.
- Password of newly created accounts or common accounts by server administrator should be conveyed in following manner
- Credentials most Ideally be provided over phone.
- If they cannot be shared over phone due to logistic issue, then they must not be shared in single email.
- They should be sent in parts, ideally over different channels (such as URL over email, username over chat, password over phone).
- If different channels are not possible, then they can to be sent in different parts of same channel (such as multiple mails for URL, Username and password)
- Password must conform to following standard:
- Minimum Length – 8 characters
- Password must not be derivative of user-id.
- Password must contain at least 1 alphabetic and 1 non-alphabetic character.
- Password must have combination of uppercase and lowercase letters
- Passwords changes are must in 90 days.
- Account lockout threshold – 4 continuous failed login attempts.
- Reset account lockout after – 30 minutes.
- User must be notified 1 week before password expiry date.
- System should maintain history of last 4 passwords so that they can’t be repeated.
This policy defines access control standards for system use notices and remote access for users. Access controls are the rules that are applied in order to control access to our information assets. The risks of using inadequate access controls range from inconvenience to critical loss or corruption of data.
Access control standards for Cavisson’s IT systems are established in a manner that carefully balances restrictions that prevent unauthorized access to information and services against the need for unhindered access for authorized users.
- System use notice – Before a user gains access to a system, a general system use notice must be displayed that welcomes users and identifies it as a company resource, warns against unauthorized use of the computer, and indicates that use of the system implies consent to all relevant policies. The System Use Notice should be passively displayed such that no user action is required to view it before logging into the system.
- Remote access – Remote access control procedures must provide appropriate safeguards through appropriate identification, authentication, and encryption techniques. A remote user must first authenticate to an authorized remote access service with strong encryption, such as VPN, before logging into a campus computer.
- All users must follow policy of “Clear desk and clear screen” policy in following ways:
- Lock away all sensitive and valuable documents (paper and magnetic) in cabinets or desk drawers (as appropriate) when the desk is unattended for an extended period – for example when away for meetings, at lunch times, or overnight.
- Log off computers and laptops when unattended. At end of day, close down all the applications and log off/shutdown the workstation.
- Activate a screensaver policy that secures computers with a 15-minute lockout policy.
There are four types of terminations that need to be handled appropriately:
- Voluntary terminations (User’s choice)
- nvoluntary terminations (Company’s choice)
- Hostile terminations (Voluntary or involuntary) – These terminations may include:
- Any situation where the individual is being terminated “with cause”.
- Any situation where the individual is considered disgruntled.
- Any situation where facility management judges the individual would pose a threat to Cavisson’s information assets.
- Third party user terminations at the end of contract
Once notified of a user’s termination, IT is responsible for ensuring that:
- Password access is immediately revoked in the event of an involuntary and hostile termination, and scheduled to be revoked on the last day of employment for voluntary terminations.
- Access to systems and applications such as e-mail, network is immediately revoked in the event of an involuntary and hostile termination, and scheduled to be revoked on the last day of employment for voluntary terminations.
- All access privileges for third party users shall be terminated at the time the user’s relationship with Cavisson is terminated. This applies to contractors and other third parties.
- All organizational information system-related property such as hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes ids provided to the user during the employment are retrieved from the user
- Access to organizational information and information systems formerly controlled by the terminated individual is retained.
7. Infrastructure Security policies
PROTECTED and RESTRICTED information must be stored in a facility securely. A risk assessment should identify the appropriate level of protection to be implemented to secure the information being stored.
Physical security must begin with the building itself and an assessment of perimeter vulnerability must be conducted. The building must have appropriate control mechanisms in place for the type of information and equipment that is stored there. These could include, but are not restricted to, the following:
- Alarms fitted and activated outside working hours
- Window and door locks.
- Access control mechanisms fitted to all accessible doors (if codes are utilized, they should be regularly changed and known only to those people authorized to access the area/building).
- CCTV cameras
- Staffed reception area
- Protection against damage – e.g. fire, flood, vandalism
Identification and access tools/passes (e.g. badges, keys, entry codes etc.) must only be held by officers authorized to access those areas and should not be loaned/provided to anyone else. Visitors to secure areas are required to sign in and out with arrival and departure times and are required to wear an identification badge. A Cavisson employee must accompany and monitor all visitors accessing secure IT areas at all the times. Keys to all secure areas housing IT equipment and lockable IT cabinets are held centrally. Keys are not stored near these secure areas or lockable cabinets.
In all cases where security processes are in place, instructions must be issued to address the event of a security breach.
- Only personnel having an ongoing recurring business need will be given unescorted access to the IT restricted space.
- Personnel who no longer have a business need to enter the restricted space will immediately be removed from the access control system.
- PA sign in/sign out logbook shall be required for all escorted visitors; as a minimum the logbook shall contain the printed identity of each visitor, visitor’s signature, agency/company represented, purpose of visit, date/time in and date/time out.
- An individual who has knowledge of the system being worked on shall escort non-permanent contractors needing access to the IT restricted space at all times
- Any suspicious activity should be reported to the security immediately.
All general computer equipment must be located in suitable physical locations that:
- Limit the risks from environmental hazards – e.g. heat, fire, smoke, water, dust and vibration.
- Limit the risk of theft – e.g. if necessary items such as laptops should be physically attached to the desk.
- Allow workstations handling sensitive data to be positioned to eliminate the risk of the data being seen by unauthorized people.
Desktop PCs should not have data stored on the local hard drive. Data should be stored on the network file servers where appropriate. This ensures that information lost, stolen or damaged via unauthorized access can be restored with its integrity maintained.
All servers located outside the company premises must be sited in a physically secure environment. Business critical systems should be protected by an Un- interrupted Power Supply (UPS) to reduce the operating system and data corruption risk from power failures. The equipment must not be moved or modified by anyone without the authorization from the IT staff.
All items of equipment must be recorded on an inventory, both on the Service and the Information Services inventory. Procedures should be in place to ensure inventories are
updated as soon as assets are received or disposed of. All equipment must be security marked and have a unique asset number allocated to it. This asset number should be recorded in the Service and the IS / IT inventories.
Physical Security of portable computing devices and media is utmost important for Cavisson. All employees and associates should ensure the proper protection of such equipment.
- Unattended portable computing devices and media must be physically secure. For example, they must be locked in an office, locked in a desk drawer or filing cabinet, or attached to a desk or cabinet via a cable lock system.
- During transportation in a vehicle, portable computing devices must be hidden from view and not left unattended.
- All computer equipment used in open, public, or otherwise insecure areas must implement the following to the greatest extent possible:
- A theft deterrent device when left unattended.
- Reasonable safeguards to prevent unauthorized viewing of log-ins, passwords, and sensitive data
- Theft of portable computing devices containing sensitive information must be reported immediately to the IT staff and Information Security Officer.
Cables that carry data or support key information services must be protected from interception or damage. Power cables should be separated from network cables to prevent interference. Network cables should be protected by conduit and where possible avoid routes through public areas.
- Access to the wireless service will be restricted to only authorized users.
- The users shall be authenticated. Guests will be provided a temporary ID for authentication.
- The wireless service shall protect authentication credentials through the use of data encryption.
- Users of the wireless service are responsible for obtaining a device that meets the current implementation requirements.
All computer equipment needs to be maintained in accordance with the manufacturer’s instructions and with any documented internal procedures to ensure it remains in working order. Staff involved with maintenance should:
- Retain all copies of manufacturer’s instructions.
- Identify recommended service intervals and specifications.
- Enable a call-out process in event of failure.
- Ensure only authorized technicians perform any work on the equipment.
- Record details of all remedial work carried out.
- Identify any insurance requirements.
- Record details of faults incurred and actions required.
A service history record of equipment should be maintained so that when equipment becomes older decisions can be made regarding the appropriate time for it to be replaced.
Equipment maintenance must be in accordance with the manufacturer’s instructions. This must be documented and available for support staff to use when arranging repairs.
The use of equipment off-site must be formally approved by the user’s line manager. Equipment taken away from premises is the responsibility of the user and should be:
- Be logged in and out, where applicable.
- Not be left unattended.
- Concealed whilst transported
- Not be left open to theft or damage whether in the office, during transit or at home.
- Where possible, be disguised (e.g. laptops should be carried in less formal bags).
- Be encrypted if carrying PROTECTED or RESTRICTED information.
- Be password protected.
- Be adequately insured.
Users should ensure, where necessary and required, that insurance cover is extended to cover equipment which is used off site. Users should also ensure that they are aware of and follow the requirements of the insurance policy. Any losses / damage must be reported to the IT staff in the first instance.
Equipment that is to be reused or disposed of must have all of its data and software erased / destroyed. If the equipment is to be passed onto another organization (e.g. returned under a leasing agreement) the data removal must be achieved by using professional data removing software tools.
Software media or services must be destroyed to avoid the possibility of inappropriate usage that could break the terms and conditions of the licenses held.
In order to confirm accuracy and condition of deliveries and to prevent subsequent loss or theft of stored equipment, the following must be applied:
- Equipment deliveries must be signed for by an authorized individual using an auditable formal process. This process should confirm that the delivered items correspond fully to the list on the delivery note. Actual assets received must be recorded.
- Loading areas and holding facilities should be adequately secured against unauthorized access and all access should be auditable.
- Subsequent removal of equipment should be via a formal, auditable process.
8. Log Management Policies
Logs are maintained for following categories of data. Logs are reviewed whenever required to analyze any security incident.
- Access logs for networking devices like laptops, servers, firewall…
- These logs are maintained for minimum period of 1 month.
- CCTV image files
- These logs are maintained for minimum period of 1 month.
- Attendance and door access logs
- These logs are maintained for minimum period of 1 year.
- Vulnerability assessment logs
- These logs are maintained for minimum period of 1 year.
9. Software Usage Policies
All software installed on company PCs and on the network will comply with the software’s licensing agreement. Software licensed for a server is limited to the number of users covered by the license. An original disk must exist for each software application installed on a user’s PC. The only exception is software with a site license or public domain software on an authorized list. In the case of authorized shareware products, if the company uses the software beyond the trial period, the author will be paid the suggested contribution. So-called “pirated” software will not be installed on company PCs.
Only software, authorized by the company may be installed on a network or on an individual PC. Users will not install personal software on a PC without the approval of their supervisor. No games or entertainment packages will be installed. The owner must show proof of ownership. An anti-virus program will be run before installing any program on a PC. The company will discourage the use of other than standard authorized software
Users may NOT copy company-owned software for their personal use, for distribution to others, or for use on another company PC. The company software may be copied only for legitimate backup purposes.
The software developed by employees on company-owned equipment and/ or during normal working hours, is owned by the company.
The IT staff is responsible for completing and returning the product registration forms. A copy of the receipt and product identification number (usually the serial number) should be recorded for reference when making support calls.
10. Employee Awareness and Training
Permanent employees and third party personnel working for Cavisson will be provided with Information Security policies to enhance awareness and educate them regarding the range of threats and the appropriate safeguards.
Cavisson senior management needs to lead by example by ensuring that Information Security is given a high priority in all current and future activities and initiatives.
There is a need for top-level management to take the lead in Information Security awareness initiatives, and to cascade them down the organization.
Cavisson IT staff is committed to providing training to all users of new systems to ensure that their use is both efficient and does not compromise Information Security. User should be able to implement new systems without this resulting in concerns over Information Security, a downgrading of existing Information Security framework, or security breaches.
Individual training in Information Security is mandatory, with any technical training being appropriate to the responsibility of the user’s job function. When the user changes the role, the Information Security needs must be re-assessed and any new training provided as a priority.
The level of Information Security training required for individual system users must be appropriate to their specific duties so that the confidentiality, integrity, and availability of the information they would normally handle is safeguarded.
The information security policies need to be reviewed once every 6 months by the Information Security Officer and the IT staff. The policy should be updated with the recommended security improvements where necessary.