Sample Security Policies/Acceptable_Encryption_Policy.doc
Acceptable Encryption Policy
1.0 Purpose
The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.
2.0 Scope
This policy applies to all <Company Name> employees and affiliates.
3.0 Policy
Proven, standard algorithms such as DES, Blowfish, RSA, RC5 and IDEA should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric crypto-system keys must be of a length that yields equivalent strength. <Company Name>’s key length requirements will be reviewed annually and upgraded as technology allows.
The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by InfoSec. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
5.0 Definitions
Term
Definition
Proprietary Encryption
An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem
A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem
A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption).
6.0 Revision History
Sample Security Policies/Acceptable_Use_Policy.docInfoSec Acceptable Use Policy
1.0 Overview
InfoSec's intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to <Company Name>. established culture of openness, trust and integrity. InfoSec is committed to protecting <Company Name>'s employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are .
Consensus Policy Resource Community
Remote Access Policy1. Overview
Remote access to our corporate network is essential to maintain our Team’s productivity, but in many cases this remote access originates from networks that may already be compromised or are at a significantly lower security posture than our corporate network. While these remote networks are beyond the control of Hypergolic Reactions, LLC policy, we must mitigate these external risks the best of our ability.2. Purpose
The purpose of this policy is to define rules and requirements for connecting to <Company Name>'s network from any host. These rules and requirements are designed to minimize the potential exposure to <Company Name> from damages which may result from unauthorized use of <Company Name> resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical <Company Name> internal systems, and fines or other financial liabilities incurred as a result of those losses.
3. Scope
This policy applies to all <Company Name> employees, contractors, vendors and agents with a <Company Name>-owned or personally-owned computer or workstation used to connect to the <Company Name> network. This policy applies to remote access connections used to do work on behalf of <Company Name>, including reading or sending email and viewing intranet web resources. This policy covers any and all technical implementations of remote access used to connect to <Company Name> networks.
4. Policy
It is the responsibility of <Company Name> employees, contractors, vendors and agents with remote access privileges to <Company Name>'s corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to <Company Name>.
General access to the Internet for recreational use through the <Company Name> network is strictly limited to <Company Name> employees, contractors, vendors and agents (hereafter referred to as “Authorized Users”). When accessing the <Company Name> network from a personal computer, Authorized Users are responsible for preventing access to any <Company Name> computer resources or data by non-Authorized Users. Performance of illegal activities through the <Company Name> network by any user (Authorized or otherwise) is prohibited. The Authorized User bears responsibility for and consequences of misuse of the Authorized User’s access. For further information and definitions, see the Acceptable Use Policy.
Authorized Users will not use <Company Name> networks to access the Internet for outside business interests.
For additional information regarding <Company Name>'s remote access connection options, including how to obtain a remote access login, free anti-virus software, troubleshooting, etc., go to the Remote Access Services website (company url).
4.1 Requirements
4.1.1 Secure remote access must be strictly controlled with encryption (i.e., Virt ...
Consensus Policy Resource Community
Remote Access Policy1. Overview
Remote access to our corporate network is essential to maintain our Team’s productivity, but in many cases this remote access originates from networks that may already be compromised or are at a significantly lower security posture than our corporate network. While these remote networks are beyond the control of Hypergolic Reactions, LLC policy, we must mitigate these external risks the best of our ability.2. Purpose
The purpose of this policy is to define rules and requirements for connecting to <Company Name>'s network from any host. These rules and requirements are designed to minimize the potential exposure to <Company Name> from damages which may result from unauthorized use of <Company Name> resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical <Company Name> internal systems, and fines or other financial liabilities incurred as a result of those losses.
3. Scope
This policy applies to all <Company Name> employees, contractors, vendors and agents with a <Company Name>-owned or personally-owned computer or workstation used to connect to the <Company Name> network. This policy applies to remote access connections used to do work on behalf of <Company Name>, including reading or sending email and viewing intranet web resources. This policy covers any and all technical implementations of remote access used to connect to <Company Name> networks.
4. Policy
It is the responsibility of <Company Name> employees, contractors, vendors and agents with remote access privileges to <Company Name>'s corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to <Company Name>.
General access to the Internet for recreational use through the <Company Name> network is strictly limited to <Company Name> employees, contractors, vendors and agents (hereafter referred to as “Authorized Users”). When accessing the <Company Name> network from a personal computer, Authorized Users are responsible for preventing access to any <Company Name> computer resources or data by non-Authorized Users. Performance of illegal activities through the <Company Name> network by any user (Authorized or otherwise) is prohibited. The Authorized User bears responsibility for and consequences of misuse of the Authorized User’s access. For further information and definitions, see the Acceptable Use Policy.
Authorized Users will not use <Company Name> networks to access the Internet for outside business interests.
For additional information regarding <Company Name>'s remote access connection options, including how to obtain a remote access login, free anti-virus software, troubleshooting, etc., go to the Remote Access Services website (company url).
4.1 Requirements
4.1.1 Secure remote access must be strictly controlled with encryption (i.e., Virt ...
Week 7Worksheet 4 LANWAN Compliance and AuditingCourse L.docxcockekeshia
Week 7
Worksheet 4: LAN/WAN Compliance and Auditing
Course Learning Outcome(s)
· Analyze information security systems compliance requirements within the Workstation and LAN Domains.
· Design and implement ISS compliance within the LAN-to-WAN and WAN domains with an appropriate framework.
As auditors, we presume that no data produced on a computer is 100% secure regardless of whether it’s a standalone device or connected to a local area network (LAN) or a wide area network (WAN). Organizations implement controls, which are developed and implemented based on regulations and best security practices. Security is implemented throughout an organizations enterprise – from the host the user sits and throughout the devices data traverses or is stored. Here’s an example of a basic enterprise and the security controls that may be implemented. Remember, controls can be physical or logical devices, software or encryption.
Host – A host is a computer, tablet or other device that a user interfaces with to perform a function. The device you’re reading this on is a host. The security controls that could be implemented onto a host include a Host Based Intrusion Detection Systems (HIDS), Host Based Intrusion Prevention System (HIPS), a software Firewall, and Antivirus protection. Policy controls implemented on a host include Role Based Access Control (RBAC), Discretionary Access Control (DAC), Mandatory Access Control (MAC), Login requirements, lockout settings and others that restrict what a user can and can’t do while logged into a host and software to manage (allow and deny) policies electronically (ePo).
Local Area Network – Think of a LAN as an internal network used by an organization that allows user to execute functions using various applications and storage while also having the ability to connect to other organizations using the Internet or Virtual Private Networks (VPN’s). A host connects to a switch and data is routed to a router where it either access systems on the LAN or to a router where it’s going to exchange data with another LAN or WAN. The devices that comprise a LAN and WAN are similar with a difference in that a WAN is built to a much larger scale. As stated, in a network, there are many devices, servers, switches, routers, storage, Call Managers (for VoIP communications), firewalls, web content filters, security appliances that manage Network Intrusion Detection Systems (NIDS), Network Intrusion Prevention Systems (NIPS) and other organization unique systems.
Often as a cost savings measure, services such as security, web content filtering, storage, IP telephony, Software licensing (SaaS) and others can be outsourced to a third party vendor. An agreement is made between the organization and the vendor on the expected requirements and documented in the contract. These requirements are known as Service Level Agreements (SLA).At no point does an organization relieve itself of regulatory requirements for data protection by contracting it o.
Worksheet 4 LANWAN Compliance and Auditinglook on the docume.docxgriffinruthie22
Worksheet 4: LAN/WAN Compliance and Auditing
look on the document below how its set up
Course Learning Outcome(s)
Analyze information security systems compliance requirements within the Workstation and LAN Domains.
Design and implement ISS compliance within the LAN-to-WAN and WAN domains with an appropriate framework.
As auditors, we presume that no data produced on a computer is 100% secure regardless of whether it’s a standalone device or connected to a local area network (LAN) or a wide area network (WAN). Organizations implement controls, which are developed and implemented based on regulations and best security practices. Security is implemented throughout an organizations enterprise – from the host the user sits and throughout the devices data traverses or is stored. Here’s an example of a basic enterprise and the security controls that may be implemented. Remember, controls can be physical or logical devices, software or encryption.
Host – A host is a computer, tablet or other device that a user interfaces with to perform a function. The device you’re reading this on is a host. The security controls that could be implemented onto a host include a Host Based Intrusion Detection Systems (HIDS), Host Based Intrusion Prevention System (HIPS), a software Firewall, and Antivirus protection. Policy controls implemented on a host include Role Based Access Control (RBAC), Discretionary Access Control (DAC), Mandatory Access Control (MAC), Login requirements, lockout settings and others that restrict what a user can and can’t do while logged into a host and software to manage (allow and deny) policies electronically (ePo).
Local Area Network – Think of a LAN as an internal network used by an organization that allows user to execute functions using various applications and storage while also having the ability to connect to other organizations using the Internet or Virtual Private Networks (VPN’s). A host connects to a switch and data is routed to a router where it either access systems on the LAN or to a router where it’s going to exchange data with another LAN or WAN. The devices that comprise a LAN and WAN are similar with a difference in that a WAN is built to a much larger scale. As stated, in a network, there are many devices, servers, switches, routers, storage, Call Managers (for VoIP communications), firewalls, web content filters, security appliances that manage Network Intrusion Detection Systems (NIDS), Network Intrusion Prevention Systems (NIPS) and other organization unique systems.
Often as a cost savings measure, services such as security, web content filtering, storage, IP telephony, Software licensing (SaaS) and others can be outsourced to a third party vendor. An agreement is made between the organization and the vendor on the expected requirements and documented in the contract. These requirements are known as Service Level Agreements (SLA).At no point does an organization relieve itself of regulatory requiremen ...
With 2014 being noted as “The Year of the Breach,” many businesses are still unprepared or not properly protected from numerous security threats. So what can your business do to help keep sensitive data safe? Check out the following slideshow to learn how to protect yourself and your business from threats. Contact the IT Security experts at MTG today to protect your organization!
Sample Data Security PoliciesThis document provides three ex.docxrtodd599
Sample Data Security Policies
This document provides three example data security policies
that cover key areas of concern. They should not be considered
an exhaustive list but rather each organization should identify
any additional areas that require policy in accordance with their
users, data, regulatory environment and other relevant factors.
The three policies cover:
1. Data security policy: Employee requirements
2. Data security policy: Data Leakage Prevention – Data in Motion
3. Data security policy: Workstation Full Disk Encryption
Comments to assist in the use of these policies have been added in red.
Sample Data Security Policies
1
Data security policy: Employee requirements
Using this policy
This example policy outlines behaviors expected of employees when dealing with data and provides a classification of the types of
data with which they should be concerned. This should link to your AUP (acceptable use policy), security training and information
security policy to provide users with guidance on the required behaviors.
1.0 Purpose
<Company X> must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely
impacting our customers. The protection of data in scope is a critical business requirement, yet flexibility to access data and work
effectively is also critical.
It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it will reliably detect
all data. It’s primary objective is user awareness and to avoid accidental loss scenarios. This policy outlines the requirements for
data leakage prevention, a focus for the policy and a rationale.
2.0 Scope
1. Any employee, contractor or individual with access to <Company X> systems or data.
2. Definition of data to be protected (you should identify the types of data and give examples so that your users can identify it
when they encounter it)
� PII
� Financial
� Restricted/Sensitive
� Confidential
� IP
3.0 Policy – Employee requirements
1. You need to complete <Company X>’s security awareness training and agree to uphold the acceptable use policy.
2. If you identify an unknown, un-escorted or otherwise unauthorized individual in <Company X> you need to immediately notify
<complete as appropriate>.
3. Visitors to <Company X> must be escorted by an authorized employee at all times. If you are responsible for escorting
visitors you must restrict them appropriate areas.
4. You are required not to reference the subject or content of sensitive or confidential data publically, or via systems or
communication channels not controlled by <Company X>. For example, the use of external e-mail systems not hosted by
<Company X> to distribute data is not allowed.
5. Please keep a clean desk. To maintain information security you need to ensure that all printed in scope data is not left
unattended at your workstation.
Sample Data Security Policies
2.
How to Secure Your Enterprise Network.docxNeilStark1
With the advent of the digital age, businesses have gone digital with the help of adequate enterprise networking setup that comprises IT infrastructures that provides connectivity among users, devices, and applications.
How to Secure Your Enterprise Network.pdfNeilStark1
With the advent of the digital age, businesses have gone digital with the help of adequate enterprise networking setup that comprises IT infrastructures that provides connectivity among users, devices, and applications.
How to Secure Your Enterprise Network.docxNeilStark1
With the advent of the digital age, businesses have gone digital with the help of adequate enterprise networking setup that comprises IT infrastructures that provides connectivity among users, devices, and applications.
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
journal publishing, how to publish research paper, Call For research paper, international journal, publishing a paper, IJERD, journal of science and technology, how to get a research paper published, publishing a paper, publishing of journal, publishing of research paper, reserach and review articles, IJERD Journal, How to publish your research paper, publish research paper, open access engineering journal, Engineering journal, Mathemetics journal, Physics journal, Chemistry journal, Computer Engineering, Computer Science journal, how to submit your paper, peer reviw journal, indexed journal, reserach and review articles, engineering journal, www.ijerd.com, research journals,
yahoo journals, bing journals, International Journal of Engineering Research and Development, google journals, hard copy of journal
ScanScan 1Scan 2Scan 3Scan 4Scan 5Scan 6Scan 7Scan 8Scan 9Scan 10Scan 11Scan 12Scan 13
Chapter 13 Global Health Challenges
MANY INDIVIDUALS AND NONGOVERNMENTAL ORGANIZATIONS (NGOS) HELP FIGHT GLOBAL DISEASE. The Bill and Melinda Gates Foundation plays a key role in the war against malaria, AIDS, and other diseases. Melinda and Bill Gates met with doctors and patients at the Manhica Research Center and Hospital in an area of Mozambique heavily affected by malaria.
Learning Objectives
1. 13.1Recall the causes and effects of noncommunicable diseases
2. 13.2Evaluate the role of global travel and trade in facilitating the globalization of infectious diseases
3. 13.3Outline the three developments that gave rise to the concept of human security
4. 13.4Describe the three epidemiologic transitions to better understand contemporary concerns about infectious diseases
5. 13.5Report the cause, spread, effects, and control measures of influenza and avian flu
6. 13.6Report the cause, spread, effects, and control measures of malaria
7. 13.7Recognize the causes and preventive measures of HIV
8. 13.8Report the origin, spread, effects, and control measures of SARS
9. 13.9Report the origin, spread, effects, and control measures of Ebola
10. 13.10Outline role of the WHO in preventing the spread of infectious diseases
Noncommunicable diseases (NCDs) such as heart disease, cancer, diabetes, chronic respiratory disease, and mental illness in general and Alzheimer’s disease in particular are the leading causes of death and disability globally. Long associated with affluent Western standards of living, NCDs are now a global problem. While rich countries are better equipped to deal with chronic diseases, they are far more deadly in poor countries. Growing numbers of old people and the spread of middle-class lifestyles make NCDs more prevalent than infectious diseases. Globalization also contributes to the growth of NCDs by helping expand the global middle class and by promoting fast foods, sugary drinks, alcohol, smoking, processed foods, and sedentary lifestyles. A major global health threat that undermines efforts to cure diseases is the emergence of germs that are resistant to antibiotics. This is due mainly to the excessive use of antibiotics in medicine and agriculture.
Infectious diseases are intertwined with numerous global issues and are inseparable from political, economic, and cultural components of globalization. Ethnic conflicts make populations vulnerable to infectious diseases. Fighting contributes to the collapse of public services, which means that many people die from what would ordinarily be treatable diseases, such as diarrhea and respiratory infections. Conflicts also create refugees, overcrowding, and unsanitary conditions, thereby creating environments conducive to the spread of infectious diseases.
Environmental degradation and deforestation expose humans to a variety of infectious diseases. They also contribute to global warming and flooding,.
Scapegoating is a theory of prejudice and discrimination. Societ.docxtodd331
Scapegoating is a theory of prejudice and discrimination. Society looks at the weakest group, and places blame on that group for all ills. That group then becomes the bottom level of society. We've seen this over the past 18 months. Illegal immigrants have been blamed for many issues, in particular crime and unemployment rates. Yet, I know few in my own area who will do the jobs these folks do every day. As for crime, please see the link below for a journal article that addresses this issue. Most crimes committed by immigrants without papers are misdemeanors.
What are your thoughts?
.
More Related Content
Similar to Sample Security PoliciesAcceptable_Encryption_Policy.docAccep.docx
Week 7Worksheet 4 LANWAN Compliance and AuditingCourse L.docxcockekeshia
Week 7
Worksheet 4: LAN/WAN Compliance and Auditing
Course Learning Outcome(s)
· Analyze information security systems compliance requirements within the Workstation and LAN Domains.
· Design and implement ISS compliance within the LAN-to-WAN and WAN domains with an appropriate framework.
As auditors, we presume that no data produced on a computer is 100% secure regardless of whether it’s a standalone device or connected to a local area network (LAN) or a wide area network (WAN). Organizations implement controls, which are developed and implemented based on regulations and best security practices. Security is implemented throughout an organizations enterprise – from the host the user sits and throughout the devices data traverses or is stored. Here’s an example of a basic enterprise and the security controls that may be implemented. Remember, controls can be physical or logical devices, software or encryption.
Host – A host is a computer, tablet or other device that a user interfaces with to perform a function. The device you’re reading this on is a host. The security controls that could be implemented onto a host include a Host Based Intrusion Detection Systems (HIDS), Host Based Intrusion Prevention System (HIPS), a software Firewall, and Antivirus protection. Policy controls implemented on a host include Role Based Access Control (RBAC), Discretionary Access Control (DAC), Mandatory Access Control (MAC), Login requirements, lockout settings and others that restrict what a user can and can’t do while logged into a host and software to manage (allow and deny) policies electronically (ePo).
Local Area Network – Think of a LAN as an internal network used by an organization that allows user to execute functions using various applications and storage while also having the ability to connect to other organizations using the Internet or Virtual Private Networks (VPN’s). A host connects to a switch and data is routed to a router where it either access systems on the LAN or to a router where it’s going to exchange data with another LAN or WAN. The devices that comprise a LAN and WAN are similar with a difference in that a WAN is built to a much larger scale. As stated, in a network, there are many devices, servers, switches, routers, storage, Call Managers (for VoIP communications), firewalls, web content filters, security appliances that manage Network Intrusion Detection Systems (NIDS), Network Intrusion Prevention Systems (NIPS) and other organization unique systems.
Often as a cost savings measure, services such as security, web content filtering, storage, IP telephony, Software licensing (SaaS) and others can be outsourced to a third party vendor. An agreement is made between the organization and the vendor on the expected requirements and documented in the contract. These requirements are known as Service Level Agreements (SLA).At no point does an organization relieve itself of regulatory requirements for data protection by contracting it o.
Worksheet 4 LANWAN Compliance and Auditinglook on the docume.docxgriffinruthie22
Worksheet 4: LAN/WAN Compliance and Auditing
look on the document below how its set up
Course Learning Outcome(s)
Analyze information security systems compliance requirements within the Workstation and LAN Domains.
Design and implement ISS compliance within the LAN-to-WAN and WAN domains with an appropriate framework.
As auditors, we presume that no data produced on a computer is 100% secure regardless of whether it’s a standalone device or connected to a local area network (LAN) or a wide area network (WAN). Organizations implement controls, which are developed and implemented based on regulations and best security practices. Security is implemented throughout an organizations enterprise – from the host the user sits and throughout the devices data traverses or is stored. Here’s an example of a basic enterprise and the security controls that may be implemented. Remember, controls can be physical or logical devices, software or encryption.
Host – A host is a computer, tablet or other device that a user interfaces with to perform a function. The device you’re reading this on is a host. The security controls that could be implemented onto a host include a Host Based Intrusion Detection Systems (HIDS), Host Based Intrusion Prevention System (HIPS), a software Firewall, and Antivirus protection. Policy controls implemented on a host include Role Based Access Control (RBAC), Discretionary Access Control (DAC), Mandatory Access Control (MAC), Login requirements, lockout settings and others that restrict what a user can and can’t do while logged into a host and software to manage (allow and deny) policies electronically (ePo).
Local Area Network – Think of a LAN as an internal network used by an organization that allows user to execute functions using various applications and storage while also having the ability to connect to other organizations using the Internet or Virtual Private Networks (VPN’s). A host connects to a switch and data is routed to a router where it either access systems on the LAN or to a router where it’s going to exchange data with another LAN or WAN. The devices that comprise a LAN and WAN are similar with a difference in that a WAN is built to a much larger scale. As stated, in a network, there are many devices, servers, switches, routers, storage, Call Managers (for VoIP communications), firewalls, web content filters, security appliances that manage Network Intrusion Detection Systems (NIDS), Network Intrusion Prevention Systems (NIPS) and other organization unique systems.
Often as a cost savings measure, services such as security, web content filtering, storage, IP telephony, Software licensing (SaaS) and others can be outsourced to a third party vendor. An agreement is made between the organization and the vendor on the expected requirements and documented in the contract. These requirements are known as Service Level Agreements (SLA).At no point does an organization relieve itself of regulatory requiremen ...
With 2014 being noted as “The Year of the Breach,” many businesses are still unprepared or not properly protected from numerous security threats. So what can your business do to help keep sensitive data safe? Check out the following slideshow to learn how to protect yourself and your business from threats. Contact the IT Security experts at MTG today to protect your organization!
Sample Data Security PoliciesThis document provides three ex.docxrtodd599
Sample Data Security Policies
This document provides three example data security policies
that cover key areas of concern. They should not be considered
an exhaustive list but rather each organization should identify
any additional areas that require policy in accordance with their
users, data, regulatory environment and other relevant factors.
The three policies cover:
1. Data security policy: Employee requirements
2. Data security policy: Data Leakage Prevention – Data in Motion
3. Data security policy: Workstation Full Disk Encryption
Comments to assist in the use of these policies have been added in red.
Sample Data Security Policies
1
Data security policy: Employee requirements
Using this policy
This example policy outlines behaviors expected of employees when dealing with data and provides a classification of the types of
data with which they should be concerned. This should link to your AUP (acceptable use policy), security training and information
security policy to provide users with guidance on the required behaviors.
1.0 Purpose
<Company X> must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely
impacting our customers. The protection of data in scope is a critical business requirement, yet flexibility to access data and work
effectively is also critical.
It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it will reliably detect
all data. It’s primary objective is user awareness and to avoid accidental loss scenarios. This policy outlines the requirements for
data leakage prevention, a focus for the policy and a rationale.
2.0 Scope
1. Any employee, contractor or individual with access to <Company X> systems or data.
2. Definition of data to be protected (you should identify the types of data and give examples so that your users can identify it
when they encounter it)
� PII
� Financial
� Restricted/Sensitive
� Confidential
� IP
3.0 Policy – Employee requirements
1. You need to complete <Company X>’s security awareness training and agree to uphold the acceptable use policy.
2. If you identify an unknown, un-escorted or otherwise unauthorized individual in <Company X> you need to immediately notify
<complete as appropriate>.
3. Visitors to <Company X> must be escorted by an authorized employee at all times. If you are responsible for escorting
visitors you must restrict them appropriate areas.
4. You are required not to reference the subject or content of sensitive or confidential data publically, or via systems or
communication channels not controlled by <Company X>. For example, the use of external e-mail systems not hosted by
<Company X> to distribute data is not allowed.
5. Please keep a clean desk. To maintain information security you need to ensure that all printed in scope data is not left
unattended at your workstation.
Sample Data Security Policies
2.
How to Secure Your Enterprise Network.docxNeilStark1
With the advent of the digital age, businesses have gone digital with the help of adequate enterprise networking setup that comprises IT infrastructures that provides connectivity among users, devices, and applications.
How to Secure Your Enterprise Network.pdfNeilStark1
With the advent of the digital age, businesses have gone digital with the help of adequate enterprise networking setup that comprises IT infrastructures that provides connectivity among users, devices, and applications.
How to Secure Your Enterprise Network.docxNeilStark1
With the advent of the digital age, businesses have gone digital with the help of adequate enterprise networking setup that comprises IT infrastructures that provides connectivity among users, devices, and applications.
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
journal publishing, how to publish research paper, Call For research paper, international journal, publishing a paper, IJERD, journal of science and technology, how to get a research paper published, publishing a paper, publishing of journal, publishing of research paper, reserach and review articles, IJERD Journal, How to publish your research paper, publish research paper, open access engineering journal, Engineering journal, Mathemetics journal, Physics journal, Chemistry journal, Computer Engineering, Computer Science journal, how to submit your paper, peer reviw journal, indexed journal, reserach and review articles, engineering journal, www.ijerd.com, research journals,
yahoo journals, bing journals, International Journal of Engineering Research and Development, google journals, hard copy of journal
Similar to Sample Security PoliciesAcceptable_Encryption_Policy.docAccep.docx (20)
ScanScan 1Scan 2Scan 3Scan 4Scan 5Scan 6Scan 7Scan 8Scan 9Scan 10Scan 11Scan 12Scan 13
Chapter 13 Global Health Challenges
MANY INDIVIDUALS AND NONGOVERNMENTAL ORGANIZATIONS (NGOS) HELP FIGHT GLOBAL DISEASE. The Bill and Melinda Gates Foundation plays a key role in the war against malaria, AIDS, and other diseases. Melinda and Bill Gates met with doctors and patients at the Manhica Research Center and Hospital in an area of Mozambique heavily affected by malaria.
Learning Objectives
1. 13.1Recall the causes and effects of noncommunicable diseases
2. 13.2Evaluate the role of global travel and trade in facilitating the globalization of infectious diseases
3. 13.3Outline the three developments that gave rise to the concept of human security
4. 13.4Describe the three epidemiologic transitions to better understand contemporary concerns about infectious diseases
5. 13.5Report the cause, spread, effects, and control measures of influenza and avian flu
6. 13.6Report the cause, spread, effects, and control measures of malaria
7. 13.7Recognize the causes and preventive measures of HIV
8. 13.8Report the origin, spread, effects, and control measures of SARS
9. 13.9Report the origin, spread, effects, and control measures of Ebola
10. 13.10Outline role of the WHO in preventing the spread of infectious diseases
Noncommunicable diseases (NCDs) such as heart disease, cancer, diabetes, chronic respiratory disease, and mental illness in general and Alzheimer’s disease in particular are the leading causes of death and disability globally. Long associated with affluent Western standards of living, NCDs are now a global problem. While rich countries are better equipped to deal with chronic diseases, they are far more deadly in poor countries. Growing numbers of old people and the spread of middle-class lifestyles make NCDs more prevalent than infectious diseases. Globalization also contributes to the growth of NCDs by helping expand the global middle class and by promoting fast foods, sugary drinks, alcohol, smoking, processed foods, and sedentary lifestyles. A major global health threat that undermines efforts to cure diseases is the emergence of germs that are resistant to antibiotics. This is due mainly to the excessive use of antibiotics in medicine and agriculture.
Infectious diseases are intertwined with numerous global issues and are inseparable from political, economic, and cultural components of globalization. Ethnic conflicts make populations vulnerable to infectious diseases. Fighting contributes to the collapse of public services, which means that many people die from what would ordinarily be treatable diseases, such as diarrhea and respiratory infections. Conflicts also create refugees, overcrowding, and unsanitary conditions, thereby creating environments conducive to the spread of infectious diseases.
Environmental degradation and deforestation expose humans to a variety of infectious diseases. They also contribute to global warming and flooding,.
Scapegoating is a theory of prejudice and discrimination. Societ.docxtodd331
Scapegoating is a theory of prejudice and discrimination. Society looks at the weakest group, and places blame on that group for all ills. That group then becomes the bottom level of society. We've seen this over the past 18 months. Illegal immigrants have been blamed for many issues, in particular crime and unemployment rates. Yet, I know few in my own area who will do the jobs these folks do every day. As for crime, please see the link below for a journal article that addresses this issue. Most crimes committed by immigrants without papers are misdemeanors.
What are your thoughts?
.
Scanned with CamScannerScanned with CamScannerIN.docxtodd331
Scanned with CamScanner
Scanned with CamScanner
INSTRUCTIONS
Write a brief case study (ALZHIEMER DISEASE) of a real or hypothetical issue or problem that needs investigation (approx. 200-250 words max).
Discussion 3.2: Hypothesis Test Tag Team
Corporate Responsibility 8;
The Social Responsibility of Business Is
to Increase Its Profits
Milton Friedman
When I hear businessmen speak eloquently
about the “social responsibilities of business
in a free-enterprise system,” I am reminded
of the wonderful line about the Frenchman
who discovered at the age of 70 that he had
been speaking prose all his life. The busi
nessmen believe that they are defending free
enterprise when they declaim that business
is not concerned “merely” with profit but
also with promoting desirable “social” ends;
that business has a “social conscience” and
takes seriously its responsibilities for provid
ing employment, eliminating discrimina
tion, avoiding pollution and whatever else
may be the catchwords of the contemporary
crop of reformers. In fact they are—or
would be if they or anyone else took them
seriously—preaching pure and unadulter
ated socialism. Businessmen who talk this
way are unwitting puppets of the intellectual
forces that have been undermining the basis
of a free society these past decades.
The discussions of the “social responsibil
ities of business” are notable for their analyt
ical looseness and lack of rigor. What does it
mean to say that “business” has responsibili
ties? Only people can have responsibilities.
A corporation is an artificial person and in
this sense may have artificial responsibili
ties, but “business” as a whole cannot be said
to have responsibilities, even in this vague
sense. The first step toward clarity in ex
amining the doctrine of the social responsi
bility of business is to ask precisely what it
implies for whom.
Presumably, the individuals who are to be
responsible are businessmen, which means
individual proprietors or corporate execu
tives. Most of the discussion of social respon
sibility is directed at corporations, so in what
follows I shall mostly neglect the individual
proprietors and speak of corporate execu
tives.
In a free-enterprise, private-property sys
tem, a corporate executive is an employee of
the owners of the business. He has direct re
sponsibility to his employers. That responsi
bility is to conduct the business in accord
ance with their desires, which generally will
be to make as much money as possible while
conforming to the basic rules of the society,
both those embodied in law and those em
bodied in ethical custom. Of course, in some
cases his employers may have a different ob
jective. A group of persons might establish a
corporation for an eleemosynary purpose—
for example, a hospital or a school. The
manager of such a corporation will not have
money profit as his objectives but the ren
dering of certain services.
In either case,.
Sara Mohammed1991 Washington St.Indiana, PA 15701(571) 550-3.docxtodd331
Sara Mohammed
1991 Washington St.
Indiana, PA 15701
(571) 550-3232
[email protected]
EDUCATION
Indiana University of Pennsylvania (IUP) Expected December 2020
Bachelor of Science in Business
Northern Virginia Community College (NOVA), Woodbridge, VA May 2016
English As a Second Language
Volunteerism
Saudi club association at Gannon University Fall 2018
SKILLS
· Speak three languages (Arabic, English, and Turkish)
· Knowledge with technology
· Experience with Microsoft, Word, Excel, and PowerPoint
· Looking for helping others always
· Familiar with taking care of kids
.
Scanned with CamScannerApplication Assignment 2 Part 2 .docxtodd331
Scanned with CamScanner
Application Assignment 2: Part 2 - Developing an Advocacy Campaign
The following application, Part 2, will be due in Week 7.
To prepare:
· Review Chapter 3 of Health policy and politics: A nurse’s guide.
· In the first assignment, you reflected on whether the policy you would like to promote could best be achieved through the development of new legislation, or a change in an existing law or regulation. Refine as necessary using any feedback from your first paper.
· Contemplate how existing laws or regulations may affect how you proceed in advocating for your proposed policy.
· Consider how you could influence legislators or other policymakers to enact the policy you propose.
· Think about the obstacles of the legislative process that may prevent your proposed policy from being implemented as intended.
·
To complete:
Part Two will have approximately 3–4 pages of content plus a title page and references. Part Two will address the following:
· Explain whether your proposed policy could be enacted through a modification of existing law or regulation or the creation of new legislation/regulation.
· Explain how existing laws or regulations could affect your advocacy efforts. Be sure to cite and reference the laws and regulations using primary sources.
· Provide an analysis of the methods you could use to influence legislators or other policymakers to support your policy. In particular, explain how you would use the “three legs” of lobbying in your advocacy efforts.
· Summarize obstacles that could arise in the legislative process and how to overcome these hurdles.
Milstead: 3 Legs of Lobbying
“According to Milstead (2013), Leg One of the Three-Legged Stool consists of lobbying which is the act of influencing – the art of persuading-a government entity. “Legislators often rely on lobbyists’ expertise to help them understand what they are voting for or against.” (Milstead, 2013, p. 53). Local State Representatives should be targeted as a champion for the bill and that’s likely where an average voter can begin for their voice to be heard at the local and state levels.Leg Two of the Three-Legged Stool also includes the grassroots lobbyists. The AmericanNurses Association often spear-heads lobbying efforts in the best interest of the public on healthcare related issues and has a strong history of working with Congress on these important issues. “Grassroots lobbyists are constituents who have the power to elect officials through their vote and have expertise and knowledge about a particular issue (such as nurses in healthcare reform debates)” (Milstead, 2013, p. 54). Nurses can become a member of the American Nurses Association or other associations to ensure nurses have a voice on these important issues”
Reflection
Associate Professor Michael Segon
Director MBA
1
Reflection
Reflection is used as a learning tool to make sense of what we have experienced and how we can optimise our learning from that experience.
.
Scanned by CamScannerScanned by CamScannerChapte.docxtodd331
Scanned by CamScanner
Scanned by CamScanner
Chapter 13:The Bureaucracy
ADA Text Version
Learning Objectives
1. Describe the formal organization of the federal bureaucracy.
2. Classify the vital functions performed by the bureaucracy.
3. Explain the present Civil Service system and contrast it with the 19th century spoils system.
4. Identify the various factors contributing to bureaucracy's growth over time.
5. Compare the means by which Congress and the president attempt to maintain control over the bureaucracy.
6. Analyze and evaluate the problems that bureaucratic organization poses for American democracy.
Introduction
The very word "bureaucracy" often carries negative connotations. To refer to an institution as a "bureaucracy" or characterize it as "bureaucratic" is usually intended as an insult. But the national bureaucracy, sometimes called the "fourth branch of government", is responsible for practically all of the day-to-day work of governing the country. While bureaucracy in the United States, consistent with our tradition of more limited government, is smaller than its counterparts in other longstanding democracies, its influence extends to almost every corner of American society. From delivery of the mail to regulation of the stock market to national defense, federal employees plan, regulate, adjudicate, enforce, and implement federal law. Despite recurrent calls to "shrink" the size of government, the federal bureaucracy remains the largest single employer in the United States. This lesson examines the bureaucracy's formal organization, its critical role in the American economy and society, and its perceived weaknesses.
Study Questions
1. How did sociologist Max Weber define bureaucracy?
2. Identify the various functions federal bureaucracies perform giving at least one example each:
a. Implementation
b. Regulation
c. Adjudication
d. Enforcement
e. Policy-making
3. How many people does the federal government employ? For what percentage of GDP does federal spending account? How does this compare to other economically advanced democracies?
4. Classify and distinguish the major types of bureaucracy in the federal government:
a. Cabinet Departments
b. Independent Agencies
c. Independent Regulatory Commissions
d. Government Corporations
5. How does the federal bureaucracy select and recruit personnel? Contrast the present civil service system with the spoils system. What advantages does the present system provide?
6. What factors explain the growth of bureaucracy over time despite recurrent calls for limiting the size of government?
7. Identify those factors in the budget process making it difficult to cut bureaucratic funding.
8. Describe the way Congress authorizes funding for the federal bureaucracy.
9. How does Congress attempt to control the federal bureaucracy?
10. How does the president attempt to control the federal bureaucracy?
11. What special problems does bureaucratic independence present in a democracy? Discuss with re.
SANS SIFT tool Final project , related to (digital foren.docxtodd331
SANS SIFT tool Final project , related to (digital forensics tools and technique)
Description : A 500-700 word, double spaced paper, written in APA format, showing sources and a bibliography and ppt presentation too
Presentation materials
.
Scanned by CamScannerScanned by CamScannerTABLE .docxtodd331
Scanned by CamScanner
Scanned by CamScanner
TABLE 2.2 Connecting Knowledge of Development and Learning to Teaching Practices
Principles of Child Development and Learning
Developmentally Appropriate Teaching Practices
Children develop holistically
• Teachers plan daily activities and routines to address aesthetic, emotional, cognitive, language, physical, and social development.
• Teachers integrate learning across the curriculum (e.g., mixing language, physical, and social; combining math, science, and reading).
Child development follows an orderly sequence
• Teachers use their knowledge of developmental sequences to gauge whether children are developing as expected, to determine reasonable expectations, and to plan next steps in the learning process.
Children develop at varying rates
• Teachers give children opportunities to pursue activities at their own pace.
• Teachers repeat activities more than once so children can participate according to changing needs and abilities.
• Teachers plan activities with multiple learning objectives to address the needs of more and less advanced learners.
Children learn best when they feel safe and secure
• Teachers develop nurturing relationships with children and remain with children long enough so children can easily identify a specific adult from whom to seek help, comfort, attention, and guidance.
• Daily routines are predictable. Changes in routine are explained in advance so children can anticipate what will happen.
• There is two-way communication between teachers and families, and families are welcome in the program.
• Children have access to images, objects, and activities that reflect their home experiences.
• The early childhood environment complies with all safety requirements.
• Adults use positive discipline to enhance children’s self-esteem, self-control, and problem-solving abilities.
• Teachers address aggression and bullying calmly, firmly, and proactively.
Children are active learners
• Activities, transitions, and routines respect children’s attention span, need for activity and need for social interaction. Inactive segments of the day are short.
• Children participate in gross motor activities every day.
Children learn through a combination of physical experience, social experience, and reflection
• Adults encourage children to explore and investigate. They pose questions, offer information, and challenge children’s thinking.
• Children have many chances to document and reflect on their ideas.
Children learn through mastery and challenge
• Practitioners simplify, maintain, or extend activities in response to children’s functioning and comprehension.
Children’s learning profiles vary
• Teachers present the same information in more than one modality (seeing, hearing, touching) and through different types of activities.
• Children have opportunities to play on their own and with others; indoors and outdoors; with natural and manufactured materials.
Chil.
Sandro Reyes 1
5
Human Impact on the Environment
Every day, I see the harmful impacts of humans on the environment. Just 13 percent of the globe’s oceans remain unsoiled by humanity’s damaging impacts (Carrington, 2018). In the remotest poles and Pacific areas, most of the ocean has no natural marine wildlife. Pollution, huge fishing fleets, and global shipping along with climate change are all degrading the oceans. The vehicles we drive every day, industrial wastes, overpopulation, and fossil fuels, all have negative effects on the environment. Human activities are negatively affecting the environment by degrading it and sooner or later, the earth will not be able to sustain humans.
Overpopulation is now an epidemic with decreased mortality rates, improved medicine, and food sustainability. We are living longer, which is increasing population. The impact of overpopulation includes environmental degradation due to cutting down of trees to create space. With less trees to filter the air, an increase in carbon dioxide levels is damaging every single organism (Interesting Engineering, 2019). Another effect of overpopulation is overdependence on fossil fuels such as coal and oil, which emit plentiful carbon oxide into the air. With increased population, humans need more space, which damage ecosystems and augment carbon dioxide emissions.
Pollution is another impact of human activities on the environment. From trash, industrial wastes to carbon dioxide emissions into the air, pollutions is inevitable. Over 2.4 billion individuals have no access to sources of clean water. Human activities continue to deplete indispensable resources such as soil, water, and air. United States, for example, produces 147 million metric tons of air pollution annually (Interesting Engineering, 2019). Air quality in developing nations continues to plummet as well. This means that we are engaging in activities that are hurting the environment.
Global warming is one of the greatest causes of environmental degradation contributed by human activities. Some people do not believe that global warming is real. However, that is not true, and its major contributors include carbon dioxide emissions from respiration, deforestation, and burning fossil fuels. Each year, we continue to contribute to levels of carbon dioxide globally. Current levels exceed 400 PPM, and the rise in carbon dioxide emissions are attributed to an increase in global temperatures (Interesting Engineering, 2019). The result is the melting of arctic glaciers and land ice, which will increase sea levels, and have negative effects on oceanic life.
Climate change is another impact on the environment that is being caused by us. It is linked .
Scanned with CamScannerResearch Summary (paper)For thi.docxtodd331
Scanned with CamScanner
Research Summary (paper)
For this assignment you summarize one of the experimental research studies from your research collection.
(I did not make one, feel free to choose any research that has to do with psychology.)
Check out Audris Oh's research summary I put in the files -- it's a great model.
Write your summary in 5 pages or so, basically summarizing each of the major sections - literature review, methods section, results section and discussion. Let the abstract at the beginning of the paper guide you (It's just one paragraph but is a great guide). Why was the study done and how does it fit in with other work in the field (the intro or lit review)? What was the actual experiment (the methods section)? What were the results (the results section)? Why is it important (the discussion section)? Conclude your paper with a personal reaction -- does this fit with what you’ve seen? How might you use any insight the study provides?
Include the pdf of the article (or link to it) and the reference to the article in APA style. Here's an example of a reference:
Stein, S., Isaacs, G., & Andrews, T. (2004). Incorporating authentic learning experiences within a university course. Studies in Higher Education, 29(2), 239-258.
Example of how the essay should look like: https://middlesexcc.libguides.com/ld.php?content_id=7578609
Mendel, 150 years on
T.H. Noel Ellis1, Julie M.I. Hofer1, Gail M. Timmerman-Vaughan2, Clarice J. Coyne3
and Roger P. Hellens4
1
Institute of Biological, Environmental & Rural Sciences, Aberystwyth University, Gogerddan Campus, Aberystwyth,
Ceredigion, SY23 3EB, UK
2
The New Zealand Institute for Plant & Food Research Ltd, Christchurch 8140, New Zealand
3
USDA-ARS Western Regional Plant Introduction Station, Washington State University, Pullman, Washington, USA
4
The New Zealand Institute for Plant & Food Research Ltd, Auckland, New Zealand
Review
Mendel’s paper ‘Versuche über Pflanzen-Hybriden’ is the
best known in a series of studies published in the late 18th
and 19th centuries that built our understanding of the
mechanism of inheritance. Mendel investigated the seg-
regation of seven gene characters of pea (Pisum sativum),
of which four have been identified. Here, we review what
is known about the molecular nature of these genes,
which encode enzymes (R and Le), a biochemical regula-
tor (I) and a transcription factor (A). The mutations are: a
transposon insertion (r), an amino acid insertion (i), a
splice variant (a) and a missense mutation (le-1). The
nature of the three remaining uncharacterized characters
(green versus yellow pods, inflated versus constricted
pods, and axial versus terminal flowers) is discussed.
Mendel’s studies: species, traits and genes
Mendel’s paper ‘Versuche ü ber Pflanzen-Hybriden’ [1] is
the best known in a series of studies published in the late
18th and 19th centuries [2–4] that built our understanding
of the mechanism of inheritance [5]. The title of M.
Scanned with CamScannerHACCP Recipe TermsCheck tempe.docxtodd331
Scanned with CamScanner
HACCP Recipe Terms
Check temperature of food at least every four hours and record
Check temperature of storage area at beginning of shift.
Cook eggs, poultry, fish, and meat in a microwave oven to a minimum temperature of 165 degrees F.
Cook fish to a minimum of 145 degrees F for 15 seconds.
Cook ground meats to a minimum of 155 degrees F for 15 seconds.
Cook poultry to a minimum of 165 degrees F for 15 seconds.
Cook vegetables to a temperature of 135 degrees F or higher.
Cooked food should be cooled from 135 degrees F to 70 degrees F within 2 hours and from 70 degrees F to 41 degrees F or lower in an additional 4 hours.
Cool foods to at least 70 degrees F before refrigerating or freezing.
Crack egg in separate bowl before combining to larger bowl.
Discard food held in the temperature danger zone for longer than four hours.
Hold cold foods at an internal temperature of 41 degrees F or lower.
Hold frozen foods at a temperature of 0 degrees F or lower.
Thaw food in a microwave oven if it will be cooked immediately after.
Hold hot foods at a minimum internal temperature of 135 degrees F or higher.
Hold hot foods at a minimum internal temperature of 135 degrees F or higher.
Inspect can before opening for swollen ends, rust, or dents.
Label food for storage with ingredient list and date of preparation.
Prepare raw foods separately from ready to eat foods.
Reduce the size or quantity of food to be cooled.
Reheat food to 165 degrees F for 15 seconds.
Remove from the refrigerator only as much product as can be prepared at one time.
Remove jewelry
Rotate products to ensure that the oldest inventory is used first.
Sanitize work surface, equipment, and utensils.
Store chemicals away from food products.
Store cut melons at 41 degrees F or lower.
Store fresh-cut produce between 33 to 41 degrees F to maintain quality.
Store raw meat, poultry, and fish in the bottom of the refrigerator.
Thaw food by submerging under running potable water at a temperature of 70 degrees F or lower.
Thaw food in a microwave oven if it will be cooked immediately after.
Thaw food in the refrigerator at 41 degrees F or lower.
Use a clean, sanitized, and calibrated thermometer to measure the internal temperature of foods.
Wash all fresh fruit prior to serving
Wash your hands
Wear gloves
Wear hairnet
Standardized Recipe Form
Recipe Name_____________________________________ Category_______________________________ Recipe #__________________________
(i.e., entrée, breads)
HACCP Process: _____ 1 – No Cook _____ 2 – Cook & Same Day Serve _____ 3 – Cook, Cool, Reheat, Serve
Ingredients
For ___________Servings
Directions: Include step by step instructions, the critical control points (CCP-specific points at which a hazard can be reduced, eliminated or prevented) and critical limit (time and/or temperature that must be achieved to control a hazard).
Weight
Measure
Serving Size___________________ Pan Size_______________.
Scanned with CamScanner1 STANDARIZATION OF A B.docxtodd331
Scanned with CamScanner
1
STANDARIZATION OF A BASE
AND TITRATION OF A VINEGAR SOLUTION
ADDITIONAL READING
The concepts in this experiment are also discussed in sections 3.6 AND 17.3 of Chemistry and Chemical Reactivity by
Kotz, Treichel, Townsend and Treichel, and in sections 4.3b, 17.3a, and 17.3b of Mindtap General Chemistry by Vining,
Young, Day, and Botch
ABSTRACT
This experiment is divided into two parts. Each student is expected to perform the experiment individually.
In Part A, you will prepare a NaOH titrant solution, then standardize it (determine its exact concentration) using the acid
primary standard, potassium hydrogen phthalate, KHC8H4O4, frequently abbreviated as KHP. Note KHP is not a chemical
formula.
In Part B you will use your standardized NaOH solution to determine the molar concentration of vinegar (an acetic acid,
CH3COOH, solution), and convert this concentration unit to a mass percent concentration unit, and finally compare your
measured mass percent concentration to the value reported on the bottle.
BACKGROUND
TITRATIONS
One of the most useful strategies in analytical chemistry is to use a known reagent (known composition or concentration)
as a standard to analyze an unknown substance. A titration is an analytical procedure in which a solution of known
concentration, the standard solution, is slowly reacted with a solution of unknown concentration. The concentration of
the unknown solution can be easily calculated. Titration is often used to measure the concentration of an acid or base,
but it can also be used for any chemical reaction if the stoichiometry is known.
EXPERIMENTS 6 AND 7 ARE BOTH ACID BASE TITRATION EXPERIMENTS, QUITE SIMILAR TO EACH OTHER.
THE REASONS FOR DOING TWO TITRATION EXPERIMENTS
A. TO GIVE STUDENTS PLENTY OF OPPORTUNITY BOTH TO PERFECT THEIR TITRATION TECHNIQUE AND
TO LEARN TO DO THE CALCULATIONS;
B. TITRATION IS THE MOST IMPORTANT TECHNIQUE LEARNED IN CHEM 1033 LAB.
YOU WILL DO A PRACTICAL LAB EXAM AT THE END OF THE SEMESTER; IT WILL BE A VERY SIMILAR
TITRATION.
IT IS IMPORTANT TO REALIZE THAT TITRATION IS AN ACQUIRED SKILL, REQUIRING PRACTICE. MOST
STUDENTS ARE NOT PROFICIENT AT FIRST, BUT IF YOU WANT TO BECOME EXPERT AT IT, YOU WILL GET
THERE WITH PRACTICE.
It is critical that there be an observable change that signals that the titration is complete. This is called the endpoint,
since it signals the end of the titration, when the equivalents of titrant added just equal the equivalents of the analyte
unknown. When performing an acid-base titration, we commonly use an acid-base indicator that has one color before the
endpoint but changes sharply to a different color at the pH of the endpoint.
Titrations are carried out using a specialized piece of glassware called a buret, which is long tube with a dispensing valve.
The buret scale has graduated marks in units of 0.01 mL or 0.02 mL. You can apply the techniques used for readi.
Scanlon Technologies, Inc. Anne Scanlon founded Scanlon Technol.docxtodd331
Scanlon Technologies, Inc.
*
Anne Scanlon founded Scanlon Technologies, Inc., in 1993. The company designed and manufactured high-tech products that were used in various industries ranging from semiconductor to aviation. Over the years, Scanlon Technologies reported a compound annual growth rate in revenues of over 20% due to high demand for the company’s products and Anne’s superior management skills. By the end of 1996, it was clear that any further growth would have to come from international expansion. However, establishing manufacturing operations and opening up sales and marketing offices abroad required a significant amount of capital. Anne considered investing more of her own money into the business; however, given that she already had most of her wealth tied up in the company, she decided against the idea. Moreover, she believed that the amount of funds Scanlon Technologies needed to raise for expansion was in the tens of millions. In her mind, there was only one clear solution—go public.
In September 1996, Anne hired J.P. Suisse, a top tier investment bank, to take Scanlon Technologies public. On January 1, 1997, the company, which was authorized by the State of Delaware to sell 20 million common stock and 10 million preferred stock, issued one million shares of common stock in an Initial Public Offering (IPO) and began trading on the New York Stock Exchange under the ticker symbol STI. The stock, which had a par value of $1, was sold for $20 per share and climbed to $26 a share by the end of its first trading day.
As expected, the funds raised in the IPO were used to open offices all over the world as well as build a second manufacturing plant in Toronto, Canada. Over the next couple of years, business was good and the company was able to generate enough cash to maintain its level of operations.
In October 1999, Anne learned that Kadehjian
Solution
s Coporation, a competitor, was considering the option of being acquired. Anne believed that such an acquisition would position Scanlon Technologies as the industry leader. One of Kadehjian’s requirements for such an acquisition was that it be an all-cash transaction. Anne knew that this would require Scanlon Technologies to raise approximately $7 million.
Ann contracted J.P. Suisse to discuss raising these funds through the capital markets. The managing directors at J.P. Suisse recommended that Scanlon Technologies employ a combination of debt and equity securities. Anne agreed and on January 1, 2000, the company issued an additional one hundred thousand shares of its $1 par value common stock at $40 per share. On the same day, the company issued $2 million in bonds at 95.8, due in 5 years with 5% interest payable annually (at year end). The market interest rate at the time was 6% per year. Also on January 1, 2000, Scanlon Technologies issued $1.3 million in zero-coupon (i.e. no interest) convertible bonds, also due in 5 years. Each $1,000 bond converted into 20 shares of its commo.
scan the following 2 poems by Robert Herrick. analyze each poems rhy.docxtodd331
scan the following 2 poems by Robert Herrick. analyze each poems rhyme and verse and its meter and number of feet. then in a short paragraph, tell me what you think.
Upon Julia's Breasts
Display thy breasts, my Julia, there let me
Behold that circummortal purity;
Between whose glories, there my lips I'll lay,
Ravished in that fair Via Lactea.
Upon a Child That Died
Here she lies, a pretty bud,
Lately made of flesh and blood,
Who as soon fell fast asleep
As her little eyes did peep.
Give her strewings, but not stir
The earth that lightly covers her.
.
SBUX ISIncome Statement - As Reported 10K in millionsIncome Statem.docxtodd331
SBUX ISIncome Statement - As Reported 10K in millionsIncome Statement - As Reported 10Q in millions9/30/139/30/149/30/159/30/169/30/179/30/18TTM12/30/173/30/186/30/189/30/1812/29/18TTM Company-operated stores$11,793.2$12,977.9$15,197.3$16,844.1$17,650.719,690.320,318.8 Company-operated stores4,741.84,828.05,060.45,060.1$5,370.3020,318.8 Total specialty$3,073.6$3,469.9$3,965.4$4,471.8$4,736.15,029.24,959.6 Total specialty1,331.91,203.81,249.91,243.5$1,262.404,959.6 Licensed stores$1,360.5$1,588.6$1,861.9$2,154.2$2,355.02,652.22,706.9 Licensed stores682.4625.6660.6683.6$737.102,706.9 CPG, foodservice and other$1,713.1$1,881.3$2,103.5$2,317.6$2,381.12,377.02,252.7 CPG, foodservice and other649.5578.2589.3559.9$525.302,252.7Total net revenues$14,866.8$16,447.8$19,162.7$21,315.9$22,386.8$24,719.525,278.4Total net revenues6,073.76,031.86,310.36,303.6$6,632.7025,278.4 Cost of sales including occupancy costs-$6,382.3-$6,858.8-$7,787.5-$8,511.1-$9,038.2-10,174.5-10,434.2 Cost of sales including occupancy costs-2,502.9-2,516.0-2,554.9-2,604.6($2,758.70)-10,434.2 Store operating expenses-$4,286.1-$4,638.2-$5,411.1-$6,064.3-$6,493.3-7,193.2-7,449.2 Store operating expenses-1,737.0-1,789.6-1,825.0-1,841.6($1,993.00)-7,449.2 Other operating expenses-$431.8-$457.3-$522.4-$545.4-$553.8-539.3-532.2 Other operating expenses-141.6-134.3-148.0-156.7($93.20)-532.2 Depreciation and amortization expenses-$621.4-$709.6-$893.9-$980.8-$1,011.4-1,247.0-1,321.6 Depreciation and amortization expenses-258.8-331.6-330.0-326.6($333.40)-1,321.6 General and administrative expenses-$937.9-$991.3-$1,196.7-$1,360.6-$1,393.3-1,759.0-1,797.8 General and administrative expenses-379.1-405.8-468.7-460.0($463.30)-1,797.8 Restructuring and impairments$0.0$0.0$0.0$0.0-$153.5-224.4-240.0 Restructuring and impairments-27.6-134.7-16.9-45.2($43.20)-240.0 Litigation credit / charge-$2,784.1$20.2$0.0$0.0$0.0$0.0Income from equity investees89.452.771.487.7$67.80279.6Income from equity investees$251.4$268.3$249.9$318.2$391.4301.2279.6Operating income / loss1,116.1772.51,038.2956.6$1,015.703,783.0Operating income / loss-$325.4$3,081.1$3,601.0$4,171.9$4,134.7$3,883.33,783.0Gain resulting from acquisition of joint venture1,326.3Net interest and other income62.3483-$24.8074.9 Gain resulting from acquisition of joint venture$0.0$0.0$390.6$0.0$0.01,376.4$0.0 Interest income and other, net88.2313239$24.80126.0Loss on divestiture of certain operations$0.0$0.0-$61.1$0.0$0.0499.2 Interest expense-25.9-503($75.00)-77.0 Interest income and other, net$123.6$142.7$43.0$108.0$275.3191.4$126.0Earnings / loss before income taxes3,005.9363236$965.501,068.7 Interest expense-$28.1-$64.1-$70.5-$81.3-$92.5-170.3-$77.0Income tax expense / benefit-755.8-35-45-64($205.10)-349.4Earnings / loss before income taxes-$229.9$3,159.7$3,903.0$4,198.6$4,317.5$5,780.0$1,068.7Net earnings / loss including noncontrolling interests2,250.18161,027932$760.403,534.721.83%Net earnings / loss attributab.
Scan the articles in the attached course text. Write a discussi.docxtodd331
Scan the articles in the attached course text. Write a discussion initial post on one of the articles. Choose the one that interests you most.
1.Provide a very brief overview of what you think are the key points (a literature review).
2.What about the policy area interests you?
3.What about the information systems involved in the article interested you?
4.How might this article’s research approach help you in your dissertation research project?
(NOTE: Please cut and paste the above-numbered list into your reply to help with organization.)
.
Scale Ratio Variable Histograms are useful for presenting qu.docxtodd331
Scale Ratio Variable
Histograms are useful for presenting quantitative data such as the example variable ADULT_CT which describes the number of individuals per household. The variable measurement is scale ratio and as it depicts a number, a histogram is able to reflect the number of individuals belonging to each variable value or interval of values (Mishra, Pandey, Singh & Gupta, 2018).). Histograms divide the variable into equal intervals as shown below in individuals reported per home. The graph indicates nearly 3,000 reporting and displays the individual numbers per interval. The bar levels of the graph make it is easy to discern the average number reporting as 2 per household.
Nominal Variable
As nominal variables depict qualitative data such as in the variable Q87 which describes the level of trust individuals felt towards others, a pie graph would be beneficial to use as it easily displays each group or individual share in the total being examined (Mishra, Pandey, Singh & Gupta, 2018). For example, the pie graph here which shows what percentage of trust was and wasn’t felt toward others. Graphs like these are appropriate for showing a variable that cannot be ordered or numerical in value such as feelings of trust (Frankfort-Nachmias, Leon-Guerrero & Davis, 2020).
References
Frankfort-Nachmias, C., Leon-Guerrero, A., & Davis, G. (2020). Social statistics for a diverse society (9th ed.). Thousand Oaks, CA: Sage Publications.
Mishra, P., Pandey, C. M., Singh, U., & Gupta, A. (2018). Scales of measurement and presentation of statistical data.
Annals of cardiac anesthesia
,
21
(4), 419.
Wagner, III, W.E. (2020).
Using IBM® SPSS® statistics for research methods and social science statistics
(7th ed.). Thousand Oaks, CA: Sage Publications.
Be sure to support your Main Post and Response Post with reference to the week’s Learning Resources and other scholarly evidence in APA Style.
.
Scan 12Scan 13Scan 14Scan 15Scan 16Scan 17Scan 18Scan 19
HIST 308
Sofia Clark
Spring 2020
Research Paper
Sample Outline:
1) Introduction
2) Story of capture
3) Background on British antislavery
4) Background on Royal Navy
5) Background on this specific Royal Navy vessel
6) Story of what treaty was used to condemn the slave ship
7) Background on treaty
8) Background on British relations with treaty country
9) Background on slave trade in this particular region
10) Story of what happens to the captives removed from this particular slave ship
11) Background on the general treatment of liberated Africans
12) Explanation of how the story of your ship exemplifies the broader history of slavery and anti-slavery
Bibliography
1) The slave trade in general (i.e., either the Transatlantic slave trade or Indian Ocean slave trade depending on your ship)
Article (JSTOR): Alkalimat, Abdul. "Slave Trade." In The African American Experience in Cyberspace: A Resource Guide to the Best Web Sites on Black Culture and History, 34-42. LONDON; STERLING, VIRGINIA: Pluto Press, 2004. Accessed May 30, 2020. doi:10.2307/j.ctt183q64x.8.
Article (JSTOR): JUNKER, CARSTEN. "Containing Bodies—Enscandalizing Enslavement: Stasis and Movement at the Juncture of Slave-Ship Images and Texts." In Migrating the Black Body: The African Diaspora and Visual Culture, edited by RAIFORD LEIGH and RAPHAEL-HERNANDEZ HEIKE, 13-29. Seattle; London: University of Washington Press, 2017. Accessed May 30, 2020. www.jstor.org/stable/j.ctvcwnj4v.5.
2) The slave trade in the specific area of Africa in which your ship embarked enslaved African captives (e.g., Bight of Benin, Senegambia, Angola).
Book (JSTOR): Strickrodt, Silke. "The Atlantic Connection: Little Popo & the Rise of Afro-European Trade on the Western Slave Coast, C. 1600 to 1702." In Afro-European Trade in the Atlantic World: The Western Slave Coast, C. 1550- C. 1885, 65-101. Woodbridge, Suffolk; Rochester, NY: Boydell & Brewer, 2015. Accessed May 30, 2020. doi:10.7722/j.ctt7zst5n.9.
Article (JSTOR): Graham, James D. "The Slave Trade, Depopulation and Human Sacrifice in Benin History: The General Approach." Cahiers D'Études Africaines 5, no. 18 (1965): 317-34. Accessed May 30, 2020. www.jstor.org/stable/4390897.
3) Slavery in the region to which your ship was heading (e.g., Cuba, Bahia, Pernambuco).
Book (One Search): Schneider, Elena Andrea. The Occupation of Havana: War, Trade, and Slavery in the Atlantic World. North Carolina Scholarship Online. Williamsburg, Virginia : Chapel Hill: Omohundro Institute of Early American History and Culture ; University of North Carolina Press, 2018.
Article (Project Muse): Garrigus, John. "Cuba, Haiti, and the Age of Atlantic Revolution." Reviews in American History 44, no. 1 (2016): 52-57. doi:10.1353/rah.2016.0012.
4) British antislavery policy toward the country your ship was from (e.g., Portugal, Spain, USA)
Book- page 14(Academic Search Premiere- also works for #.
Acetabularia Information For Class 9 .docxvaibhavrinwa19
Acetabularia acetabulum is a single-celled green alga that in its vegetative state is morphologically differentiated into a basal rhizoid and an axially elongated stalk, which bears whorls of branching hairs. The single diploid nucleus resides in the rhizoid.
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
Instructions for Submissions thorugh G- Classroom.pptxJheel Barad
This presentation provides a briefing on how to upload submissions and documents in Google Classroom. It was prepared as part of an orientation for new Sainik School in-service teacher trainees. As a training officer, my goal is to ensure that you are comfortable and proficient with this essential tool for managing assignments and fostering student engagement.
Read| The latest issue of The Challenger is here! We are thrilled to announce that our school paper has qualified for the NATIONAL SCHOOLS PRESS CONFERENCE (NSPC) 2024. Thank you for your unwavering support and trust. Dive into the stories that made us stand out!
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
A Strategic Approach: GenAI in EducationPeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
Honest Reviews of Tim Han LMA Course Program.pptxtimhan337
Personal development courses are widely available today, with each one promising life-changing outcomes. Tim Han’s Life Mastery Achievers (LMA) Course has drawn a lot of interest. In addition to offering my frank assessment of Success Insider’s LMA Course, this piece examines the course’s effects via a variety of Tim Han LMA course reviews and Success Insider comments.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
1. Sample Security Policies/Acceptable_Encryption_Policy.doc
Acceptable Encryption Policy
1.0 Purpose
The purpose of this policy is to provide guidance that limits the
use of encryption to those algorithms that have received
substantial public review and have been proven to work
effectively. Additionally, this policy provides direction to
ensure that Federal regulations are followed, and legal authority
is granted for the dissemination and use of encryption
technologies outside of the United States.
2.0 Scope
This policy applies to all <Company Name> employees and
affiliates.
3.0 Policy
Proven, standard algorithms such as DES, Blowfish, RSA, RC5
and IDEA should be used as the basis for encryption
technologies. These algorithms represent the actual cipher used
for an approved application. For example, Network Associate's
Pretty Good Privacy (PGP) uses a combination of IDEA and
RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses
RSA encryption. Symmetric cryptosystem key lengths must be
at least 56 bits. Asymmetric crypto-system keys must be of a
length that yields equivalent strength. <Company Name>’s key
length requirements will be reviewed annually and upgraded as
technology allows.
The use of proprietary encryption algorithms is not allowed for
2. any purpose, unless reviewed by qualified experts outside of the
vendor in question and approved by InfoSec. Be aware that the
export of encryption technologies is restricted by the U.S.
Government. Residents of countries other than the United States
should make themselves aware of the encryption technology
laws of the country in which they reside.
4.0 Enforcement
Any employee found to have violated this policy may be subject
to disciplinary action, up to and including termination of
employment.
5.0 Definitions
Term
Definition
Proprietary Encryption
An algorithm that has not been made public and/or has not
withstood public scrutiny. The developer of the algorithm could
be a vendor, an individual, or the government.
Symmetric Cryptosystem
A method of encryption in which the same key is used for both
encryption and decryption of the data.
Asymmetric Cryptosystem
A method of encryption in which two different keys are used:
one for encrypting and one for decrypting the data (e.g., public-
3. key encryption).
6.0 Revision History
Sample Security Policies/Acceptable_Use_Policy.docInfoSec
Acceptable Use Policy
1.0 Overview
InfoSec's intentions for publishing an Acceptable Use Policy are
not to impose restrictions that are contrary to <Company
Name>. established culture of openness, trust and integrity.
InfoSec is committed to protecting <Company Name>'s
employees, partners and the company from illegal or damaging
actions by individuals, either knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including but not
limited to computer equipment, software, operating systems,
storage media, network accounts providing electronic mail,
WWW browsing, and FTP, are the property of <Company
Name>. These systems are to be used for business purposes in
serving the interests of the company, and of our clients and
customers in the course of normal operations. Please review
Human Resources policies for further details.
Effective security is a team effort involving the participation
and support of every <Company Name> employee and affiliate
who deals with information and/or information systems. It is the
responsibility of every computer user to know these guidelines,
and to conduct their activities accordingly.
2.0 Purpose
The purpose of this policy is to outline the acceptable use of
computer equipment at <Company Name>. These rules are in
place to protect the employee and <Company Name>.
Inappropriate use exposes <Company Name> to risks including
4. virus attacks, compromise of network systems and services, and
legal issues.
3.0 Scope
This policy applies to employees, contractors, consultants,
temporaries, and other workers at <Company Name>, including
all personnel affiliated with third parties. This policy applies to
all equipment that is owned or leased by <Company Name>.
4.0 Policy
4.1 General Use and Ownership
1. While <Company Name>'s network administration desires to
provide a reasonable level of privacy, users should be aware
that the data they create on the corporate systems remains the
property of <Company Name>. Because of the need to protect
<Company Name>'s network, management cannot guarantee the
confidentiality of information stored on any network device
belonging to <Company Name>.
2. Employees are responsible for exercising good judgment
regarding the reasonableness of personal use. Individual
departments are responsible for creating guidelines concerning
personal use of Internet/Intranet/Extranet systems. In the
absence of such policies, employees should be guided by
departmental policies on personal use, and if there is any
uncertainty, employees should consult their supervisor or
manager.
3. InfoSec recommends that any information that users consider
sensitive or vulnerable be encrypted. For guidelines on
information classification, see InfoSec's Information Sensitivity
Policy. For guidelines on encrypting email and documents, go to
InfoSec's Awareness Initiative.
4. For security and network maintenance purposes, authorized
individuals within <Company Name> may monitor equipment,
5. systems and network traffic at any time, per InfoSec's Audit
Policy.
5. <Company Name> reserves the right to audit networks and
systems on a periodic basis to ensure compliance with this
policy.
4.2 Security and Proprietary Information
1. The user interface for information contained on
Internet/Intranet/Extranet-related systems should be classified
as either confidential or not confidential, as defined by
corporate confidentiality guidelines, details of which can be
found in Human Resources policies. Examples of confidential
information include but are not limited to: company private,
corporate strategies, competitor sensitive, trade secrets,
specifications, customer lists, and research data. Employees
should take all necessary steps to prevent unauthorized access
to this information.
2. Keep passwords secure and do not share accounts. Authorized
users are responsible for the security of their passwords and
accounts. System level passwords should be changed quarterly,
user level passwords should be changed every six months.
3. All PCs, laptops and workstations should be secured with a
password-protected screensaver with the automatic activation
feature set at 10 minutes or less, or by logging-off (control-alt-
delete for Win2K users) when the host will be unattended.
4. Use encryption of information in compliance with InfoSec's
Acceptable Encryption Use policy.
5. Because information contained on portable computers is
especially vulnerable, special care should be exercised. Protect
laptops in accordance with the “Laptop Security Tips”.
6. 6. Postings by employees from a <Company Name> email
address to newsgroups should contain a disclaimer stating that
the opinions expressed are strictly their own and not necessarily
those of <Company Name>, unless posting is in the course of
business duties.
7. All hosts used by the employee that are connected to the
<Company Name> Internet/Intranet/Extranet, whether owned by
the employee or <Company Name>, shall be continually
executing approved virus-scanning software with a current virus
database. Unless overridden by departmental or group policy.
8. Employees must use extreme caution when opening e-mail
attachments received from unknown senders, which may contain
viruses, e-mail bombs, or Trojan horse code.
4.3. Unacceptable Use
The following activities are, in general, prohibited. Employees
may be exempted from these restrictions during the course of
their legitimate job responsibilities (e.g., systems
administration staff may have a need to disable the network
access of a host if that host is disrupting production services).
Under no circumstances is an employee of <Company Name>
authorized to engage in any activity that is illegal under local,
state, federal or international law while utilizing <Company
Name>-owned resources.
The lists below are by no means exhaustive, but attempt to
provide a framework for activities which fall into the category
of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no
exceptions:
7. 1. Violations of the rights of any person or company protected
by copyright, trade secret, patent or other intellectual property,
or similar laws or regulations, including, but not limited to, the
installation or distribution of "pirated" or other software
products that are not appropriately licensed for use by
<Company Name>.
2. Unauthorized copying of copyrighted material including, but
not limited to, digitization and distribution of photographs from
magazines, books or other copyrighted sources, copyrighted
music, and the installation of any copyrighted software for
which <Company Name> or the end user does not have an
active license is strictly prohibited.
3. Exporting software, technical information, encryption
software or technology, in violation of international or regional
export control laws, is illegal. The appropriate management
should be consulted prior to export of any material that is in
question.
4. Introduction of malicious programs into the network or server
(e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
5. Revealing your account password to others or allowing use of
your account by others. This includes family and other
household members when work is being done at home.
6. Using a <Company Name> computing asset to actively
engage in procuring or transmitting material that is in violation
of sexual harassment or hostile workplace laws in the user's
local jurisdiction.
7. Making fraudulent offers of products, items, or services
originating from any <Company Name> account.
8. Making statements about warranty, expressly or implied,
8. unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network
communication. Security breaches include, but are not limited
to, accessing data of which the employee is not an intended
recipient or logging into a server or account that the employee
is not expressly authorized to access, unless these duties are
within the scope of regular duties. For purposes of this section,
"disruption" includes, but is not limited to, network sniffing,
pinged floods, packet spoofing, denial of service, and forged
routing information for malicious purposes.
10. Port scanning or security scanning is expressly prohibited
unless prior notification to InfoSec is made.
11. Executing any form of network monitoring which will
intercept data not intended for the employee's host, unless this
activity is a part of the employee's normal job/duty.
12. Circumventing user authentication or security of any host,
network or account.
13. Interfering with or denying service to any user other than
the employee's host (for example, denial of service attack).
14. Using any program/script/command, or sending messages of
any kind, with the intent to interfere with, or disable, a user's
terminal session, via any means, locally or via the
Internet/Intranet/Extranet.
15. Providing information about, or lists of, <Company Name>
employees to parties outside <Company Name>.
Email and Communications Activities
1. Sending unsolicited email messages, including the sending of
"junk mail" or other advertising material to individuals who did
9. not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging,
whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Solicitation of email for any other email address, other than
that of the poster's account, with the intent to harass or to
collect replies.
5. Creating or forwarding "chain letters", "Ponzi" or other
"pyramid" schemes of any type.
6. Use of unsolicited email originating from within <Company
Name>'s networks of other Internet/Intranet/Extranet service
providers on behalf of, or to advertise, any service hosted by
<Company Name> or connected via <Company Name>'s
network.
7. Posting the same or similar non-business-related messages to
large numbers of Usenet newsgroups (newsgroup spam).
5.0 Enforcement
Any employee found to have violated this policy may be subject
to disciplinary action, up to and including termination of
employment.
6.0 Definitions
TermDefinition
Spam
Unauthorized and/or unsolicited electronic mass mailings.
7.0 Revision History
Sample Security Policies/Analog_Line_Policy.doc
10. Analog/ISDN Line Security Policy
1.0 Purpose
This document explains <Company Name> analog and ISDN
line acceptable use and approval policies and procedures. This
policy covers two distinct uses of analog/ISDN lines: lines that
are to be connected for the sole purpose of fax sending and
receiving, and lines that are to be connected to computers.
2.0 Scope
This policy covers only those lines that are to be connected to a
point inside <Company Name> building and testing sites. It
does not pertain to ISDN/phone lines that are connected into
employee homes, PBX desktop phones, and those lines used by
Telecom for emergency and non-corporate information
purposes.
3.0 Policy
3.1 Scenarios & Business Impact
There are two important scenarios that involve analog line
misuse, which we attempt to guard against through this policy.
The first is an outside attacker who calls a set of analog line
numbers in the hope of connecting to a computer that has a
modem attached to it. If the modem answers (and most
computers today are configured out-of-the-box to auto-answer)
from inside <Company Name> premises, then there is the
possibility of breaching <Company Name>'s internal network
through that computer, unmonitored. At the very least,
information that is held on that computer alone can be
compromised. This potentially results in the loss of millions of
dollars worth of corporate information.
11. The second scenario is the threat of anyone with physical access
into a <Company Name> facility being able to use a modem-
equipped laptop or desktop computer. In this case, the intruder
would be able to connect to the trusted networking of
<Company Name> through the computer's Ethernet connection,
and then call out to an unmonitored site using the modem, with
the ability to siphon <Company Name> information to an
unknown location. This could also potentially result in the
substantial loss of vital information.
Specific procedures for addressing the security risks inherent in
each of these scenarios follow.
3.2 Facsimile Machines
As a rule, the following applies to requests for fax and analog
lines:
· Fax lines are to be approved for departmental use only.
· No fax lines will be installed for personal use.
· No analog lines will be placed in a personal cubicle.
· The fax machine must be placed in a centralized
administrative area designated for departmental use, and away
from other computer equipment.
· A computer which is capable of making a fax connection is not
to be allowed to use an analog line for this purpose.
Waivers for the above policy on analog-as-fax lines will be
delivered on a case-by-case basis after reviewing the business
need with respect to the level of sensitivity and security posture
of the request.
12. Use of an analog/ISDN fax line is conditional upon the
requester's full compliance with the requirements listed below.
These requirements are the responsibility of the authorized user
to enforce at all times:
· The fax line is used solely as specified in the request.
· Only persons authorized to use the line have access to it.
· When not in use, the line is to be physically disconnected from
the computer.
· When in use, the computer is to be physically disconnected
from <Company Name>'s internal network.
· The line will be used solely for <Company Name> business,
and not for personal reasons.
· All downloaded material, prior to being introduced into
<Company Name> systems and networks, must have been
scanned by an approved anti-virus utility (e.g., McAfee
VirusScan) which has been kept current through regular
updates.
3.3 Computer-to-Analog Line Connections
The general policy is that requests for computers or other
intelligent devices to be connected with analog or ISDN lines
from within <Company Name> will not be approved for security
reasons. Analog and ISDN lines represent a significant security
threat to <Company Name>, and active penetrations have been
launched against such lines by hackers. Waivers to the policy
above will be granted on a case by case basis.
Replacement lines, such as those requeested because of a move,
fall under the category of "new" lines. They will also be
13. considered on a case by case basis.
3.4 Requesting an Analog/ISDN Line
Once approved by a manager, the individual requesting an
analog/ISDN line must provide the following information to
Telecom:
· a clearly detailed business case of why other secure
connections available at <Company Name> cannot be used,
· the business purpose for which the analog line is to be used,
· the software and hardware to be connected to the line and used
across the line,
· and to what external connections the requester is seeking
access.
The business case must answer, at a minimum, the following
questions:
· What business needs to be conducted over the line?
· Why is a <Company Name>-equipped desktop computer with
Internet capability unable to accomplish the same tasks as the
proposed analog line?
· Why is <Company Name>'s current dial-out access pool
unable to accomplish the same tasks as an analog line?
In addition, the requester must be prepared to answer the
following supplemental questions related to the security profile
of the request:
· Will the machines that are using the analog lines be physically
14. disconnected from <Company Name>'s internal network?
· Where will the analog line be placed? A cubicle or lab?
· Is dial-in from outside of <Company Name> needed?
· How many lines are being requested, and how many people
will use the line?
· How often will the line be used? Once a week, 2 hours per
day...?
· What is the earliest date the line can be terminated from
service?
· The line must be terminated as soon as it is no longer in use.
· What other means will be used to secure the line from
unauthorized use?
· Is this a replacement line from an old location? What was the
purpose of the original line?
· What types of protocols will be run over the line?
· Will a <Company Name>-authorized anti-virus scanner be
installed on the machine(s) using the analog lines?
· The requester should use the Analog/ISDN Line Request Form
to address these issues and submit a request.
4.0 Enforcement
Any employee found to have violated this policy may be subject
to disciplinary action, up to and including termination of
employment.
15. 5.0 Revision History
Sample Security Policies/Anti-virus_Guidelines.doc
Guidelines on Anti-Virus Process
Recommended processes to prevent virus problems:
· Always run the Corporate standard, supported anti-virus
software is available from the corporate download site.
Download and run the current version; download and install
anti-virus software updates as they become available.
· NEVER open any files or macros attached to an email from an
unknown, suspicious or untrustworthy source. Delete these
attachments immediately, then "double delete" them by
emptying your Trash.
· Delete spam, chain, and other junk email without forwarding,
in with <Company Name>'s Acceptable Use Policy.
· Never download files from unknown or suspicious sources.
· Avoid direct disk sharing with read/write access unless there
is absolutely a business requirement to do so.
· Always scan a floppy diskette from an unknown source for
viruses before using it.
· Back-up critical data and system configurations on a regular
basis and store the data in a safe place.
· If lab testing conflicts with anti-virus software, run the anti-
virus utility to ensure a clean machine, disable the software,
then run the lab test. After the lab test, enable the anti-virus
16. software. When the anti-virus software is disabled, do not run
any applications that could transfer a virus, e.g., email or file
sharing.
· New viruses are discovered almost every day. Periodically
check the Lab Anti-Virus Policy and this Recommended
Processes list for updates.
Sample Security Policies/Application_Service_Providers.doc
Application Service Providers (ASP) Policy
1.0 Purpose
This document describes Information Security's requirements of
Application Service Providers (ASPs) that engage with
<Company Name>.
2.0 Scope
This policy applies to any use of Application Service Providers
by <Company Name>, independent of where hosted.
3.0 Policy
3.1 Requirements of Project Sponsoring Organization
The ASP Sponsoring Organization must first establish that its
project is an appropriate one for the ASP model, prior to
engaging any additional infrastructure teams within <Company
Name> or ASPs external to the company. The person/team
wanting to use the ASP service must confirm that the ASP
chosen to host the application or project complies with this
policy. The Business Function to be outsourced must be
evaluated against the following:
1. The requester must go through the ASP engagement process
17. with the ASP Tiger Team to ensure affected parties are properly
engaged.
2. In the event that <Company Name> data or applications are
to be manipulated by, or hosted at, an ASP's service, the ASP
sponsoring organization must have written, explicit permission
from the data/application owners. A copy of this permission
must be provided to InfoSec.
3. The information to be hosted by an ASP must fall under the
"Minimal" or "More Sensitive" categories. Information that falls
under the "Most Sensitive" category may not be outsourced to
an ASP. Refer to the Information Sensitivity Policy for
additional details.
4. If the ASP provides confidential information to <Company
Name>, the ASP sponsoring organization is responsible for
ensuring that any obligations of confidentiality are satisfied.
This includes information contained in the ASP's application.
<Company Name>'s legal services department should be
contacted for further guidance if questions about third-party
data arise. Projects that do not meet these criteria may not be
deployed to an ASP.
3.2 Requirements of the Application Service Provider
InfoSec has created an associated document, entitled ASP
Security Standards that sets forth the minimum security
requirements for ASPs. The ASP must demonstrate compliance
with these Standards in order to be considered for use.
The ASP engagement process includes an InfoSec evaluation of
security requirements. The ASP Security Standards can be
provided to ASPs that are either being considered for use by
<Company Name>, or have already been selected for use.
18. InfoSec may request that additional security measures be
implemented in addition to the measures stated in the ASP
Security Standards document, depending on the nature of the
project. InfoSec may change the requirements over time, and the
ASP is expected to comply with these changes.
ASPs that do not meet these requirements may not be used for
<Company Name> Systems, Inc. projects.
4.0 Enforcement
Any employee found to have violated this policy may be subject
to disciplinary action, up to and including termination of
employment. Application Service Providers found to have
violated this policy may be subject to financial penalties, up to
and including termination of contract.
5.0 Definitions
Terms
Definitions
Application Service Provider (ASP)
ASPs combine hosted software, hardware and networking
technologies to offer a service-based application, as opposed to
a <Company Name>-owned and operated application. Common
ASP offerings include enterprise resource planning (ERP),
collaboration and sales force automation tools, but are not
limited to these things.
ASP Sponsoring Organization
19. The group within <Company Name> that wishes to utilize the
services of an ASP.
Business Function
The business need that a software application satisfies. managed
by an ASP that hosts an application on behalf of <Company
Name>.
6.0 Revision History
Sample Security Policies/Aquisition_Assessment_Policy.doc
Acquisition Assessment Policy
1.0 Purpose
To establish InfoSec responsibilities regarding corporate
acquisitions, and define the minimum security requirements of
an InfoSec acquisition assessment.
2.0 Scope
This policy applies to all companies acquired by <Company
Name> and pertains to all systems, networks, laboratories, test
equipment, hardware, software and firmware, owned and/or
operated by the acquired company.
3.0 Policy
I. General
Acquisition assessments are conducted to ensure that a company
being acquired by <Company Name> does not pose a security
risk to corporate networks, internal systems, and/or
20. confidential/sensitive information. InfoSec will provide
personnel to serve as active members of the acquisition team
throughout the acquisition process. The InfoSec role is to detect
and evaluate information security risk, develop a remediation
plan with the affected parties for the identified risk, and work
with the acquisitions team to implement solutions for any
identified security risks, prior to allowing connectivity to
<Company Name>'s networks. Below are the minimum
requirements that the acquired company must meet before being
connected to the <Company Name> network.
II. Requirements
A. Hosts
1. All hosts (servers, desktops, laptops) will be replaced or re-
imaged with a <Company Name> standard image.
2. Business critical production servers that cannot be replaced
or re-imaged must be audited and a waiver granted by InfoSec.
3. All PC based hosts will require <Company Name> approved
virus protection before the network connection.
B. Networks
1. All network devices will be replaced or re-imaged with a
<Company Name> standard image.
2. Wireless network access points will be configured to the
<Company Name> standard.
C. Internet
1. All Internet connections will be terminated.
21. 2. When justified by business requirements, air-gapped Internet
connections require InfoSec review and approval.
D. Remote Access
1. All remote access connections will be terminated.
2. Remote access to the production network will be provided by
<Company Name>.
E. Labs
1. Lab equipment must be physically separated and secured
from non-lab areas.
2. The lab network must be separated from the corporate
production network with a firewall between the two networks.
3. Any direct network connections (including analog lines,
ISDN lines, T1, etc.) to external customers, partners, etc., must
be reviewed and approved by the Lab Security Group (LabSec).
4. All acquired labs must meet with LabSec lab policy, or be
granted a waiver by LabSec.
5. In the event the acquired networks and computer systems
being connected to the corporate network fail to meet these
requirements, the <Company Name> Chief Information Officer
(CIO) must acknowledge and approve of the risk to <Company
Name>'s networks
4.0 Enforcement
Any employee found to have violated this policy may be subject
to disciplinary action, up to and including termination of
employment.
22. 5.0 Definitions
Terms Definitions
Business Critical Production Server
A server that is critical to the continued business operations of
the acquired Company.
Sample Security Policies/asp_standards.docASP Security
Standards
1.0 Overview
This document defines the minimum security criteria that an
Application Service Provider (ASP) must meet in order to be
considered for use by <Company Name>. As part of the ASP
selection process, the ASP Vendor must demonstrate
compliance with the Standards listed below by responding in
writing to EVERY statement and question in the six categories.
InfoSec will closely review the vendor responses, and will
suggest remediation measures in any areas that fall short of the
minimum security criteria. Corporate Information Security
(InfoSec) approval of any given ASP resides largely on the
vendor's response to this document.
These Standards are subject to additions and changes without
warning by InfoSec.
2.0 Scope
This document can be provided to ASPs that are either being
considered for use by <Company Name>, or have already been
selected for use.
3.0 Responding to These Standards
InfoSec is looking for explicitly detailed, technical responses to
the following statements and questions. ASPs should format
23. their responses directly beneath the Standards (both questions
and requirements) listed below. In addition, please include any
security whitepapers, technical documents, or policies that you
may have.
Answers to each Guideline should be specific and avoid
generalities, e.g.:
Examples:
Bad: "We have hardened our hosts against attack."
Good: "We have applied all security patches for Windows 2000
as of 8/31/2000 to our servers. Our Administrator is tasked
with keeping up-to-date on current vulnerabilities that may
affect our environment, and our policy is to apply new patches
during our maintenance period (2300hrs, Saturday) every week.
Critical updates are implemented within 24 hours. A complete
list of applied patches is available to <Company Name>."
Bad: "We use encryption."
Good: "All communications between our site and <Company
Name> will be protected by IPSec ESP Tunnel mode using 168-
bit TripleDES encryption, SHA-1 authentication. We exchange
authentication material via either out-of-band shared secret, or
PKI certificates."
4.0 Standards
4.1 General Security
1. <Company Name> reserves the right to periodically audit the
<Company Name> application infrastructure to ensure
compliance with the ASP Policy and these Standards. Non-
intrusive network audits (basic portscans, etc.) may be done
24. randomly, without prior notice. More intrusive network and
physical audits may be conducted on site with 24 hours notice.
2. The ASP must provide a proposed architecture document that
includes a full network diagram of the <Company Name>
Application Environment, illustrating the relationship between
the Environment and any other relevant networks, with a full
data flowchart that details where <Company Name> data
resides, the applications that manipulate it, and the security
thereof.
3. The ASP must be able to immediately disable all or part of
the functionality of the application should a security issue be
identified.
4.2 Physical Security
1. The equipment hosting the application for <Company Name>
must be located in a physically secure facility, which requires
badge access at a minimum.
2. The infrastructure (hosts, network equipment, etc.) hosting
the <Company Name> application must be located in a locked
cage-type environment.
3. <Company Name> shall have final say on who is authorized
to enter any locked physical environment, as well as access the
<Company Name> Application Infrastructure.
4. The ASP must disclose who amongst their personnel will
have access to the environment hosting the application for
<Company Name>.
5. <Company Name>'s Corporate Asset Protection team requires
that the ASP disclose their ASP background check procedures
25. and results prior to InfoSec granting approval for use of an
ASP.
4.3 Network Security
1. The network hosting the application must be air-gapped from
any other network or customer that the ASP may have. This
means the <Company Name> application environment must use
separate hosts, and separate infrastructure.
2. How will data go between <Company Name> and the ASP?
Keep in mind the following two things:
a. If <Company Name> will be connecting to the ASP via a
private circuit (such as frame relay, etc.), then that circuit must
terminate on the <Company Name> extranet, and the operation
of that circuit will come under the procedures and policies that
govern the <Company Name> Partner Network Management
Group.
b. If, on the other hand, the data between <Company Name> and
the ASP will go over a public network such as the Internet,
appropriate firewalling technology must be deployed by the
ASP, and the traffic between <Company Name> and the ASP
must be protected and authenticated by cryptographic
technology (See Cryptography below).
4.4 Host Security
1. The ASP must disclose how and to what extent the hosts
(Unix, NT, etc.) comprising the <Company Name> application
infrastructure have been hardened against attack. If the ASP
has hardening documentation for the CAI, provide that as well.
26. 2. The ASP must provide a listing of current patches on hosts,
including host OS patches, web servers, databases, and any
other material application.
3. Information on how and when security patches will be
applied must be provided. How does the ASP keep up on
security vulnerabilities, and what is the policy for applying
security patches?
4. The ASP must disclose their processes for monitoring the
integrity and availability of those hosts.
5. The ASP must provide information on their password policy
for the <Company Name> application infrastructure, including
minimum password length, password generation guidelines, and
how often passwords are changed.
6. <Company Name> cannot provide internal
usernames/passwords for account generation, as the company is
not comfortable with internal passwords being in the hands of
third parties. With that restriction, how will the ASP
authenticate users? (e.g., LDAP, Netegrity, Client certificates.)
7. The ASP must provide information on the account generation,
maintenance and termination process, for both maintenance as
well as user accounts. Include information as to how an
account is created, how account information is transmitted back
to the user, and how accounts are terminated when no longer
needed.
4.5 Web Security
1. At <Company Name>'s discretion, the ASP may be required
to disclose the specific configuration files for any web servers
and associated support functions (such as search engines or
27. databases).
2. Please disclose whether, and where, the application uses
Java, Javascript, ActiveX, PHP or ASP (active server page)
technology.
3. What language is the application back-end written in? (C,
Perl, Python, VBScript, etc.)
4. Please describe the ASP process for doing security Quality
Assurance testing for the application. For example, testing of
authentication, authorization, and accounting functions, as well
as any other activity designed to validate the security
architecture.
5. Has the ASP done web code review, including CGI, Java, etc,
for the explicit purposes of finding and remediating security
vulnerabilities? If so, who did the review, what were the
results, and what remediation activity has taken place? If not,
when is such an activity planned?
4.6 Cryptography
1. The <Company Name> application infrastructure cannot
utilize any "homegrown" cryptography – any symmetric,
asymmetric or hashing algorithm utilized by the <Company
Name> application infrastructure must utilize algorithms that
have been published and evaluated by the general cryptographic
community.
2. Encryption algorithms must be of sufficient strength to
equate to 168-bit TripleDES.
3. Preferred hashing functions are SHA-1 and MD-5.
28. 4. Connections to the ASP utilizing the Internet must be
protected using any of the following cryptographic
technologies: IPSec, SSL, SSH/SCP, PGP.
5. If the <Company Name> application infrastructure requires
PKI, please contact <Company Name> Information Security
Group for additional guidance.
Sample Security Policies/Audit_Policy.doc
Audit Vulnerability Scan Policy
1.0 Purpose
The purpose of this agreement is to set forth our agreement
regarding network security scanning offered by the <Internal or
External Audit Name> to the <Company Name>. <Internal or
External Audit Name> shall utilize <Approved Name of
Software> to perform electronic scans of Client’s networks
and/or firewalls or on any system at <Company Name>.
Audits may be conducted to:
· Ensure integrity, confidentiality and availability of
information and resources
· Investigate possible security incidents ensure conformance to
<Company Name> security policies
· Monitor user or system activity where appropriate.
2.0 Scope
This policy covers all computer and communication devices
owned or operated by <Company Name>. This policy also
covers any computer and communications device that are
29. present on <Company Name> premises, but which may not be
owned or operated by <Company Name>. The <Internal or
External Audit Name> will not perform Denial of Service
activities.
3.0 Policy
When requested, and for the purpose of performing an audit,
consent to access needed will be provided to members of
<Internal or External Audit Name>. <Company Name> hereby
provides its consent to allow of <Internal or External Audit
Name> to access its networks and/or firewalls to the extent
necessary to allow [Audit organization] to perform the scans
authorized in this agreement. <Company Name> shall provide
protocols, addressing information, and network connections
sufficient for <Internal or External Audit Name> to utilize the
software to perform network scanning.
This access may include:
· User level and/or system level access to any computing or
communications device
· Access to information (electronic, hardcopy, etc.) that may be
produced, transmitted or stored on <Company Name> equipment
or premises
· Access to work areas (labs, offices, cubicles, storage areas,
etc.)
· Access to interactively monitor and log traffic on <Company
Name> networks.
3.1 Network Control.
If Client does not control their network and/or Internet service
is provided via a
30. second or third party, these parties are required to approve
scanning in writing if scanning is to occur outside of the
<Company Name’s> LAN. By signing this agreement, all
involved parties acknowledge that they authorize of <Internal
or External Audit Name> to use their service networks as a
gateway for the conduct of these tests during the dates and
times specified.
3.2ServiceDegradation and/or Interruption. Network
performance and/or availability may be affected by the network
scanning. <Company Name> releases <Internal or External
Audit Name> of any and all liability for damages that may arise
from network availability restrictions caused by the network
scanning,
unless such damages are the result <Internal or External Audit
Name>’s gross negligence or intentional
misconduct.
3.3Client Point of Contact During the Scanning Period.
<Company Name> shall identify in writing a person to be
available if the result <Internal or External Audit Name>
Scanning Team has questions regarding data discovered or
requires assistance.
3.4 Scanning period. <Company Name> and <Internal or
External Audit Name> Scanning Team shall identify in writing
the allowable dates for the scan to take place.
4.0 Enforcement
Any employee found to have violated this policy may be subject
to disciplinary action, up to and including termination of
employment.
5.0 Revision History
29 September 2003, updated to include National Association of
State Auditors, Comptrollers, and Treasurers; the National
31. Association of Local Government Auditors; the U.S. General
Accounting Office; and U.S. Inspectors General Legal and
Reporting Considerations.
Sample Security
Policies/Automatically_Forwarded_Email_Policy.doc
Automatically Forwarded Email Policy
1.0 Purpose
To prevent the unauthorized or inadvertent disclosure of
sensitive company information.
2.0 Scope
This policy covers automatic email forwarding, and thereby the
potentially inadvertent transmission of sensitive information by
all employees, vendors, and agents operating on behalf of
<Company Name>.
3.0 Policy
Employees must exercise utmost caution when sending any
email from inside <Company Name> to an outside network.
Unless approved by an employee's manager InfoSec, <Company
Name> email will not be automatically forwarded to an external
destination. Sensitive information, as defined in the Information
Sensitivity Policy, will not be forwarded via any means, unless
that email is critical to business and is encrypted in accordance
with the Acceptable Encryption Policy.
4.0 Enforcement
Any employee found to have violated this policy may be subject
to disciplinary action, up to and including termination of
employment.
32. 5.0 Definitions
Terms
Definitions
Email
The electronic transmission of information through a mail
protocol such as SMTP. Programs such as Eudora and Microsoft
Outlook use SMTP.
Forwarded email
Email resent from internal networking to an outside point.
Sensitive information
Information is considered sensitive if it can be damaging to
<Company Name> or its customers' dollar value, reputation, or
market standing.
Unauthorized Disclosure
The intentional or unintentional revealing of restricted
information to people who do not have a need to know that
information.
6.0 Revision History
Sample Security Policies/DB_Credentials_Policy.doc
DB Password Policy
1.0 Purpose
33. This policy states the requirements for securely storing and
retrieving database usernames and passwords (i.e., database
credentials) for use by a program that will access a database
running on one of <Company Name>'s networks.
Computer programs running on <Company Name>'s networks
often require the use of one of the many internal database
servers. In order to access one of these databases, a program
must authenticate to the database by presenting acceptable
credentials. The database privileges that the credentials are
meant to restrict can be compromised when the credentials are
improperly stored.
2.0 Scope
This policy applies to all software that will access a <Company
Name>, multi-user production database.
3.0 Policy
3.1 General
In order to maintain the security of <Company Name>'s internal
databases, access by software programs must be granted only
after authentication with credentials. The credentials used for
this authentication must not reside in the main, executing body
of the program's source code in clear text. Database credentials
must not be stored in a location that can be accessed through a
web server.
3.2 Specific Requirements
3.2.1. Storage of Data Base User Names and Passwords
· Database user names and passwords may be stored in a file
separate from the executing body of the program's code. This
34. file must not be world readable.
· Database credentials may reside on the database server. In this
case, a hash number identifying the credentials may be stored in
the executing body of the program's code.
· Database credentials may be stored as part of an
authentication server (i.e., an entitlement directory), such as an
LDAP server used for user authentication. Database
authentication may occur on behalf of a program as part of the
user authentication process at the authentication server. In this
case, there is no need for programmatic use of database
credentials.
· Database credentials may not reside in the documents tree of a
web server.
· Pass through authentication (i.e., Oracle OPS$ authentication)
must not allow access to the database based solely upon a
remote user's authentication on the remote host.
· Passwords or pass phrases used to access a database must
adhere to the Password Policy.
3.2.2. Retrieval of Database User Names and Passwords
· If stored in a file that is not source code, then database user
names and passwords must be read from the file immediately
prior to use. Immediately following database authentication, the
memory containing the user name and password must be
released or cleared.
· The scope into which you may store database credentials must
be physically separated from the other areas of your code, e.g.,
the credentials must be in a separate source file. The file that
contains the credentials must contain no other code but the
35. credentials (i.e., the user name and password) and any
functions, routines, or methods that will be used to access the
credentials.
· For languages that execute from source code, the credentials'
source file must not reside in the same browseable or executable
file directory tree in which the executing body of code resides.
3. Access to Database User Names and Passwords
· Every program or every collection of programs implementing
a single business function must have unique database
credentials. Sharing of credentials between programs is not
allowed.
· Database passwords used by programs are system-level
passwords as defined by the Password Policy.
· Developer groups must have a process in place to ensure that
database passwords are controlled and changed in accordance
with the Password Policy. This process must include a method
for restricting knowledge of database passwords to a need-to-
know basis.
4. Coding Techniques for implementing this policy
[Add references to your site-specific guidelines for the different
coding languages such as Perl, JAVA, C and/or Cpro.]
4.0 Enforcement
Any employee found to have violated this policy may be subject
to disciplinary action, up to and including termination of
employment.
5.0 Definitions
36. Term
Definition
Computer language
A language used to generate programs.
Credentials
Something you know (e.g., a password or pass phrase), and/or
something that identifies you (e.g., a user name, a fingerprint,
voiceprint, retina print). Something you know and something
that identifies you are presented for authentication.
Entitlement
The level of privilege that has been authenticated and
authorized. The privileges level at which to access resources.
Executing body
The series of computer instructions that the computer executes
to run a program.
Hash
An algorithmically generated number that identifies a datum or
its location.
LDAP
Lightweight Directory Access Protocol, a set of protocols for
37. accessing information directories.
Module
A collection of computer language instructions grouped together
either logically or physically. A module may also be called a
package or a class, depending upon which computer language is
used.
Name space
A logical area of code in which the declared symbolic names are
known and outside of which these names are not visible.
Production
Software that is being used for a purpose other than when
software is being implemented or tested.
6.0 Revision History
Sample Security Policies/Dial-in_Access_Policy.doc
Dial-In Access Policy
1.0 Purpose
The purpose of this policy is to protect <Company Name>'s
electronic information from being inadvertently compromised
by authorized personnel using a dial-in connection.
2.0 Scope
The scope of this policy is to define appropriate dial-in access
and its use by authorized personnel.
38. 3.0 Policy
<Company Name> employees and authorized third parties
(customers, vendors, etc.) can use dial-in connections to gain
access to the corporate network. Dial-in access should be
strictly controlled, using one-time password authentication.
[Add something in about how “Dial –in access should be
requesting using the corporate account request process”]
It is the responsibility of employees with dial-in access
privileges to ensure a dial-in connection to <Company Name> is
not used by non-employees to gain access to company
information system resources. An employee who is granted dial-
in access privileges must remain constantly aware that dial-in
connections between their location and <Company Name> are
literal extensions of <Company Name>'s corporate network, and
that they provide a potential path to the company's most
sensitive information. The employee and/or authorized third
party individual must take every reasonable measure to protect
<Company Name>'s assets.
Analog and non-GSM digital cellular phones cannot be used to
connect to <Company Name>'s corporate network, as their
signals can be readily scanned and/or hijacked by unauthorized
individuals. Only GSM standard digital cellular phones are
considered secure enough for connection to <Company Name>'s
network. For additional information on wireless access to the
<Company Name> network, consult the Wireless
Communications Policy.
Note: Dial-in accounts are considered 'as needed' accounts.
Account activity is monitored, and if a dial-in account is not
used for a period of six months the account will expire and no
longer function. If dial-in access is subsequently required, the
individual must request a new account as described above.
40. telephones, voicemail, fax machines, external electronic bulletin
boards, wire services, online services, intranet, Internet and the
World Wide Web.
B. _________[Name of business or owner of computer system]
encourages the use of these media and associated services
because they can make communication more efficient and
effective and because they are valuable sources of information
about vendors, customers, technology, and new products and
services. However, all employees and everyone connected with
the organization should remember that electronic media and
services provided by the company are company property and
their purpose is to facilitate and support company business. All
computer users have the responsibility to use these resources in
a professional, ethical, and lawful manner.
C. To ensure that all employees are responsible, the following
guidelines have been established for using e-mail and the
Internet. No policy can lay down rules to cover every possible
situation. Instead, it is designed to express _________[name of
business or owner of computer system] philosophy and set forth
general principles when using electronic media and services.
SECTION TWO.
PROHIBITED COMMUNICATIONS
Electronic media cannot be used for knowingly transmitting,
retrieving, or storing any communication that is:
1. Discriminatory or harassing;
2. Derogatory to any individual or group;
3. Obscene, sexually explicit or pornographic;
41. 4. Defamatory or threatening;
5. In violation of any license governing the use of software; or
6. Engaged in for any purpose that is illegal or contrary to
_________[name of business or owner of computer system]
policy or business interests.
SECTION THREE.
PERSONAL USE
The computers, electronic media and services provided by
_________[name of business or owner of computer system] are
primarily for business use to assist employees in the
performance of their jobs. Limited, occasional, or incidental use
of electronic media (sending or receiving) for personal,
nonbusiness purposes is understandable and acceptable, and all
such use should be done in a manner that does not negatively
affect the systems' use for their business purposes. However,
employees are expected to demonstrate a sense of responsibility
and not abuse this privilege.
SECTION FOUR.
ACCESS TO EMPLOYEE COMMUNICATIONS
A. Generally, electronic information created and/or
communicated by an employee using e-mail, word processing,
utility programs, spreadsheets, voicemail, telephones, Internet
and bulletin board system access, and similar electronic media
is not reviewed by the company. However, the following
conditions should be noted:
_________[Name of business or owner of computer system]
does routinely gather logs for most electronic activities or
42. monitor employee communications directly, e.g., telephone
numbers dialed, sites accessed, call length, and time at which
calls are made, for the following purposes:
1. Cost analysis;
2. Resource allocation;
3. Optimum technical management of information resources;
and
4. Detecting patterns of use that indicate employees are
violating company policies or engaging in illegal activity.
B. _________[Name of business or owner of computer system]
reserves the right, at its discretion, to review any employee's
electronic files and messages to the extent necessary to ensure
electronic media and services are being used in compliance with
the law, this policy and other company policies.
C. Employees should not assume electronic communications are
completely private. Accordingly, if they have sensitive
information to transmit, they should use other means.
SECTION FIVE.
SOFTWARE
To prevent computer viruses from being transmitted through the
company's computer system, unauthorized downloading of any
unauthorized software is strictly prohibited. Only software
registered through _________[name of business or owner of
computer system] may be downloaded. Employees should
contact the system administrator if they have any questions.
SECTION SIX.
43. SECURITY/APPROPRIATE USE
A. Employees must respect the confidentiality of other
individuals' electronic communications. Except in cases in
which explicit authorization has been granted by company
management, employees are prohibited from engaging in, or
attempting to engage in:
1. Monitoring or intercepting the files or electronic
communications of other employees or third parties;
2. Hacking or obtaining access to systems or accounts they are
not authorized to use;
3. Using other people's log-ins or passwords; and
4. Breaching, testing, or monitoring computer or network
security measures.
B. No e-mail or other electronic communications can be sent
that attempt to hide the identity of the sender or represent the
sender as someone else.
C. Electronic media and services should not be used in a manner
that is likely to cause network congestion or significantly
hamper the ability of other people to access and use the system.
D. Anyone obtaining electronic assess to other companies' or
individuals' materials must respect all copyrights and cannot
copy, retrieve, modify or forward copyrighted materials except
as permitted by the copyright owner.
SECTION SEVEN.
ENCRYPTION
44. Employees can use encryption software supplied to them by the
systems administrator for purposes of safeguarding sensitive or
confidential business information. Employees who use
encryption on files stored on a company computer must provide
their supervisor with a sealed hard copy record (to be retained
in a secure location) of all of the passwords and/or encryption
keys necessary to access the files.
SECTION EIGHT.
PARTICIPATION IN ONLINE FORUMS
A. Employees should remember that any messages or
information sent on company-provided facilities to one or more
individuals via an electronic network—for example, Internet
mailing lists, bulletin boards, and online services—are
statements identifiable and attributable to _________[name of
business or owner of computer system].
B. _________[Name of business or owner of computer system]
recognizes that participation in some forums might be important
to the performance of an employee's job. For instance, an
employee might find the answer to a technical problem by
consulting members of a news group devoted to the technical
area.
SECTION NINE.
VIOLATIONS
Any employee who abuses the privilege of their access to e-mail
or the Internet in violation of this policy will be subject to
corrective action, including possible termination of
employment, legal action, and criminal liability.
SECTION TEN.
45. EMPLOYEE AGREEMENT ON USE OF E-MAIL AND THE
INTERNET
I have read, understand, and agree to comply with the foregoing
policies, rules, and conditions governing the use of the
Company's computer and telecommunications equipment and
services. I understand that I have no expectation of privacy
when I use any of the telecommunication equipment or services.
I am aware that violations of this guideline on appropriate use
of the e-mail and Internet systems may subject me to
disciplinary action, including termination from employment,
legal action and criminal liability. I further understand that my
use of the e-mail and Internet may reflect on the image of
_________[name of business or owner of computer system] to
our customers, competitors and suppliers and that I have
responsibility to maintain a positive representation of the
company. Furthermore, I understand that this policy can be
amended at any time.
Dated: _________.
[Signature of employee]
[Printed name of employee]
[Employee's computer account]
Sample Security Policies/Email_Policy.doc
<COMPANY NAME>Email Use Policy
1.0 Purpose
To prevent tarnishing the public image of <COMPANY NAME>
When email goes out from <COMPANY NAME> the general
46. public will tend to view that message as an official policy
statement from the <COMPANY NAME>.
2.0 Scope
This policy covers appropriate use of any email sent from a
<COMPANY NAME> email address and applies to all
employees, vendors, and agents operating on behalf of
<COMPANY NAME>.
3.0 Policy
3.1 Prohibited Use. The <COMPANY NAME> email system
shall not to be used for the creation or distribution of any
disruptive or offensive messages, including offensive comments
about race, gender, hair color, disabilities, age, sexual
orientation, pornography, religious beliefs and practice,
political beliefs, or national origin. Employees who receive any
emails with this content from any <COMPANY NAME>
employee should report the matter to their supervisor
immediately.
3.2 Personal Use.
Using a reasonable amount of <COMPANY NAME> resources
for personal emails is acceptable, but non-work related email
shall be saved in a separate folder from work related email.
Sending chain letters or joke emails from a <COMPANY
NAME> email account is prohibited. Virus or other malware
warnings and mass mailings from <COMPANY NAME> shall be
approved by <COMPANY NAME> VP Operations before
sending. These restrictions also apply to the forwarding of mail
received by a <COMPANY NAME> employee.
3.3 Monitoring
47. <COMPANY NAME> employees shall have no expectation of
privacy in anything they store, send or receive on the
company’s email system. <COMPANY NAME> may monitor
messages without prior notice. <COMPANY NAME> is not
obliged to monitor email messages.
4.0 Enforcement
Any employee found to have violated this policy may be subject
to disciplinary action, up to and including termination of
employment.
5.0 Definitions
Term
Definition
Email
The electronic transmission of information through a mail
protocol such as SMTP or IMAP. Typical email clients include
Eudora and Microsoft Outlook.
Forwarded email
Email resent from an internal network to an outside point.
Chain email or letter
Email sent to successive people. Typically the body of the note
has direction to send out multiple copies of the note and
promises good luck or money if the direction is followed.
Sensitive information
Information is considered sensitive if it can be damaging to
<COMPANY NAME> or its customers' reputation or market
48. standing.
Virus warning.
Email containing warnings about virus or malware. The
overwhelming majority of these emails turn out to be a hoax and
contain bogus information usually intent only on frightening or
misleading users.
Unauthorized Disclosure
The intentional or unintentional revealing of restricted
information to people, both inside and outside <COMPANY
NAME>, who do not have a need to know that information.
6.0 Revision History
Sample Security Policies/email_retention.doc
Email Retention Policy
1.0 Purpose
The Email Retention Policy is intended to help employees
determine what information sent or received by email should be
retained and for how long.
The information covered in these guidelines includes, but is not
limited to, information that is either stored or shared via
electronic mail or instant messaging technologies.
All employees should familiarize themselves with the email
retention topic areas that follow this introduction.
Questions about the proper classification of a specific piece of
information should be addressed to your manager. Questions
about these guidelines should be addressed to Infosec.
49. 2.0 Scope
This email retention policy is secondary to <Company Name>
policy on Freedom of Information and Business Record
Keeping. Any email that contains information in the scope of
the Business Record Keeping policy should be treated in that
manner. All <Company Name> email information is
categorized into four main classifications with retention
guidelines:
Administrative Correspondence (4 years)
Fiscal Correspondence (4 years)
General Correspondence (1 year)
Ephemeral Correspondence (Retain until read, destroy)
3.0 Policy
3.1 Administrative Correspondence
<Company Name> Administrative Correspondence includes,
though is not limited to clarification of established company
policy, including holidays, time card information, dress code,
work place behavior and any legal issues such as intellectual
property violations. All email with the information sensitivity
label Management Only shall be treated as Administrative
Correspondence. To ensure Administrative Correspondence is
retained, a mailbox [email protected]<Company Name> has
been created, if you copy (cc) this address when you send email,
retention will be administered by the IT Department.
3.2 Fiscal Correspondence
<Company Name> Fiscal Correspondence is all information
50. related to revenue and expense for the company. To ensure
Fiscal Correspondence is retained, a mailbox
[email protected]<Company Name> has been created, if you
copy (cc) this address when you send email, retention will be
administered by the IT Department.
3.3 General Correspondence
<Company Name> General Correspondence covers information
that relates to customer interaction and the operational
decisions of the business. The individual employee is
responsible for email retention of General Correspondence.
3.4 Ephemeral Correspondence
<Company Name> Ephemeral Correspondence is by far the
largest category and includes personal email, requests for
recommendations or review, email related to product
development, updates and status reports.
3.5 Instant Messenger Correspondence
<Company Name> Instant Messenger General Correspondence
may be saved with logging function of Instant Messenger, or
copied into a file and saved. Instant Messenger conversations
that are Administrative or Fiscal in nature should be copied into
an email message and sent to the appropriate email retention
address.
3.6 Encrypted Communications
<Company Name> encrypted communications should be stored
in a manner consistent with <Company Name> Information
Sensitivity Policy, but in general, information should be stored
in a decrypted format.
51. 3.7 Recovering Deleted Email via Backup Media
<Company Name> maintains backup tapes from the email server
and once a quarter a set of tapes is taken out of the rotation and
they are moved offsite. No effort will be made to remove email
from the offsite backup tapes.
4.0 Enforcement
Any employee found to have violated this policy may be subject
to disciplinary action, up to and including termination of
employment.
5.0 Definitions
Terms and Definitions
Approved Electronic Mail
Includes all mail systems supported by the IT Support Team.
These include, but are not necessarily limited to, [insert
corporate supported mailers here…]. If you have a business
need to use other mailers contact the appropriate support
organization.
Approved Encrypted email and files
Techniques include the use of DES and PGP. DES encryption is
available via many different public domain packages on all
platforms. PGP use within <Company Name> is done via a
license. Please contact the appropriate support organization if
you require a license.
Approved Instant Messenger
The Jabber Secure IM Client is the only IM that is approved for
52. use on <Company Name> computers.
Individual Access Controls
Individual Access Controls are methods of electronically
protecting files from being accessed by people other than those
specifically designated by the owner. On UNIX machines, this
is accomplished by careful use of the chmod command (use man
chmod to find out more about it). On Mac’s and PC's, this
includes using passwords on screensavers, such as Disklock.
Insecure Internet Links
Insecure Internet Links are all network links that originate from
a locale or travel over lines that are not totally under the control
of <Company Name>.
Encryption
Secure <Company Name> Sensitive information in accordance
with the Acceptable Encryption Policy. International issues
regarding encryption are complex. Follow corporate guidelines
on export controls on cryptography, and consult your manager
and/or corporate legal services for further guidance.
6.0 Revision History
28 July, 2003 Added discussion of backup media
Sample Security Policies/Extranet_Policy.doc
Extranet Policy
1.0 Purpose
This document describes the policy under which third party
organizations connect to <Company Name> networks for the
53. purpose of transacting business related to <Company Name>.
2.0 Scope
Connections between third parties that require access to non-
public <Company Name> resources fall under this policy,
regardless of whether a telco circuit (such as frame relay or
ISDN) or VPN technology is used for the connection.
Connectivity to third parties such as the Internet Service
Providers (ISPs) that provide Internet access for <Company
Name> or to the Public Switched Telephone Network does NOT
fall under this policy.
3.0 Policy
3.1 Pre-Requisites
3.1.1 Security Review
All new extranet connectivity will go through a security review
with the Information Security department (InfoSec). The
reviews are to ensure that all access matches the business
requirements in a best possible way, and that the principle of
least access is followed.
3.1.2 Third Party Connection Agreement
All new connection requests between third parties and
<Company Name> require that the third party and <Company
Name> representatives agree to and sign the Third Party
Agreement. This agreement must be signed by the Vice
President of the Sponsoring Organization as well as a
representative from the third party who is legally empowered to
sign on behalf of the third party. The signed document is to be
kept on file with the relevant extranet group. Documents
pertaining to connections into <Company Name> labs are to be
54. kept on file with the [name of team responsible for security of
labs].
3.1.3 Business Case
All production extranet connections must be accompanied by a
valid business justification, in writing, that is approved by a
project manager in the extranet group. Lab connections must be
approved by the [name of team responsible for security of labs].
Typically this function is handled as part of the Third Party
Agreement.
3.1.4 Point Of Contact
The Sponsoring Organization must designate a person to be the
Point of Contact (POC) for the Extranet connection. The POC
acts on behalf of the Sponsoring Organization, and is
responsible for those portions of this policy and the Third Party
Agreement that pertain to it. In the event that the POC changes,
the relevant extranet Organization must be informed promptly.
3.2 Establishing Connectivity
Sponsoring Organizations within <Company Name> that wish to
establish connectivity to a third party are to file a new site
request with the proper extranet group. The extranet group will
engage InfoSec to address security issues inherent in the
project. If the proposed connection is to terminate within a lab
at <Company Name>, the Sponsoring Organization must engage
the [name of team responsible for security of labs]. The
Sponsoring Organization must provide full and complete
information as to the nature of the proposed access to the
extranet group and InfoSec, as requested.
All connectivity established must be based on the least-access
principle, in accordance with the approved business
55. requirements and the security review. In no case will <Company
Name> rely upon the third party to protect <Company Name>'s
network or resources.
3.3 Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business
justification, and are subject to security review. Changes are to
be implemented via corporate change management process. The
Sponsoring Organization is responsible for notifying the
extranet management group and/or InfoSec when there is a
material change in their originally provided information so that
security and connectivity evolve accordingly.
3.4 Terminating Access
When access is no longer required, the Sponsoring Organization
within <Company Name> must notify the extranet team
responsible for that connectivity, which will then terminate the
access. This may mean a modification of existing permissions
up to terminating the circuit, as appropriate. The extranet and
lab security teams must conduct an audit of their respective
connections on an annual basis to ensure that all existing
connections are still needed, and that the access provided meets
the needs of the connection. Connections that are found to be
depreciated, and/or are no longer being used to conduct
<Company Name> business, will be terminated immediately.
Should a security incident or a finding that a circuit has been
deprecated and is no longer being used to conduct <Company
Name> business necessitate a modification of existing
permissions, or termination of connectivity, InfoSec and/or the
extranet team will notify the POC or the Sponsoring
Organization of the change prior to taking any action.
4.0 Enforcement
56. Any employee found to have violated this policy may be subject
to disciplinary action, up to and including termination of
employment.
5.0 Definitions
Terms
Definitions
Circuit
For the purposes of this policy, circuit refers to the method of
network access, whether it's through traditional ISDN, Frame
Relay etc., or via VPN/Encryption technologies.
Sponsoring Organization
The <Company Name> organization who requested that the
third party have access into <Company Name>.
Third Party
A business that is not a formal or subsidiary part of <Company
Name>.
6.0 Revision History
Sample Security Policies/Information_Sensitivity_Policy.doc
Information Sensitivity Policy
1.0 Purpose
The Information Sensitivity Policy is intended to help
57. employees determine what information can be disclosed to non-
employees, as well as the relative sensitivity of information that
should not be disclosed outside of <Company Name> without
proper authorization.
The information covered in these guidelines includes, but is not
limited to, information that is either stored or shared via any
means. This includes: electronic information, information on
paper, and information shared orally or visually (such as
telephone and video conferencing).
All employees should familiarize themselves with the
information labeling and handling guidelines that follow this
introduction. It should be noted that the sensitivity level
definitions were created as guidelines and to emphasize
common sense steps that you can take to protect <Company
Name> Confidential information (e.g., <Company Name>
Confidential information should not be left unattended in
conference rooms).
Please Note: The impact of these guidelines on daily activity
should be minimal.
Questions about the proper classification of a specific piece of
information should be addressed to your manager. Questions
about these guidelines should be addressed to Infosec.
2.0 Scope
All <Company Name> information is categorized into two main
classifications:
· <Company Name> Public
· <Company Name> Confidential
58. <Company Name> Public information is information that has
been declared public knowledge by someone with the authority
to do so, and can freely be given to anyone without any possible
damage to <Company Name> Systems, Inc.
<Company Name> Confidential contains all other information.
It is a continuum, in that it is understood that some information
is more sensitive than other information, and should be
protected in a more secure manner. Included is information that
should be protected very closely, such as trade secrets,
development programs, potential acquisition targets, and other
information integral to the success of our company. Also
included in <Company Name> Confidential is information that
is less critical, such as telephone directories, general corporate
information, personnel information, etc., which does not require
as stringent a degree of protection.
A subset of <Company Name> Confidential information is
"<Company Name> Third Party Confidential" information. This
is confidential information belonging or pertaining to another
corporation which has been entrusted to <Company Name> by
that company under non-disclosure agreements and other
contracts. Examples of this type of information include
everything from joint development efforts to vendor lists,
customer orders, and supplier information. Information in this
category ranges from extremely sensitive to information about
the fact that we've connected a supplier / vendor into <Company
Name>'s network to support our operations.
<Company Name> personnel are encouraged to use common
sense judgment in securing <Company Name> Confidential
information to the proper extent. If an employee is uncertain of
the sensitivity of a particular piece of information, he/she
should contact their manager
3.0 Policy
59. The Sensitivity Guidelines below provides details on how to
protect information at varying sensitivity levels. Use these
guidelines as a reference only, as <Company Name>
Confidential information in each column may necessitate more
or less stringent measures of protection depending upon the
circumstances and the nature of the <Company Name>
Confidential information in question.
3.1 Minimal Sensitivity: General corporate information; some
personnel and technical information
Marking guidelines for information in hardcopy or electronic
form.
Note: any of these markings may be used with the additional
annotation of "3rd Party Confidential".
Marking is at the discretion of the owner or custodian of the
information. If marking is desired, the words "<Company
Name> Confidential" may be written or designated in a
conspicuous place on or in the information in question. Other
labels that may be used include "<Company Name> Proprietary"
or similar labels at the discretion of your individual business
unit or department. Even if no marking is present, <Company
Name> information is presumed to be "<Company Name>
Confidential" unless expressly determined to be <Company
Name> Public information by a <Company Name> employee
with authority to do so.
Access: <Company Name> employees, contractors, people with
a business need to know.
Distribution within <Company Name>: Standard interoffice
mail, approved electronic mail and electronic file transmission
methods.
60. Distribution outside of <Company Name> internal mail: U.S.
mail and other public or private carriers, approved electronic
mail and electronic file transmission methods.
Electronic distribution: No restrictions except that it be sent to
only approved recipients.
Storage: Keep from view of unauthorized people; erase
whiteboards, do not leave in view on tabletop. Machines should
be administered with security in mind. Protect from loss;
electronic information should have individual access controls
where possible and appropriate.
Disposal/Destruction: Deposit outdated paper information in
specially marked disposal bins on <Company Name> premises;
electronic data should be expunged/cleared. Reliably erase or
physically destroy media.
Penalty for deliberate or inadvertent disclosure: Up to and
including termination, possible civil and/or criminal prosecution
to the full extent of the law.
3.2 More Sensitive: Business, financial, technical, and most
personnel information
Marking guidelines for information in hardcopy or electronic
form.
Note: any of these markings may be used with the additional
annotation of "3rd Party Confidential". As the sensitivity level
of the information increases, you may, in addition or instead of
marking the information "<Company Name> Confidential" or
"<Company Name> Proprietary", wish to label the information
"<Company Name> Internal Use Only" or other similar labels at
the discretion of your individual business unit or department to
61. denote a more sensitive level of information. However, marking
is discretionary at all times.
Access: <Company Name> employees and non-employees with
signed non-disclosure agreements who have a business need to
know.
Distribution within <Company Name>: Standard interoffice
mail, approved electronic mail and electronic file transmission
methods.
Distribution outside of <Company Name> internal mail: Sent
via U.S. mail or approved private carriers.
Electronic distribution: No restrictions to approved recipients
within <Company Name>, but should be encrypted or sent via a
private link to approved recipients outside of <Company Name>
premises.
Storage: Individual access controls are highly recommended for
electronic information.
Disposal/Destruction: In specially marked disposal bins on
<Company Name> premises; electronic data should be
expunged/cleared. Reliably erase or physically destroy media.
Penalty for deliberate or inadvertent disclosure: Up to and
including termination, possible civil and/or criminal prosecution
to the full extent of the law.
3.3 Most Sensitive: Trade secrets & marketing, operational,
personnel, financial, source code, & technical information
integral to the success of our company
Marking guidelines for information in hardcopy or electronic
form.
62. Note: any of these markings may be used with the additional
annotation of "3rd Party Confidential". To indicate that
<Company Name> Confidential information is very sensitive,
you may should label the information "<Company Name>
Internal: Registered and Restricted", "<Company Name> Eyes
Only", "<Company Name> Confidential" or similar labels at the
discretion of your individual business unit or department. Once
again, this type of <Company Name> Confidential information
need not be marked, but users should be aware that this
information is very sensitive and be protected as such.
Access: Only those individuals (<Company Name> employees
and non-employees) designated with approved access and signed
non-disclosure agreements.
Distribution within <Company Name>: Delivered direct -
signature required, envelopes stamped confidential, or approved
electronic file transmission methods.
Distribution outside of <Company Name> internal mail:
Delivered direct; signature required; approved private carriers.
Electronic distribution: No restrictions to approved recipients
within <Company Name>, but it is highly recommended that all
information be strongly encrypted.
Storage: Individual access controls are very highly
recommended for electronic information. Physical security is
generally used, and information should be stored in a physically
secured computer.
Disposal/Destruction: Strongly Encouraged: In specially
marked disposal bins on <Company Name> premises; electronic
data should be expunged/cleared. Reliably erase or physically
destroy media.
63. Penalty for deliberate or inadvertent disclosure: Up to and
including termination, possible civil and/or criminal prosecution
to the full extent of the law.
4.0 Enforcement
Any employee found to have violated this policy may be subject
to disciplinary action, up to and including termination of
employment.
5.0 Definitions
Terms and Definitions
Appropriate measures
To minimize risk to <Company Name> from an outside business
connection. <Company Name> computer use by competitors and
unauthorized personnel must be restricted so that, in the event
of an attempt to access <Company Name> corporate
information, the amount of information at risk is minimized.
Configuration of <Company Name>-to-other business
connections
Connections shall be set up to allow other businesses to see
only what they need to see. This involves setting up both
applications and network configurations to allow access to only
what is necessary.
Delivered Direct; Signature Required
Do not leave in interoffice mail slot, call the mail room for
special pick-up of mail.
64. Approved Electronic File Transmission Methods
Includes supported FTP clients and Web browsers.
Envelopes Stamped Confidential
You are not required to use a special envelope. Put your
document(s) into an interoffice envelope, seal it, address it, and
stamp it confidential.
Approved Electronic Mail
Includes all mail systems supported by the IT Support Team.
These include, but are not necessarily limited to, [insert
corporate supported mailers here…]. If you have a business
need to use other mailers contact the appropriate support
organization.
Approved Encrypted email and files
Techniques include the use of DES and PGP. DES encryption is
available via many different public domain packages on all
platforms. PGP use within <Company Name> is done via a
license. Please contact the appropriate support organization if
you require a license.
Company Information System Resources
Company Information System Resources include, but are not
limited to, all computers, their data and programs, as well as all
paper information and any information at the Internal Use Only
level and above.
Expunge
To reliably erase or expunge data on a PC or Mac you must use
65. a separate program to overwrite data, supplied as a part of
Norton Utilities. Otherwise, the PC or Mac's normal erasure
routine keeps the data intact until overwritten. The same thing
happens on UNIX machines, but data is much more difficult to
retrieve on UNIX systems.
Individual Access Controls
Individual Access Controls are methods of electronically
protecting files from being accessed by people other than those
specifically designated by the owner. On UNIX machines, this
is accomplished by careful use of the chmod command (use man
chmod to find out more about it). On Mac’s and PC's, this
includes using passwords on screensavers, such as Disklock.
Insecure Internet Links
Insecure Internet Links are all network links that originate from
a locale or travel over lines that are not totally under the control
of <Company Name>.
Encryption
Secure <Company Name> Sensitive information in accordance
with the Acceptable Encryption Policy. International issues
regarding encryption are complex. Follow corporate guidelines
on export controls on cryptography, and consult your manager
and/or corporate legal services for further guidance.
One Time Password Authentication
One Time Password Authentication on Internet connections is
accomplished by using a one time password token to connect to
<Company Name>'s internal network over the Internet. Contact
your support organization for more information on how to set
this up.
66. Physical Security
Physical security means either having actual possession of a
computer at all times, or locking the computer in an unusable
state to an object that is immovable. Methods of accomplishing
this include having a special key to unlock the computer so it
can be used, thereby ensuring that the computer cannot be
simply rebooted to get around the protection. If it is a laptop or
other portable computer, never leave it alone in a conference
room, hotel room or on an airplane seat, etc. Make arrangements
to lock the device in a hotel safe, or take it with you. In the
office, always use a lockdown cable. When leaving the office
for the day, secure the laptop and any other sensitive material in
a locked drawer or cabinet.
Private Link
A Private Link is an electronic communications path that
<Company Name> has control over it's entire distance. For
example, all <Company Name> networks are connected via a
private link. A computer with modem connected via a standard
land line (not cell phone) to another computer have established
a private link. ISDN lines to employee's homes is a private
link. <Company Name> also has established private links to
other companies, so that all email correspondence can be sent in
a more secure manner. Companies which <Company Name> has
established private links include all announced acquisitions and
some short-term temporary links
6.0 Revision History
Sample Security
Policies/Internal_Lab_Security_Policy.docInternal Lab Security
Policy
67. 1.0 Purpose
This policy establishes information security requirements for
<Company Name> labs to ensure that <Company Name>
confidential information and technologies are not compromised,
and that production services and other <Company Name>
interests are protected from lab activities.
2.0 Scope
This policy applies to all internally connected labs, <Company
Name> employees and third parties who access <Company
Name>'s labs. All existing and future equipment, which fall
under the scope of this policy, must be configured according to
the referenced documents. DMZ Labs and stand-alone, air-
gapped labs are exempt from this policy. DMZ labs must
comply with the DMZ Lab Security Policy.
3.0 Policy
3.1 Ownership Responsibilities
1. Lab owning organizations are responsible for assigning lab
managers, a point of contact (POC), and a back-up POC for
each lab. Lab owners must maintain up-to-date POC information
with InfoSec and the Corporate Enterprise Management Team.
Lab managers or their backup must be available around-the-
clock for emergencies, otherwise actions will be taken without
their involvement.
2. Lab managers are responsible for the security of their labs
and the lab's impact on the corporate production network and
any other networks. Lab managers are responsible for adherence
to this policy and associated processes. Where policies and
procedures are undefined lab managers must do their best to
68. safeguard <Company Name> from security vulnerabilities.
3. Lab managers are responsible for the lab's compliance with
all <Company Name> security policies. The following are
particularly important: Password Policy for networking devices
and hosts, Wireless Security Policy, Anti-Virus Policy, and
physical security.
4. The Lab Manager is responsible for controlling lab access.
Access to any given lab will only be granted by the lab manager
or designee, to those individuals with an immediate business
need within the lab, either short-term or as defined by their
ongoing job function. This includes continually monitoring the
access list to ensure that those who no longer require access to
the lab have their access terminated.
5. The Network Support Organization must maintain a firewall
device between the corporate production network and all lab
equipment.
6. The Network Support Organization and/or InfoSec reserve
the right to interrupt lab connections that impact the corporate
production network negatively or pose a security risk.
7. The Network Support Organization must record all lab IP
addresses, which are routed within <Company Name> networks,
in Enterprise Address Management database along with current
contact information for that lab.
8. Any lab that wants to add an external connection must
provide a diagram and documentation to InfoSec with business
justification, the equipment, and the IP address space
information. InfoSec will review for security concerns and must
approve before such connections are implemented.
9. All user passwords must comply with <Company Name>'s
69. Password Policy. In addition, individual user accounts on any
lab device must be deleted when no longer authorized within
three (3) days. Group account passwords on lab computers
(Unix, windows, etc) must be changed quarterly (once every 3
months). For any lab device that contains <Company Name>
proprietary information, group account passwords must be
changed within three (3) days following a change in group
membership.
10. No lab shall provide production services. Production
services are defined as ongoing and shared business critical
services that generate revenue streams or provide customer
capabilities. These should be managed by a <proper support>
organization.
11. InfoSec will address non-compliance waiver requests on a
case-by-case basis and approve waivers if justified.
3.2 General Configuration Requirements
1. All traffic between the corporate production and the lab
network must go through a Network Support Organization
maintained firewall. Lab network devices (including wireless)
must not cross-connect the lab and production networks.
2. Original firewall configurations and any changes thereto must
be reviewed and approved by InfoSec. InfoSec may require
security improvements as needed.
3. Labs are prohibited from engaging in port scanning, network
auto-discovery, traffic spamming/flooding, and other similar
activities that negatively impact the corporate network and/or
non-<Company Name> networks. These activities must be
restricted within the lab.
4. Traffic between production networks and lab networks, as
70. well as traffic between separate lab networks, is permitted
based on business needs and as long as the traffic does not
negatively impact on other networks. Labs must not advertise
network services that may compromise production network
services or put lab confidential information at risk.
5. InfoSec reserves the right to audit all lab-related data and
administration processes at any time, including but not limited
to, inbound and outbound packets, firewalls and network
peripherals.
6. Lab owned gateway devices are required to comply with all
<Company Name> product security advisories and must
authenticate against the Corporate Authentication servers.
7. The enable password for all lab owned gateway devices must
be different from all other equipment passwords in the lab. The
password must be in accordance with <Company Name>'s
Password Policy. The password will only be provided to those
who are authorized to administer the lab network.
8. In labs where non-<Company Name> personnel have physical
access (e.g., training labs), direct connectivity to the corporate
production network is not allowed. Additionally, no <Company
Name> confidential information can reside on any computer
equipment in these labs. Connectivity for authorized personnel
from these labs can be allowed to the corporate production
network only if authenticated against the Corporate
Authentication servers, temporary access lists (lock and key),
SSH, client VPNs, or similar technology approved by InfoSec.
9. Infrastructure devices (e.g. IP Phones) needing corporate
network connectivity must adhere to the Open Areas Policy.
10. All lab external connection requests must be reviewed and
approved by InfoSec. Analog or ISDN lines must be configured
71. to only accept trusted call numbers. Strong passwords must be
used for authentication.
11. All labs networks with external connections must not be
connected to <Company Name> corporate production network
or any other internal network directly or via a wireless
connection, or via any other form of computing equipment. A
waiver from InfoSec is required where air-gapping is not
possible (e.g., Partner Connections to third party networks).
4.0 Enforcement
Any employee found to have violated this policy may be subject
to disciplinary action, up to and including termination of
employment.
5.0 Definitions
· Internal - A lab that is within <Company Name>'s corporate
firewall and connected to <Company Name>'s corporate
production network
· Network Support Organization - Any InfoSec approved
<Company Name> support organization that manages the
networking of non-lab networks.
· Lab Manager - The individual responsible for all lab activities
and personnel
· Lab - A Lab is any non-production environment, intended
specifically for developing, demonstrating, training and/or
testing of a product.
· External Connections (also known as DMZ ) - External
connections include (but not limited to) third-party data
network-to-network, analog and ISDN data lines, or any other
72. Telco data lines.
· Lab Owned Gateway Device - A lab owned gateway device is
the lab device that connects the lab network to the rest of
<Company Name> network. All traffic between the lab and the
corporate production network must pass through the lab owned
gateway device unless approved by InfoSec.
· Telco - A Telco is the equivalent to a service provider. Telcos
offer network connectivity, e.g., T1, T3, OC3, OC12 or DSL.
Telcos are sometimes referred to as "baby bells", although
Sprint and AT&T are also considered Telcos. Telco interfaces
include BRI, or Basic Rate Interface - a structure commonly
used for ISDN service, and PRI, Primary Rate Interface - a
structure for voice/dial-up service.
· Traffic - Mass volume of unauthorized and/or unsolicited
network Spamming/Flooding traffic.
· Firewall - A device that controls access between networks. It
can be a PIX, a router with access control lists or similar
security devices approved by InfoSec.
· Extranet - Connections between third parties that require
access to connections non-public <Company Name> resources,
as defined in InfoSec's Extranet policy (link).
· DMZ (De-Militarized Zone) - This describes network that
exists outside of primary corporate firewalls, but are still under
<Company Name> administrative control.
6.0 Revision History
Sample Security Policies/Internet_DMZ_Equipment_Policy.doc
Internet DMZ Equipment Policy
73. 1.0 Purpose
The purpose of this policy is to define standards to be met by
all equipment owned and/or operated by <Company Name>
located outside <Company Name>'s corporate Internet firewalls.
These standards are designed to minimize the potential exposure
to <Company Name> from the loss of sensitive or company
confidential data, intellectual property, damage to public image
etc., which may follow from unauthorized use of <Company
Name> resources.
Devices that are Internet facing and outside the <Company
Name> firewall are considered part of the "de-militarized zone"
(DMZ) and are subject to this policy. These devices (network
and host) are particularly vulnerable to attack from the Internet
since they reside outside the corporate firewalls.
The policy defines the following standards:
· Ownership responsibility
· Secure configuration requirements
· Operational requirements
· Change control requirement
2.0 Scope
All equipment or devices deployed in a DMZ owned and/or
operated by <Company Name> (including hosts, routers,
switches, etc.) and/or registered in any Domain Name System
(DNS) domain owned by <Company Name>, must follow this
policy.
74. This policy also covers any host device outsourced or hosted at
external/third-party service providers, if that equipment resides
in the "<Company Name>.com" domain or appears to be owned
by <Company Name>.
All new equipment which falls under the scope of this policy
must be configured according to the referenced configuration
documents, unless a waiver is obtained from InfoSec. All
existing and future equipment deployed on <Company Name>'s
un-trusted networks must comply with this policy.
3.0 Policy
3.1. Ownership and Responsibilities
Equipment and applications within the scope of this policy must
be administered by support groups approved by InfoSec for
DMZ system, application, and/or network management.
Support groups will be responsible for the following:
· Equipment must be documented in the corporate wide
enterprise management system. At a minimum, the following
information is required:
· Host contacts and location.
· Hardware and operating system/version.
· Main functions and applications.
· Password groups for privileged passwords.
· Network interfaces must have appropriate Domain Name
Server records (minimum of A and PTR records).
75. · Password groups must be maintained in accordance with the
corporate wide password management system/process.
· Immediate access to equipment and system logs must be
granted to members of InfoSec upon demand, per the Audit
Policy.
· Changes to existing equipment and deployment of new
equipment must follow and corporate governess or change
management processes/procedures.
To verify compliance with this policy, InfoSec will periodically
audit DMZ equipment per the Audit Policy.
3.2. General Configuration Policy
All equipment must comply with the following configuration
policy:
· Hardware, operating systems, services and applications must
be approved by InfoSec as part of the pre-deployment review
phase.
· Operating system configuration must be done according to the
secure host and router installation and configuration standards
[Insert a reference to any standards that you have]
· All patches/hot-fixes recommended by the equipment vendor
and InfoSec must be installed. This applies to all services
installed, even though those services may be temporarily or
permanently disabled. Administrative owner groups must have
processes in place to stay current on appropriate
patches/hotfixes.
· Services and applications not serving business requirements
must be disabled.