Information Security Policy

Information Security
Policy
III[Type text]
Page 0
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
Information Security Policy Manual
Programme
Audit findings
Sub-Prog /
Project
Document Record ID Key
MCLM-ISPM
Version Date
January 2014
Status
Pending Approval
Owner
CSS
Version
0.1
1
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
Amendment History:
Version Date
Amendment History
0.1
First draft for comment and review
15 March
2013
1.0
Reviewers:
This document must be reviewed by the following:
Name
Signature
Title / Responsibility
Date
Version
Director: Corporate
and Shared Services
Municipal Manager
Portfolio Head:
Corporate and Shared
Services (Section 80
Committee)
Approvals:
This document must be approved by the following:
Name
Signature
Title / Responsibility
Municipal Manager
Date
Version
Date
Version
Date
Version
Executive Mayor
Council Meeting
Owner:
This document must be owned by the following:
Name
Signature
Title / Responsibility
Director: Corporate and
Shared Services
Custodian:
This document must be in custody of:
Name
Signature
Title / Responsibility
ICT Manager
2
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
Distribution:
X- File
Intranet
Records
Location:
Merafong Local Municipality
Address: 3 Halite Street,
Postal Address: P.O Box 3,
Carletonville,
2499
Switchboard (018) 788 9500
Website: www.merafong.gov.za
3
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
Contents
1.
1.
Information Security Policy Manual ...................................................................6
1.
Purpose ............................................................................................................6
Any employee found to have violated this policy may be subject to disciplinary action.14
4. REMOTE ACCESS POLICY .......................................................................................... 15
5. INTERNET CONNECTION POLICY ........................................................................... 17
1. Overview
5.
17
APPROVED APPLICATION POLICY ...................................................................... 19
7. COMPUTER TRAINING POLICY ................................................................................ 19
9. ANTI-VIRUS POLICY 24
10. System Update Policy 26
10. USER PRIVILEGE POLICY ...................................................................................... 29
Appendix A - Services Recommended for Shutdown
33
14. SERVER MONITORING POLICY .............................................................................. 35
15. NETWORK DOCUMENTATION POLICY ................................................................ 36
16. SERVER DOCUMENTATION POLICY ..................................................................... 38
17. NETWORK SCANNING POLICY ............................................................................... 40
4.
Policy
4.1.
43
Preamble ....................................................................................................43
4.1.2. Operational Procedures
43
4.1.3. Documented Change
44
4.1.4. Risk Management
44
4.1.5. Change Classification
44
4.1.6. Testing
45
4.1.7. Changes shall be tested in an isolated, controlled, and representative
environment (where such an environment is feasible) prior to implementation to
minimise the effect on the relevant business process, to assess its impact on
operations and security and to verify that only intended and approved changes
were made.
45
4.1.8. Changes affecting SLA„s
45
4.1.9. Version control
45
4.1.10.
Approval
45
4.1.11.
Communicating changes
45
4.1.12.
Implementation
45
4
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
4.1.12.1
Implementation will only be undertaken after appropriate testing and
approval by stakeholders. All major changes shall be treated as new system
implementation and shall be established as a project. Major changes will be
classified according to effort required to develop and implement said changes. 45
4.1.13.
Fall back
45
4.1.14.
Documentation
46
4.1.15.
Business Continuity Plans (BCP)
46
4.1.16.
Emergency Changes
46
4.1.17.
Change Monitoring
46
5.
Compliance
46
6.
IT Governance Value statement .................................................................................. 46
7.
Policy Access Considerations ....................................................................................... 47
19. INCIDENT RESPONSE POLICY ................................................................................ 47
20. NETWORK RISK EVALUATION ............................................................................... 50
5
MCLM-ISPM: Adobted by Council:
1.
Item 9/2014
MCLM Council meeting of 27 March 2014
Information Security Policy Manual
Note: “Merafong” here is referred to Merafong City Local Municipality.
1. Purpose
1.1 Introduction and objectives
1.1.1 Through a comprehensive suite of information security control objectives and
supporting policy statements, this Information Security Policy Manual interprets
ISO/IEC 27002, the international standard code of practice for information security
management, in the context of Merafong. Its purpose is to communicate
management directives and standards of care to ensure consistent and appropriate
protection of information assets throughout Merafong. It is a key part of the
Information Security Management System as specified in ISO/IEC 27001.
1.2 Status and applicability
1.2.1.1 This manual will be reviewed by the Executive Directors (Exco), Councillors
and various other managers, and approved by the Council.
This policy manual is applicable:




Throughout Merafong City Local Municipality including any subsidiaries and
joint ventures in which Merafong has a controlling interest;
At all Merafong locations;
To all Merafong Municipality‟s employees and others working on behalf of
Municipality in a similar capacity including contractors, consultants, temporary
workers, student placements etc. (known collectively throughout t as
“workers”);
To all information/data, information processing/computer systems and
networks (collectively known as “information assets”) owned by Merafong
Municipality or those entrusted to Merafong by third parties.
1.2.1.3
1.2.1.4
Merafong Information Security Policy Manual.
The policy statements in this manual are supported by a range of
security controls documented within operating procedures, technical
controls embedded in information systems and other controls advised
to workers from time to time by management through information
security or indeed other standards, procedures and guidelines. The
supporting controls gain authority from the policy statements included in
this manual which in turn supports the information security principles
and axioms mandated by the Information Security Policy.
6
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
1.3 Intended audience
1.3.1.1 This policy manual is primarily intended for use by:
1.3.1.2 All workers meaning both Merafong employees (including
Directors,
Councillors
managers, staff, temporary employees such as student
placements) plus third
party employees (such as consultants, contractors,
support/maintenance staff)
working for Merafong Municipality . Users
will be informed of their specific security responsibilities through the terms
and conditions or contracts of
employment, security-related procedures
and guidelines, and a range of security awareness and training activities.
2. Policy Management
Policy Management refers to the practices and methods used to create and maintain
security policies to translate, clarify, and communicate management‟s position on
high-level security principles. Policy management includes development,
deployment, communication, updating, and enforcement of Merafong Municipality‟s
security policies. This policy will be independent of specific hardware and software
decisions to adapt to changes in Merafong„s business environment.
To be practical and effective, specific policies must be applied to Merafong
environmental and operational business and supported through standards,
guidelines, processes, and procedures. A policy framework must include:
High-Level
Merafong Policy
Standards, Guidelines, Processes and
Procedures that Support the Policy
Asset Protection
Data classification, access control, personnel practices,
change management, network security and disaster
recovery
Vulnerability
Change management, wireless, vulnerability testing,
application development
Threats
Incident management, penetration testing, audits,
firewalls, malware prevention
Awareness
User education, IT education, annual certification,
administrative rules
Appropriate Use
Education, Web filtering, content filtering, peer-to-peer,
resource use for personal purposes (i.e., instant
messaging, email, remote access, Internet, etc.)
Best Practices
•Merafong City Local Municipality will develop a formal approval
process and identify individuals and roles for approval of new policies
and changes to existing ones.
7
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
• Clearly identify security policy-related processes, including what
activities are to be performed, their frequency, and the position that is
responsible to perform the process.
• Ensure policies, standards, and guidelines address legislative,
regulatory, and contractual requirements.
• Establish policies and standards that clearly identify what can and
cannot be performed, stored, accessed and used through the
Merafong computing resources (e.g., acceptable use policy, peer-topeer policy, Internet use policy).
• Review policies periodically or when there have been changes in
internal processes, laws or regulations, standards, or any changes to
related policies, including the implementation of news systems or
applications.
• Once security policies and procedures have been established,
disseminate to all appropriate users, staff, management, and third
party providers.
• Enforce policies through automated means where technically
feasible.
• Obtain and maintain an established record of acknowledgement that
all appropriate users, staff, management, and third party providers
have read the policies and understand the consequences of noncompliance with the policies.
INFORMATION SECURITY POLICY STATEMENT
Merafong City Local Municipality
PURPOSE
The purpose of this Information Security Policy Statement is to comply and set
guidance to Minimum Information Security Standards.
OBJECTIVE
The objective of information security is to ensure business continuity of Merafong
Municipality and to minimize the risk of damage by preventing security incidents and
reducing their potential impact.
POLICY

The policy‟s goal is to protect the Merafong Municipality‟s assets against all
internal, external, deliberate or accidental threats.

The security ensures that:
 Information will be protected against any unauthorized access;
8
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014












Confidentiality of information will be assured;
Integrity of information will be maintained;
Availability of in information for business processes will be maintained;
Legislative and regulatory requirements will be met;
Business continuity plans will be developed ;maintained and tested;
Information security training will be available for all employees
All actual or suspected information security breaches will be
reported to the ICT manager and will be thoroughly investigated.
Procedures exist to support the policy, including virus control measures,
passwords and continuity plans.
Business requirements to availability of information and systems will be met.
The ICT manager is responsible for maintaining the policy and providing
support and advice during the implementation.
All Executive Directors and Managers are directly responsible for
implementing the policy and ensuring staff compliance in their respective
departments and sections.
Compliance with the information Security Policy is mandatory.
Signature
Date
Title
The policy will be submitted for review to Council on a 3 year cycle
9
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
1. PASSWORD POLICY
1. Overview
All employees and personnel that have access to Merafong Municipality computer
systems must adhere to the password policies defined below in order to protect the
security of the network, protect data integrity, and protect computer systems.
2. Purpose
The policy is designed to protect Merafong resources on the network by requiring
strong passwords along with protection of these passwords, and establishing a
minimum time between changes to passwords.
3. Scope
The policy applies to any and all personnel who have any form of computer account
requiring a password on Merafong network including but not limited to a domain
account and e-mail account.
4. Password Protection
1.
2.
3.
4.
5.
6.
7.
8.
Never write passwords down.
Never send a password through email.
Never include a password in a non-encrypted stored document.
Never tell anyone your password.
Never reveal your password over the telephone.
Never hint at the format of your password.
Never reveal or hint at your password on a form on the internet.
Never use the "Remember Password" feature of application programs such
as Internet Explorer, your email program, or any other program.
9. Report any suspicion of your password being broken to your to computer to
technician/helpdesk.
10.
If anyone asks for your password, refer them to your ICT computer
technician/helpdesk.
11.
Don't use common acronyms as part of your password.
12.
Don't use common words or reverse spelling of words in part of your
password.
13.
Don't use names of people or places as part of your password.
14.
Don't use part of your login name in your password.
15.
Don't use parts of numbers easily remembered such as phone
numbers, ID numbers, or street addresses.
16.
Be careful about letting someone see you type your password.
5. PASSWORD REQUIREMENTS
Those setting password requirements must remember that making the password
rules too difficult may actually decrease security if users decide the rules are
impossible or too difficult to meet. If passwords are changed too often, users may
tend to write them down or make their password a variant of an old password which
an attacker with the old password could guess. The following password requirements
will be set by the ICT section:
10
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
1. Minimum Length - 6 characters recommended
2. Maximum Length - 10 characters
3. Minimum complexity - Passwords should use three of four of the following
four types of characters:
a. Lowercase
b. Uppercase
c. Numbers
d. Special characters such as [email protected]#$%^&*(){}[]
4. Passwords are case sensitive and the user name or login ID is not case
sensitive.
5. Password history - Require a number of unique passwords before an old
password may be reused. This number should be no less than 24 months.
6. Maximum password age - 30 day
7. Account lockout threshold - 3 failed login attempts
8. Reset account lockout after - The time it takes between bad login attempts
before the count of bad login attempts is cleared. The recommended value
is 20 minutes. This means if there are three bad attempts in 20 minutes, the
account would be locked.
9. Password protected screen savers should be enabled and should protect
the computer within 5 minutes of user inactivity. Computers should not be
unattended with the user logged on and no password protected screen
saver active. Users should be in the habit of not leaving their computers
unlocked. They can press the CTRL-ALT-DEL keys and select "Lock
Computer".
6. Enforcement
Since password security is critical to the security of Merafong City Local Municipality
and everyone, employees that do not adhere to this policy may be subject to
disciplinary action.
7. Other Considerations
Administrator passwords should be protected very carefully. Administrator accounts
should have the minimum access to perform their function. Administrator accounts
should not be shared.
2. EMPLOYEE FRONT DESK COMMUNICATION & AWARENESS POLICY
1. Overview
1.1 The Social Engineering Awareness Policy is a collection of policies and
guidelines for employees of Merafong City Local Municipality. The Employer
Front Desk Communication Policy is the Social Engineering Awareness
Policy.
1.2 In order to protect the Merafong assets, all employees need to defend the
integrity and confidentiality of Merafong Municipality‟s resources.
11
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
2. Purpose
The policy has two purposes:
2.1 To make employees aware that (a) fraudulent social engineering attacks occur,
and (b) there are procedures that employees can use to detect attacks.
2.1.1 Employees are made aware of techniques used for such attacks, and they
are given standard procedures to respond to attacks.
2.1.2 Employees know who to contact in these circumstances.
2.1.3 Employees recognize they are an important part of Merafong Municipality‟s
security. The integrity of an employee is the best line of defense for
protecting sensitive information regarding Merafong Municipality‟s
resources.
2.2 To create specific procedures for employees to follow to help them make the best
choice when:
2.2.1 Someone is contacting the employee - via phone, in person, email, fax or
online - and elusively trying to collect Merafong Municipality‟s sensitive
information.
2.2.2 The employee is being “socially pressured” or “socially encouraged or
tricked” into sharing sensitive data.
3. Scope
All employees of Merafong Municipality, including temporary contractors or part-time
employees participating with help desk customer service.
4. Policy
4.1 Sensitive information of Merafong City Local Municipality will not be shared
with an unauthorized individual if he/she uses words and/ or techniques
such as the following:
a.1.1 An “urgent matter”
a.1.2 A “computer virus Emergency”
a.1.3 Any form of intimidation from “higher level management”
4.1.4
Any “name dropping” by the individual which gives the appearance that
it is coming from legitimate and authorized personnel.
4.1.5
The requester requires release of information that will reveal
passwords, model, serial number, or brand or quantity of Merafong
resources.
4.1.6 The techniques are used by an unknown (not promptly verifiable)
individual via phone, email, online, fax, or in person.
4.1.7 The techniques are used by a person that declares to be "affiliated"
with Merafong Municipality such as a sub-contractor.
12
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
4.1.8 The techniques are used by an individual that says he/she is a reporter for
a well-known press editor or TV or radio company.
4.1.9 The requester is using ego and vanity seducing methods, for example,
rewarding the front desk employee with compliments about his/her
intelligence, capabilities, or making inappropriate greetings (coming from a
stranger).
5. Action
All persons described in 3.0 MUST attend the security awareness training within six
months from the date of employment.
5.1.0 All persons described in section 3.0 MUST attend the security
awareness training within 6 from the date of employment.
5.1.1 If one or more circumstances described in 4.0 is detected by a person
described in 3.0, then the identity of the requester MUST be verified
before continuing the conversation or replying to email, fax, or online.
5.1.2
If the identity of the requester described in 5.1.1 CANNOT be promptly
verified, the person MUST immediately contact his/her supervisor or
direct manager.
5.1.3
If the supervisor or manager is not available, that person MUST
inform the Executive director.
5.1.4. If the director is not available, the person described in section 3.0
MUST immediately drop the conversation, email, online chat with the
requester, and report the episode to his/her supervisor before the end
of the business day.
6. Enforcement
6.1.0 All persons described in section 3.0 who (a) successfully detect
circumstances set forth in section 4.0 and (b) correctly complete an action
described in section 5.0 are entitled to be complemented and encouraged
by the management.
6.1.1 All persons described in section 3.0 who violate this policy must be
subjected to disciplinary action.
3. CLEAN DESK POLICY
1. Overview
1. The purpose for this policy is to establish a culture of security and
trust for all employees at Merafong City Local Municipality. An
effective clean desk effort involving the participation and support of
all Merafong Municipality employees can greatly protect paper
documents that contain sensitive information about our clients,
customers and vendors. All employees should familiarize
themselves with the guidelines of this policy.
13
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
2. Purpose
1. The main reasons for a clean desk policy are:
1. A clean desk can produce a positive image when our
customers visit the Merafong City Local Municipality.
2. It reduces the threat of a security incident as confidential
information will be locked away when unattended.
3. Sensitive documents left in the open can be stolen by a
malicious entity.
3. Responsibility
1. All staff, employees and entities working on behalf of Merafong City
Local Municipality are subject to this policy
4. Scope
1. At known extended periods away from your desk, such as a lunch
break, sensitive working papers are expected to be placed in locked
drawers.
2. At the end of the working day the employee is expected to tidy their
desk and to put away all office papers.
5. Action
1.
2.
3.
4.
5.
6.
7.
8.
Allocate time in your calendar to clear away your paperwork.
Always clear your workspace before leaving for longer periods of
time.
If in doubt - throw it out. If you are unsure of whether a duplicate
piece of sensitive documentation should be kept - it will probably be
better to destroy it.
Consider scanning paper items and filing them electronically in your
workstation.
Use the recycling bins for sensitive documents when they are no
longer needed.
Lock your desk and filing cabinets at the end of the day
Lock away portable computing devices such as laptops or PDA
devices
Treat mass storage devices such as External Hard drive, CDROM,
DVD or USB drives as sensitive and secure them in a locked
drawer
6. Enforcement
1. Any employee found to have violated this policy may be subject to
disciplinary action.
14
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
4. REMOTE ACCESS POLICY
1. Overview
This remote access policy defines standards for connecting to Merafong Municipality
network and security standards for computers that are allowed to connect to the
Merafong network.
This remote access policy specifies how remote users can connect to the main
Merafong network and the requirements for each of their systems before they are
allowed to connect. This will specify:
1. The anti-virus program remote users must use and how often it must be
updated.
2. What personal firewalls they are required to run.
3. Other protection against spyware or other malware.
The remote access policy defines the methods users can use to connect remotely
such as dial up or VPN. It will specify how the dial up will work such as whether the
system will call the remote user back, and the authentication method. If using VPN,
the VPN protocols used will be defined. Methods to deal with attacks should be
considered in the design of the VPN system.
2.
Purpose
The remote access policy is designed to prevent damage to the Merafong network or
computer systems and to prevent compromise or loss of data.
3.
Approval
Any remote access using either dial-in, VPN, or any other remote access to Merafong
network must be reviewed and approved by the appropriate supervisor. All
employees by default will have account settings set to deny remote access. Only
upon approval will the account settings be changed to allow remote access.
4. Remote Computer Requirements
1. The anti-virus product is required to be operating on the computer at all times
in real time protection mode.
1. The anti-virus product shall be operated in real time on the computer.
The product shall be configured for real time protection.
2. The anti-virus library definitions shall be updated at least once per day.
3. Anti-virus scans shall be done a minimum of once per week.
No one should be able to stop anti-virus definition updates and anti-virus
scans except for domain administrators.
2. The computer must be protected by a firewall at all times when it is connected
to the internet.
15
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
5. Remote Connection Requirements
The remote user shall use either dial-In or virtual private networking (VPN). Dial-In is
typically used when the user in a local calling area. VPN is typically used when the
user would need to dial a long distance number to connect with a dial-in connection.
VPN uses a local connection to an internet service provider (ISP) and creates a
tunnel through the local ISP connection to Merafong network.
5.1 Dial-In Requirements
1. Number check - The dial in settings shall be set to perform one or the other of:
a. Verify Caller ID to a specific number - Use this option if caller ID is
available
b. Always call back to a specific number - If the user must connect from a
location other than their designated location such as their home, they
should use VPN.
2. Client Check - A requirement that must be set for Dial-In clients is that a
firewall must be installed and operational. If the Dial-In client does not meet
the criteria, either the connection is not allowed or the client can only access a
limited area where they can get the software needed to meet the requirement.
3. Authentication - For authentication of the user, the dial in connection shall use
one of the appropriate programs.
4. Connection Encryption - This requirement will depend on the data you expect
the remote user to be transmitting over the dial-in connection.
5.2
VPN Requirements
1. Client Check - A requirement that must be set for VPN clients is that a firewall
must be installed and operational. Also Anti-virus software must be installed
and operational. If the VPN client does not meet the criteria, either the
connection is not allowed or the client can only access a limited area where
they can get the software needed to meet the requirement.
2. The connection choices are PPTP, L2TP, IPSec, and SSL. The connection
shall use IPSec which encrypts the data sent through the connection.
Authentication - For authentication of the user, the dial in connection shall use
Internet Key Exchange (IKE) with digital certificates. The other choice is Internet Key
Exchange (IKE) with a pre-shared key.
16
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
5. INTERNET CONNECTION POLICY
1. Overview
The internet connection policy has components of a user compliance policy and an
internal IT policy. The user compliance section specifies how users are allowed to
connect to the internet and provides for ICT section approval of all connections to the
internet or other private network. It requires all connections such as connections by
modems or wireless media to a private network or the internet be approved by the
ICT section and what is typically required for approval such as the operation of a
firewall to protect the connection. The internet connection policy requires users to use
the internet for business only and requires users to malicious web sites which could
compromise security.
2 Physical Internet Connection
avoid going to malicious web sites which could compromise security. It informs the
users that their internet activity may be logged and monitored and defines whether
user activity on the network will be logged and to what extent. The system will be
used to prevent unauthorized viewing of sites and what system will log internet usage
activity. A proxy server will be used for user internet access. The network will be
protected to prevent users from going to malicious web sites.
3. Purpose
The policy is designed to protect Merafong resources against intrusion by malware
that may be brought into the network by users as they use the internet. It is also
designed to prevent unauthorized and unprotected connections to the internet which
may allow a host of unsafe content to enter the Merafong network and compromise
data integrity and system security across the entire network.
All physical internet connections or connections to other private networks shall be
authorized and approved by the ICT section. Most users will access the internet
through the connection provided for their office by the ICT section. Any additional
connections must be approved by the ICT section. These additional connections
include but are not limited to:
1. Modem connection from a computer or communication device which may
allow a connection to the network.
2. Any multipurpose printing and FAX machines which have both a phone and
network connection must be examined and approved for use by the ICT
section.
3. Wireless access points or devices with wireless capability are not allowed
unless approved by the ICT section. If any computers or other devices have
wireless capability, the wireless capability must be turned off before connecting
to the network unless it is approved for wireless operation by the ICT section
17
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
when connected to the network.
Any additional internet connections not provided by the ICT section must be reviewed
and approved by the ICT section. Typically any additional connections from the
Merafong network to the internet or other private network will be required.
a. An ICT section approved firewall operating at all times and properly
configured.
b. Some communications through the connection may require encryption subject
to a review of data to be transmitted by the IT department.
4. Use of the Internet
1. All employee use of the internet shall be for business purposes only.
2. Employee use of the internet may be monitored and logged including all sites
visited, the duration of the visits, amount of data downloaded, and types of
data downloaded. The time of recorded activity may also be logged.
3. Employees are urged to use caution when visiting unknown internet sites and
through user training set and keep their browser configured to IT approved
standards in order to protect against infections of malware. Employees will be
trained in the latest IT approved standards to protect against malware when
appropriate.
5. Internet Control and Logging System
A system will be required to operate on the network with the following capabilities:
1. The ability to prevent users from visiting inappropriate, pornographic, or
dangerous web sites. It will have its database of categorized websites updated
regularly.
2. The ability to log user internet activity including:
1. Time of the internet activity.
2. Duration of the activity.
3. The website visited.
4. Data and type of data downloaded
5. Whether the system will cache web pages to increase the internet
connection speed. This requires a proxy server.
3. The system requires a login ID or it will use the current network login to identify
users.
6. Enforcement
Since improper use of mobile computers can bring in hostile software which may
destroy the integrity of network resources and systems and the prevention of
these events is critical to the security of the Merafong and all individuals,
employees that do not adhere to this policy may be subject to disciplinary.
18
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
5. APPROVED APPLICATION POLICY
1. Overview
All employees and personnel that have access to Merafong computer systems must
adhere to the approved application policy in order to protect the security of the
network, protect data integrity, and protect computer systems.
2. Purpose
This policy is designed to protect the Merafong resources on the network by requiring
all network users to only run or install application programs deemed safe by the ICT
section.
3. Approved Applications
All employees may operate programs on the IT approved application list. If an
employee wants to use an application not on the list, they should submit the
application program to the IT section for approval prior to using the program on a
system connected to the Merafong network.
If the employee causes a security problem on the network by installing and running
an unapproved program they risk disciplinary action.
4. Exceptions
Special exception may be made to this policy for specific employees depending on
the required job function and the skills of the employee. Some reasons for exception
include:
1. The employee may be the person who needs to test new applications on a test
network, then on the main network.
7. COMPUTER TRAINING POLICY
1. Overview
This policy defines the minimum training for users on the network to make them aware of
basic computer threats to protect both themselves and the network. This policy
especially applies to employees with access to sensitive or regulated data.
2. Purpose
This policy is designed to protect the Merafong resources on the network and increase
19
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
employee efficiency by establishing a policy for user training. When users are trained
about computer use and security threats, they work more efficiently and are better able
to protect Merafong resources from unauthorized intrusion or data compromise. This
policy will help prevent the loss of data and Merafong assets.
3. Training Categories
Training categories will include but not be limited to the following areas:
 Basics:
1. What files are
2. How to set view for details and show extensions for known file types
3. Why not seeing file extensions is a security hazard to you
4. File storage size - how to determine
5. Mail attachments
6. Where to store files
 How to use your network drive
 What your network drive is and what it means to you
7. How to copy files
8. Ways to increase efficiency on the computer such as keyboard shortcuts
 Ways to get malware:
1. Through email
2. Through browser
3. By connecting
4. By installing unapproved programs
 Email viruses:
1. How they spread
2. Spoofing sender
3. Dangerous attachments
 Email SPAM
1. Protect your email address
2. Filtering spam
 Hoaxes:
1. Phishing
2. Fraud methods
 Email use
1. How to set up email for remote users or with your ISP with POP3
2. How to set up out of office reply
3. How to set mail filtering rules
4. How to use, import, and export personal folders
5. What an undeliverable response to an email message means
 Use of web browser
1. Safe browser?
2. Avoid adware and spyware - ignore ads that may compromise your
computer or get you to install an illicit program
3. How to change browser settings for better security
4. Products to prevent malware.
 Passwords
1. Why protect my password?
20
MCLM-ISPM: Adobted by Council:
2.
3.
4.
5.
 Other
1.
2.
3.
4.
5.
Item 9/2014
MCLM Council meeting of 27 March 2014
Why do I need to change my password every 30 days
How to change your password
How to choose strong passwords that you can remember
If I log in on a website can someone see my password?
Reasons for firewall -- worms and others
Why worry about malware?
What is a vulnerability?
Why not run all services?
Social engineering
2. The employee may be a developer that must run applications developed by
themselves in order to test their own work.
3. Network administrator may be allowed the ability to operate and test new
software.
5. Enforcement
Running safe programs is critical to the security of the Merafong, employees that do
not adhere to this policy may be subject to disciplinary action.
4. Training Opportunities
Basic training as listed in section 3.0 shall be provided internally by the Merafong and
shall include the following opportunities:
1. Scheduled training seminars for 1 to 4 hours per day.
2. training for up to 1 hour per day on one or two days per week.
5. Requirements
All Merafong staff shall make measurable and continuous progress in the training
areas listed in bullet 3. Each employee manager shall be responsible for ensuring
that employees under their supervision make progress in the required training areas.
Each employee must retain knowledge about training in areas listed in bullet 3 within
the first year of employment.
6. Enforcement
Since training is very important to the security of the Merafong, auditing shall be used
as a mechanism to be sure the training policy is being followed. Auditors may test
employees at random about their knowledge in the areas listed in section 3.
21
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
8. WIRELESS USE POLICY
1. Overview
The wireless use policy defines the use of wireless devices in the Merafong and
specifies how wireless devices shall be configured when used.
2. Purpose
The policy is designed to protect the Merafong resources against intrusion by those
who would use wireless media to penetrate the network.
3. Scope
The policy applies to all wireless devices in use by the Merafong or those who
connect through a wireless device to any Merafong network.
4. Risk Assessment
The use of wireless technology has historically been a serious security risk to
Merafong. This is because it can be an easy access point to gain access to
Merafong network. In addition data sent across it may be readable sometimes even
when it is encrypted due to some of the vulnerabilities of the encryption schemes
used. Therefore this policy requires a risk assessment any time a new type of
wireless device is added to the network. Several items must be assessed including:
1. Is this a new technology?
2. Does this device use encryption and if so how well tested is the encryption
protocol?
3. What is the cost of implementing a secure encryption protocol?
4. Has this type of device been used on our network before?
5. Can this device be configured to only allow authorized users to access it or the
network through it?
6. How easy will it be for an attacker to fool this device into allowing unauthorized
access? What methods may be used?
7. What secure authentication schemes are available and what cost or overhead
is associated with their implementation and maintenance?
8. How practical is wireless use considering the cost, potential loss, and added
convenience?
4.1
Authentication
The authentication mechanisms of all approved wireless devices to be used must be
examined closely. The authentication mechanism should be used to prevent
unauthorized entry into the network. One authentication method shall be chosen. The
following must be considered.
1. How secure is the authentication mechanism to be used?
2. How expensive is the authentication mechanism to be used?
22
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
a.2 Encryption
Encryption mechanisms of all approved wireless devices to be used must be
examined closely. The encryption mechanism will be used to protect data from
being disclosed as it travels through the air. The following must be considered.
1. How secure is the encryption mechanism?
2. How sensitive is the data traveling through the wireless device?
3. How expensive is the encryption mechanism?
4.3 Configuration
The SSID of the wireless device shall be configured in such manner so it does not
contain or indicate any information about the Merafong, its departments, or its
personnel including Merafong name, department name, employee name, employee
phone number, email addresses, or product identifiers.
4.4 Access Points
All wireless access points and wireless devices connected to the Merafong network
must be registered and approved by the designated ICT section representative. All
wireless devices are subject to ICT section audits and penetration tests without
notice.
5. Authority
ICT manager shall have final authority over the management and security of wireless
devices and wireless networking. The ICT manager may delegate the responsibility
to the Network Administrator.
This policy requires that parts of the network containing and supporting wireless
devices directly (the wireless network) be separated from the part of the network that
does not support wireless connections. The part of the network supporting wireless
devices or connections shall be considered less trusted than the part of the network
that does not. All file servers and internal domain controlling servers shall be
separated from the wireless network using a firewall. One or more intrusion detection
devices shall monitor the wireless network for signs of intrusion and log events. The
type of logged events will be determined by the network administrator.
6. Allowable Wireless Use
1. Only wireless devices approved by make and model shall be used.
2. All wireless devices must be checked for proper configuration by the ICT
section prior to being placed into service.
3. All wireless devices in use must be checked monthly for configuration or setup
problems.
23
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
7. Enforcement
Since improper use of wireless technology and wireless communications can open
the network to additional sniffing and intrusion attacks, authorized and proper use of
wireless technology is critical to the security of the Merafong and all individuals.
Employees that do not adhere to this policy may be subject to disciplinary action.
9. ANTI-VIRUS POLICY
1. Overview
This policy is an internal IT policy which defines anti-virus policy on every computer
including how often a virus scan is done, how often updates are done, what programs
will be used to detect, prevent, and remove malware programs. It defines what types of
files attachments are blocked at the mail server and what anti-virus program will be run
on the mail server. It may specify whether an anti-spam firewall will be used to provide
additional protection to the mail server. It may also specify how files can enter the trusted
network and how these files will be checked for hostile or unwanted content. For
example it may specify that files sent to the enterprise from outside the trusted network
be scanned for viruses by a specific program.
2. Purpose
This policy is designed to protect the Merafong resources against intrusion by viruses
and other malware.
3. Anti-Virus Policy
Merafong will use a single anti-virus product for anti-virus protection. The following
minimum requirements shall remain in force.
1. The anti-virus product shall be operated in real time on all servers and client
computers. The product shall be configured for real time protection.
2. The anti-virus library definitions shall be updated at least once per day.
3. Anti-virus scans shall be done a minimum of once per week on all user controlled
workstations and servers.
No one should be able to stop anti-virus definition updates and anti-virus scans except
for domain administrators.
4.
Email Server Policy
The email server will have additional protection against malware since email with
malware must be prevented from entering the network.
24
MCLM-ISPM: Adobted by Council:
4.1
Item 9/2014
MCLM Council meeting of 27 March 2014
Email Malware Scanning
In addition to having the standard anti-virus program, the email server or proxy
server will additionally include extra programs which will be used to scan all email
for viruses and/or malware. This scanner will scan all email as it enters the server
and scan all email before it leaves the server. In addition, the scanner may scan
all stored email once per week for viruses or malware.
When a virus is found or malware is found, the policy shall be to delete the email
and not to notify either the sender or recipient. The reason for this is that most
viruses fake the sender of the email and sending them a notice that they sent a
message with a virus may alarm them unnecessarily since it would not likely be
true. It would simply cause an additional help desk call by the notified person and
most likely waste system administrator's time needlessly. Notifying the recipient
that someone tried to send them a virus would only alarm them needlessly and
result in an increased number of help desk calls.
4.2 Blocked Attachment Types
The email server or proxy server will block all emails with certain attachment types
When an email breaks the rules and contains an illegal file attachment the
following will be done:
b. the email will be deleted, sender and recipient notified
4.3
Proxy or anti-spam Server
To increase mail security, anti-spam server or proxy mail server will be added
to the network. This reduces the mail server to the threat of being intruded
upon and an anti-spam server can significantly reduce the load on the mail
server, not to mention the reduction of spam. Periodic updates should also be
defined.
5.
File Exchange Policy
This part of the policy specifies methods that are allowed to be used when files
are sent into the network by members of the public or employees of the
Merafong. It specifies:
1. All legitimate methods used including:
1. FTP transfer to a FTP server.
2. File transfer to a Web server with a legitimate file upload program.
3. Any other method.
2. The method and type of software to be used to scan the files for hostile
content before they are completely transferred into the network. It will also
specify the update frequency for the scanning software.
3. The point in time when the files will be scanned.
25
MCLM-ISPM: Adobted by Council:
6.
Item 9/2014
MCLM Council meeting of 27 March 2014
Network Exploit Protection
This part of the policy should specify how hostile software that uses network exploits
should be prevented. This policy will not cover system updates but may refer to the
system update policy. This policy combined with other quoted policies should prevent
worms from entering the network. This policy may also refer to the remote user policy
and mobile computer policy.
This policy will specify that all systems be protected by a firewall any time they are
connected to the internet. It would specify that systems on the Merafong network be
connected to a part of the network that is protected from the internet or untrusted
network by an approved firewall system. It will also specify or refer to policy that
requires computers operating outside the Merafong network to have a local firewall
software program operational at all times when these computers are connected to the
internet. It should specify one or more acceptable software firewall products. This
policy may refer to the mobile computer policy which may require users of mobile
computers to have their computers checked for malware before connecting to the
main network.
7.
Other Malware Policy
This policy should cover any other possible malware including adware and spyware.
It may specify methods to prevent and remove this type of malware. It may specify
acceptable prevention and removal software. If the anti-virus product is a product that
also handles other types of malware such as adware or spyware, it should be stated
here.
Applicable Training
1. Blocked email attachments
2. How viruses work and avoidance
Adware and spyware avoidance
10. System Update Policy
1. Overview
This policy is an internal IT policy which defines how often computer system updates
are done and under what conditions they are done.
2. Purpose
The policy is required to establish a minimum process for protecting the Merafong
computers on the network from security vulnerabilities. This policy shall determine
how updates are done for both servers and workstations, and who is responsible for
performing the updates along with specifying the tools used to perform system
updates.
26
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
3. Update Requirement Determination
This section defines methods used to determine what updates should be done and
when they should be applied.
3.1 Update Types
Several types of updates may be required on any computer and all the types
should be considered for the below listed computer system components. They
include:
1. The computer BIOS.
2. The operating system.
3. Application updates.
3.2 Update Checking
There are several methods to determine when updates should be performed.
1. Review of posted security flaws and patches for each type of update
applicable to the computer system.
2. An automatic scanning of the system to determine available updates not
yet applied to the system or application.
The review of posted security flaws and patches should always be used for the
computer operating system, BIOS, and applications. The manufacturer website
should be used and there may also be other appropriate sites posting relevant
bulletins. If automatic update ability is available, it should be compared to the
listing of posted updates to be sure it is accurate.
3.3 Update Vulnerability Types
The update considerations should address vulnerabilities caused by:
1. Code errors
Misconfigurations not covered by patches - An example would be a configuration
problem with a mail server allowing non authenticated users to relay email using
the mail server.
3.4
Update Information
Before approving updates, administrators should know:
1.
2.
3.
4.
5.
6.
The addressed vulnerability
What previous patches are required or what system update is required.
What programs are affected by the change
What may be broken by the change
How to undo the change.
It is recommended that new patches be tested in a controlled environment
that mimics the infrastructure of the production environment before
patches are applied. Backup must be taken before applying a patch. Each
27
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
server should have documentation including a list of applications running
on it and a patch history.
7. All patches approved for client computers or applied to client computers
should be documented.
3.5 Support Procedures
To support the update requirements definition and update, the following
documents should be created to provide a managed response for system
updates:
1. A procedure for identifying vulnerabilities, patches, and configuration
changes.
2. Procedures for determining how appropriate the patch or configuration
change is to each system.
3. Test procedures
4. Prioritization rules
5. Guidelines for implementing patches or configuration changes.
4. Server Updates
Server updates shall be done by the system administrator. Updates for servers shall
be checked no less than monthly to determine whether any new updates to any
computer system components are required. The system administrator shall
determine the following:
1. Whether the update applies to the computer system under consideration.
2. Whether the update is safe to apply or whether it make /break an application
or some other part of the operating system where functionality is required.
A test environment should be used to determine whether updates may break
functionality prior to implementation of production environments. The ability to
provide a test environment and thoroughness of determining whether any
functionality is broken by the update will vary from Merafong to Merafong depending
on available resources.
5.
Workstation Updates
Workstation updates may be done using any provided tools depending on the type of
workstations and their operating systems. In this policy workstation updates shall be
performed using Microsoft system update server. System update server will save a
great deal of time and expense since all systems may be updated from one server at
the same time. All workstations shall be Microsoft Windows 2008 Professional.
Merafong systems administrator shall review available updates weekly. Normally
updates shall be applied in the test environment two to three days before being
applied to the main Merafong.
28
MCLM-ISPM: Adobted by Council:
10.
1.
Item 9/2014
MCLM Council meeting of 27 March 2014
USER PRIVILEGE POLICY
Overview
The user privilege policy is an internal IT policy and defines the privileges various
users on the Merafong network are allowed to have, specifically defining what groups
of users have privileges to install computer programs on their own or other systems.
This policy defines the users who have access to and control of sensitive or
regulated data.
This policy defines internet access to specific sites for some users or other ways they
may or may not use their computer systems.
2. Purpose
The policy is designed to minimize risk to Merafong resources and data by
establishing the privileges of users of data and equipment on the network to the
minimum allowable while still allowing users to perform job functions without undue
inconvenience.
3. Local Computer Privileges
There are three main categories of users on a computer or network. These
categories include:
1. Restricted user - Can operate the computer and save documents but can't
save system settings.
2. Standard user (power user) - Can change many system settings and install
programs that don't affect Windows system files.
3. Administrators - Have complete access to read and write any data on the
system and add or remove any programs or change system settings. The
majority of users on most common networks should be restricted users on
their local computers. This is because many viruses and adware or spyware
may be installed in a subtle manner by tricking the user or the installation may
be completely transparent to the computer user. If the user does not have the
ability to install programs or change settings to a more vulnerable setting, most
of these potential security problems can be prevented.
Therefore only users that demonstrate a need and ability for power user or
administrator access on local machines shall be permitted to have this level of
access. Upon demonstration of a special need for additional access, the ICT
manager must approve the access before it can be made effective. Groups that may
be allowed this type of access include:
1. Domain Administrators
2. Help Desk personnel
3. Application developers (BIQ, MAXIMO,GIS and QPR) for testing purposes.
29
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
4. Network Privileges
Most network users will have access to the following types of network resources.
1. Email - Most users will have full access to their own email. They will not be
able to transfer ownership to someone else.
2. A personal network drive on a networked file server (Y- drive) - This is a folder
on a drive that only the primary user of this drive can read and write exclusive
of domain administrators. The user will not be able to transfer ownership to
someone else.
3. A shared group or Merafong division's drive (X-drive) - This is a folder that
members of specific groups or divisions in the Merafong may access. Access
may be read or write and may vary by Merafong requirements.
4. Access to databases - There may be additional databases that may be stored
on a shared drive or on some other resource. Most databases will have a
standard user level which gives users appropriate permissions to enter data
and see report information. However only the database administrators will
have full access to all resources on a database. Database administrator will
only have full access to the database that they administer.
Groups that may be allowed additional access include:
1. Backup operator - Allowed to read data on the domain for the purpose of
saving files to backup media. This group cannot write all data on the domain.
2. Account operator - Can manage and view information about user accounts on
the domain.
3. Server operator - Has full privileges on servers including reading and writing of
data, installing programs, and changing settings.
4. Domain administrator - Has full privileges on all computers in the domain
including servers and workstations. Privileges include reading and writing data,
installing programs, and changing settings.
5.
Enforcement
Since data security and integrity along with resource protection is critical to the
operation of the Merafong; employees that do not adhere to this policy may be
subject to disciplinary action.
Note:
Server operators (Technicians) will have full access on some servers but not others.
Help desk personnel (Help desk administrator) may have full access on some local
computers but not in all groups in Merafong.
30
MCLM-ISPM: Adobted by Council:
12.
Item 9/2014
MCLM Council meeting of 27 March 2014
APPLICATION IMPLEMENTATION POLICY
1. Overview
This policy is a policy to be used to assess the security impact of new applications.
When new applications are developed to provide new functionality to users or
internal groups, the impact of the new functionality must be assessed in order to keep
the network stable. Starting with a data assessment process will help this process
flow smoothly.
2. Purpose
This policy is designed to protect the Merafong resources on the network by defining
requirements for new applications in the Merafong. This policy requires a security
assessment including an assessment of data security levels, media the data will
travel over, a risk evaluation, and determination of system requirements which will
mitigate the most serious part of additional security risks.
3.
Process
Merafong ICT section shall work together with service providers to assess data
requirements for any new applications. Merafong shall specify their requirements for
the applications and application developers (service providers) will work with
Merafong Municipality to identify and categorize data according to the Application
Development Security Assessment Process.
Once the data and application requirements are established, ICT section can then
evaluate risk and determine methods, processes, equipment, and procedures to
mitigate known risks. The computer technicians, users, and service providers will
work together to provide required and reasonable access capability to systems and
data both during development and final project implementation while providing the
best computer security possible. Under no circumstances should the overall security
of the network be seriously compromised for the benefit of any project.
The data assessment, risk evaluation, and system requirements should be done
early in the project life cycle since without this information, the overall cost of the
project cannot be accurately assessed.
The security assessment shall be conducted according to the Security Assessment
Questionnaire and data shall be evaluated according to the Data Assessment
Process document.
31
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
13. SYSTEM LOCKDOWN POLICY
1. Overview
This system lockdown policy is an internal IT policy and defines a general process
that should be used to lock down servers and workstations.
2. Purpose
This policy is designed to minimize risk to Merafong resources and data by
establishing a process for increasing the security of servers and workstations by
stopping unneeded services and testing for vulnerabilities.
3. Server Lockdown and Hardening
describes a general process used to lock down servers. When they are initially
installed and configured. Types of servers or equipment that need hardening include
but are not limited to file sharing servers, email servers, Web servers, FTP servers,
DNS servers, DHCP servers, Database servers, Domain controllers, Directory
servers, Network devices such as firewalls, routers, and switches.
1. List services that will be required to run on the server. Examples include:
1. DNS
2. HTTP
3. SMTP
4. POP3
2. List services that are running on the server and turn off any that the
administrator is sure are not needed.
3. Do a port scan on the server - Use a security tool to test and determine any
ports that the server is responding to.
4. Shut down any services that are not on the required list of services for the
server. Especially remember to shut down services listed in Appendix A Services Recommended for Shutdown
5. Remove any unnecessary programs, services, and drivers from the server
especially those not loaded by default on the server.
6. Patch the server with the latest patches and patch all services running on the
server.
7. Disable or change the password of any default accounts on the server or
related to any operating services.
8. Be sure all passwords used to access the system or used by services on the
system meet minimum requirements including length and complexity
parameters.
9. Be sure all users and services have minimum required rights and do not have
rights to items not needed.
10.
Be sure file share and file permissions are as tight as possible.
11.
Perform a vulnerability assessment scan of the server.
12.
Patch or fix any vulnerability found.
13.
Where appropriate, install and run additional security programs such as:
32
MCLM-ISPM: Adobted by Council:
14.
15.
16.
17.
18.
19.
20.
21.
a.
b.
c.
d.
22.
Item 9/2014
MCLM Council meeting of 27 March 2014
Firewall
Intrusion detection software - Some approved host based intrusion
detection software is recommended to be run on all servers.
Change of system and system files detection
All this software should have the latest updates installed.
Set security parameters on all software such as where anti-virus
programs will scan, how often it will scan, and how often it will get virus
definition updates.
Enable audit logging to log any unauthorized access.
Perform another vulnerability assessment scan of the server, and fix
any discrepancies.
Take additional account management security measures including:
Disable the guest account
Rename default administrator accounts
Set accounts for minimum possible access
Be sure all accounts have passwords meeting minimum complexity and
length rules.
Test the server to be sure all desired services are operating properly.
5. Enforcement
Locking down servers is critical to the security of the Merafong and everyone;
this policy must be enforced by management through review and auditing.
Appendix A - Services Recommended for Shutdown
1. File and Printer Sharing for Microsoft Networks - Uninstallation of this service
is recommended. This service is not needed unless you want to share a printer
on your local computer or share folders on your local computer with other
computers.
2. Messenger - Disable this service in the Services applet of Administrative Tools.
This service has some serious security bugs and problems and has very little
use for managing the network.
3. Remote registry service - This service should be set to manual or disabled
since it allows people from remote locations to modify your registry. It is a
serious security risk and should only be run if required by network
administrators. Set this service to manual or disabled in the Services applet of
Administrative Tools.
4. Secondary Logon service - If it is not necessary for lower privileged users to
use the "Run As" command to run commands that only administrators or
power users can run, this service should be disabled.
5. Universal Plug and Play Device Host service - It broadcasts unnecessary
information about the computer running the service. It may be used by MSN
messenger. This service is a high security risk and should be disabled unless
dependent services are required.
6. Wireless Zero Configuration service - Used to support wireless connections. If
you are not using wireless, this should be disabled. This service is a high
security risk and should be disabled unless needed.
33
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
7. NetMeeting Remote Desktop sharing - A person on a remote computer can
access your desktop to help you. This service may be used by network
administrators to help users with tasks. Normally this service should be
disabled unless needed. Running this service is a moderate security risk.
9. Remote Desktop Help Session Manager service - A person on a remote
computer can access your desktop to help you. This service may be used by
network administrator to help users with tasks. Normally this service should be
disabled unless needed. Running this service is a moderate security risk.
10.
Network DDE Service - Provides network transport and security for
Dynamic Data Exchange (DDE) for programs running on the same
computer or on different computers. It allows two running programs to
share the same data on the same computer or on different computers.
Running this service is a moderate security risk. Normally this service
should be disabled unless needed.
11.
Network DDE DSDM Service - Manages DDE network shares. Running
this service is a moderate security risk. Normally this service should be
disabled unless needed.
12.
NT LM Security support provider - Used for backward compatibility with
older Microsoft operating systems. Running this service is a moderate
security risk. Normally this service should be disabled unless needed or
set to manual.
13.
SSDP Discovery service - Allows the computer to connect with
networked plug and play devices on the network. This service does not
support internal PnP devices. This service should be disabled unless
the computer needs to connect to external networked plug and play
devices.
14.
Telnet service - The telnet service allows a terminal connection to or
from a remote computer but sends passwords in the clear. Running this
service is a moderate security risk. Normally this service should be
disabled unless needed or set to manual.
15.
Terminal services - Allows a remote connection from a remote computer
usually used by network administrators to help users. Running this
service is a moderate security risk. Normally this service should be
disabled unless needed or set to manual. This service is commonly
used by system administrators to administer servers remotely.
16.
Alerter service - The alerter service allows system administrators to
send messages to selected users. This service should be disabled
unless specifically needed.
Types of servers that need hardening (This list is not inclusive of all devices that
should be hardened):
1.
2.
3.
4.
5.
6.
7.
File sharing
Email Servers
Web servers
FTP servers
DNS servers
DHCP servers
Database servers
34
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
8. Domain controllers
9. Directory servers
10.
VoIP servers and switches
11.
Network devices such as firewalls, routers, switches and VoIP
gateways
14. SERVER MONITORING POLICY
1. Overview
The server monitoring policy is an internal IT policy and defines the monitoring of
servers in the Merafong for both security and performance issues.
2. Purpose
The policy is designed both to protect the Merafong against loss of service by
providing minimum requirements for monitoring servers. It provides for monitoring
servers for file space and performance issues to prevent system failure or loss of
service.
3. Scope
The policy applies to all production servers and infrastructure support servers
including but not limited to the following types of servers:
1.
2.
3.
4.
5.
6.
7.
8.
File servers
Database servers
Mail servers
Web servers
Application servers
Domain controllers
FTP servers
DNS servers
4. Daily Checking
All servers shall be checked manually on a daily basis the following items shall be
checked and recorded:
1. The amount of free space on each drive shall be recorded in a server log.
2. The system log shall be checked and any major errors shall be checked and
recorded in the server log.
3. Services shall be checked to determine whether any services have failed.
4. The status of backup of files or system information for the server shall be
checked daily.
5. External Checks
Essential servers shall be checked using either a separate computer from the ones
being monitored or a server monitoring service. The external monitoring service shall
have the ability to notify multiple IP personnel when a service is found to have failed.
35
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
Servers to be monitored externally include:
1.
2.
3.
4.
5.
The mail server
The web server
External DNS servers
Externally used application servers.
Database or file servers supporting externally used application servers or web
servers.
15. NETWORK DOCUMENTATION POLICY
1. Overview
The network documentation policy is an internal ICT policy and defines the
requirements for network documentation referring to both data and voice in the
converged and native environment. This policy defines the level of network
documentation required such as documentation of which switch ports connect to
what rooms, computers and telephone handset. It defines who will have access to
read network documentation and who will have access to change it. It also defines
who will be notified when changes are made to the network.
2.
Purpose
The policy is designed to provide for network stability by ensuring that network
documentation is complete and current. This policy should complement disaster
management and recovery by ensuring that documentation is available in the event
that systems should need to be rebuilt. This policy will help reduce troubleshooting
time by ensuring that appropriate personnel are notified when changes are made to
the network.
3.
Documentation
The network structure and configuration shall be documented and provide the
following information:
1. IP addresses of all devices on the network with static IP addresses.
2. Server documentation on all servers as outlined in the "Server Documentation"
document.
3. Network drawings showing:
a. The locations and IP addresses of all hubs, switches, routers, and
firewalls on the network.
b. The various security zones on the network and devices that control
access between them.
c. The locations of every network drop and the associated switch and port
on the switch supplying that connection.
d. The interrelationship between all network devices showing lines running
between the network devices.
e. All subnets on the network and their relationships including the range of
IP addresses on all subnets and netmask information.
36
MCLM-ISPM: Adobted by Council:
4.
5.
6.
7.
4.
Item 9/2014
MCLM Council meeting of 27 March 2014
1. All wide area network (WAN) or metropolitan area network (MAN)
information including network devices connecting them and IP
addresses of connecting devices.
Configuration information on all network devices including:
a. Switches
b. Routers
c. Firewalls
Configuration shall include but not be limited to:
a. IP Address
b. Netmask
c. Default gateway
d. Vlans
e. DNS server IP addresses for primary and secondary DNS servers.
a. Any relevant WINS server information.
Network connection information including:
a. Type of connection to the internet or other WAN/MAN including T1,T3,
frame relay.
b. Provider of internet/WAN/MAN connection and contact information for
sales and support.
c. Configuration information including netmask, network ID, and gateway.
d. Physical location of where the cabling enters the building and circuit
number.
e. Cabinet naming.
DHCP server settings showing:
a. Range of IP addresses assigned by all DHCP servers on all subnets.
b. Subnet mask, default gateway, DNS server settings, WINS server
settings assigned by all DHCP servers on all subnets.
c. Lease duration time.
Access
The ICT networking and some enterprise security staff shall have full access to all
network documentation. The ICT networking staff shall have the ability to read and
modify network documentation. Designated enterprise security staff shall have
access to read and change network documentation but those not designated with
change access cannot change it. Help desk staff shall have read access to network
documentation.
5.
Change Notification
The help desk staff, server administrator, application developer and ICT management
shall be notified when network changes are made including.
1. Reboot of a network device including switches, routers, and firewalls.
2. Changes of rules or configuration of a network device including switches,
routers, and firewalls.
3. Upgrades to any software on any network device.
4. Additions of any software on any network device.
5. Changes to any servers which perform significant network functions whether
configuration or upgrade changes are made. These servers include:
37
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
1. DHCP
2. DNS
3. Domain controllers
4. WINS
Notification shall be through email to designated groups of people.
6. Documentation Review
The network or ICT manager shall ensure that network documentation is kept current
by performing a monthly review of documentation or designating a staff member to
perform a review. The remedy or help desk requests within the last month should be
reviewed to help determine whether any network changes were made. Also any
current or completed projects affecting network settings should be reviewed to
determine whether there were any network changes made to support the project.
7. Storage Locations
Network documentation shall be kept either in written form or electronic form in a
minimum of two places. It should be kept in two facilities at least two kilometres apart
so that if one facility is destroyed, information from the other facility may be used to
help construct the ICT infrastructure. Information in both facilities should be updated
monthly at the time of the documentation review.
16. SERVER DOCUMENTATION POLICY
1. Overview
This policy is an internal IT policy and defines the requirements for server
documentation. This policy defines the level of server documentation required such
as configuration information and services that are running. It defines who will have
access to read server documentation and who will have access to change it. It also
defines who will be notified when changes are made to the servers.
2. Purpose
The policy is designed to provide for network stability by ensuring that network
documentation is complete and current. This policy should complement disaster
management and recovery by ensuring that documentation is available in the event
that systems should need to be rebuilt. This policy will help reduce troubleshooting
time by ensuring that appropriate personnel are notified when changes are made to
any servers.
3. Documentation
For every server on a secure network, there are a list of items that must be
documented and reviewed on a regular basis to keep a private network secure. This
list of information about every server should be created as servers are added to the
network and updated regularly.
38
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
1.
2.
3.
4.
Server name
Server location
The function or purpose of the server.
Hardware components of the system including the make and model of each
part of the system.
5. List of software running on the server including operating system, programs,
and services running on the server.
6. Configuration information about how the server is configured including:
1. Event logging settings
2. A comprehensive list of services that are running.
3. Configuration of any security lockdown tool or setting
4. Account settings
5. Configuration and settings of software running on the server.
7. Types of data stored on the server.
8. The owners of the data stored on the server.
9. The sensitivity of data stored on the server.
10.
Data on the server that should be backed up along with its location.
11.
Users or groups with access to data stored on the server.
12.
Administrators on the server with a list of rights of each administrator.
13.
The authentication process and protocols used for authentication for
users of data on the server.
14.
The authentication process and protocols used for authentication for
administrators on the server.
15.
Data encryption requirements.
16.
Authentication encryption requirements.
17.
List of users accessing data from remote locations and type of media
they access data through such as internet or private network.
18.
List of administrators administrating the server from remote locations
and type of media they access the server through such as internet or
private network.
19.
Intrusion detection and prevention method used on the server.
20.
Latest patch to operating system and each service running.
21.
Groups or individuals with physical access to the area the server is in
and the type of access, such as key or card access.
22.
Emergency recovery disk and date of last update.
23.
Disaster recovery plan and location of backup data.
Mail Server Documentation
1. Account size limit where the person receives warnings about mailbox size
2. Account size limit where the person cannot send mail anymore.
3. Account size limit where the person cannot receive mail anymore.
4. Access
The ICT server administrator and the ICT manager shall have full read and change
access to server documentation for the server or servers they are tasked with
administering. The ICT network administrator and help desk staff shall have the
ability to read all server documentation.
39
MCLM-ISPM: Adobted by Council:
5.
Item 9/2014
MCLM Council meeting of 27 March 2014
Change Notification
The help desk staff, network administrator, and ICT manager shall be notified by
Service providers (QPR and BIQ) when changes are made to servers. Notification
shall be through email to designated groups of people.
6. Documentation Review
The network administrator and server administrator shall ensure that server
documentation is kept current by performing a monthly review of documentation or
designating a staff member to perform a review. The remedy or help desk requests
within the last month should be reviewed to help determine whether any server
changes were made. Also any current or completed projects affecting server settings
should be reviewed to determine whether there were any server changes made to
support the project.
7. Storage Locations
Server documentation shall be kept either in written form or electronic form in a
minimum of two places. It should be kept in two facilities at least two kilometres apart
so that if one facility is destroyed, information from the other facility may be used to
help construct the IT infrastructure. Information in both facilities should be updated
monthly at the time of the documentation review.
17. NETWORK SCANNING POLICY
1. Network Scan Types and Scope
This network scanning policy defines network scan types, identifies reasons for
scanning, identifies times when network scanning is allowed, who should approve
network scanning, and specifies who should be notified when network scanning is
done.
1. Network device location scan - This scan may use different means to
determine IP addresses of active devices on the network. Methods:
1. ARP Scan - An ARP broadcast can be sent to network IP addresses
asking what is the MAC address of the host with IP address x.x.x.x. If a
response occurs, there is an active host at that address.
2. Internal full port scan - Checks to determine what services are running on
each host. This may be done against selected hosts or all hosts including
servers and workstations. Methods:
1. Socket connect scan - Tries to complete a socket connection to a port
on a host computer this scan allows the host computer to log the
connection.
2. SYN scan - Sends a SYN packet to the host indicating that it wants to
open a socket. But when the host responds it does not finishing
establishing the connection.
40
MCLM-ISPM: Adobted by Council:
3.
4.
5.
6.
7.
8.
Item 9/2014
MCLM Council meeting of 27 March 2014
3. FIN scan - Sends a FIN packet to a host port. If a service is not running,
the port responds with a reset signal. If the port has a service running
on it, the signal is ignored.
External full port scan - Checks to determine what services are running on
each host. This test is done from outside the firewall and is directed toward
any IP addresses owned by the Merafong being tested. It may use the socket
connect scan method, the SYN scan method, or the FIN scan method.
Internal vulnerability scan - Tests the server to see if it is vulnerable to known
flaws in the operating system, services, and applications that are running. This
test may be directed toward one or more hosts including servers and
workstations. This test goes beyond performing a full port scan. It attempts to
get information about the operating system and services running on the host. It
will attempt to determine the version of the services running on the host. and
may even do a penetration test.
External vulnerability scan - Same as the internal vulnerability scan except it is
done from outside the Merafong network and is directed toward any IP
addresses owned by the Merafong being tested.
Internal Denial of service scan - This is a scan using packets which are
intentionally designed to make a system crash or tie up resources. The scan is
directed against ports but the data sent is usually misconfigured in some
unusual way.
External denials of service scan - Similar to the internal denial of service scan
except it is directed against IP addresses owned by the Merafong being
tested.
Password Cracking - This test may send default passwords and brute force
password guessing against accounts on specified systems. This is really not
like a network scan but is covered in this policy since it could potentially
disrupt service depending on the password policies of the Merafong.
Many scanning services will offer some combinations of these types of scans.
This policy covers all types of network and host scanning.
2. Network Scanning Reasons
Network scanning may be performed for several reasons
1. To determine whether computer systems are vulnerable to attack and fix them.
2. To show company we interact with that our servers are reasonably secure.
3. To fulfil regulatory requirements.
Network scanning shall not be performed without written permission.
3.0 Network Scanning Disruptions
Network scanning can be very disruptive to both a network and hosts that are
operating on a network. No network scanning shall be allowed without close
adherence to this policy and the associated procedures. Network scanning can
cause systems to crash and network devices to become unreliable which can
become very disruptive to the business operations.
4.0 Authorizers of Network Scanning and allowable hours
The head of the IT department shall determine who is authorized to perform network
scans. Those who perform network scans must have authorization in writing and a
41
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
specified time period when they are permitted to perform network scans. This policy
may limit the hours that scanning may be done so scanning is not done during
business hours. Specified time periods may provide for the following constraints:
1. Scanning shall be done between the hours of18h00 and 06h00 This may be to
prevent disruptions during business hours.
.
5. Scanning Notifications
When scanning is to be done, the following groups of people must be notified on a
daily basis:
1. The IT manager
2. The systems administrator.
3. The users of computer systems that will be scanned.
6. Scanning Procedure
scanning procedure shall be created for all computer systems to be scanned. For
each server to be scanned a list of people to be notified shall be maintained. For
workstations to be scanned, users may be notified using a group email.
7. Enforcement
Since network scanning can be disruptive to the operations of the network and the
Merafong, employees that do not adhere to this policy may be subject to disciplinary
action up to and including dismissal.
18. CHANGE MANAGEMENT AND CONTROL POLICY
1. Introduction
1.
Operational change management brings discipline and quality control to
ICT. Attention to governance and formal policies and procedures will
ensure its success. Adopting formalised governance and policies for
operational change management delivers a more disciplined and efficient
infrastructure. This formalisation requires communication; the
documentation of important process workflows and personnel roles; and
the alignment of automation tools, where appropriate. By defining
processes and policies, ICT organisations can demonstrate increased
agility in responding predictably and reliably to new business demands.
2.
Merafong Municipality management has recognised the importance of
change management and control and the associated risks with ineffective
change management and control and have therefore formulated this
Change Management and Control Policy in order to address the
opportunities and associated risks.
42
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
2. Scope
The policy applies to all users operating within the Merafong‟s network
environment or utilising Information Resources. It covers the data
networks, LAN servers and personal computers (stand-alone or networkenabled), located at company offices and company production related
locations, where these systems are under the jurisdiction and/or
ownership of Merafong or , and any personal computers, laptops, mobile
device and or servers authorised to access the company‟s data
networks.
3. Purpose
The purpose of this policy is to establish management direction and highlevel objectives for change management and control. This policy will
ensure the implementation of change management and control strategies
to mitigate associated risks such as:
 Information being corrupted and/or destroyed;
 Computer performance being disrupted and/or degraded;
 Productivity losses being incurred; and
 Exposure to reputational risk.
4. Policy
4.1.
Preamble
4.1.1.1. Changes to information resources shall be managed and executed
according to a formal change control process. The control process will
ensure that changes proposed are reviewed, authorised, tested,
implemented, and released in a controlled manner; and that the status of
each proposed change is monitored.
4.1.1.2. In order to fulfil this policy, the following statements shall be adhered to:
4.1.2.
Operational Procedures
4.1.2.1. The change control process shall be formally defined and documented. A
change control process shall be in place to control changes to all critical
Merafong information resources (such as hardware, software, system
documentation and operating procedures). This documented process shall
include management responsibilities and procedures.
Wherever
practicable, operational and application change control procedures should
be integrated.
4.1.2.2. At a minimum the change control process should include the following
phases:
Logged Change Requests;
Identification, prioritization and initiation of change;
Proper authorization of change;
43
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
Requirements analysis;
Inter-dependency and compliance analysis;
Impact Assessment;
Change approach;
Change testing;
User acceptance testing and approval;
Implementation and release planning;
Documentation;
Change monitoring;
Defined responsibilities and authorities of all users and IT personnel;
Emergency change classification parameters.
4.1.3.
Documented Change
4.1.3.1. All change requests shall be logged whether approved or rejected on a
standardised and central system. The approval of all change requests and
the results thereof shall be documented.
4.1.3.2. A documented audit trail, maintained at a sectional Level, containing
relevant information shall be maintained at all times. This should include
change request documentation, change authorization and the outcome of
the change. No single person should be able to effect changes to
production information systems without the approval of other authorised
personnel.
4.1.4.
Risk Management
4.1.4.1. A risk assessment shall be performed for all changes and dependant on the
outcome, an impact assessment should be performed.
4.1.4.2. The impact assessment shall include the potential effect on other
information resources and potential cost implications. The impact
assessment should, where applicable consider compliance with legislative
requirements and standards.
4.1.5.
Change Classification
4.1.5.1. All change requests shall be prioritised in terms of benefits, urgency, effort
required and potential impact on operations.
44
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
4.1.6.
Testing
4.1.7.
Changes shall be tested in an isolated, controlled, and representative
environment (where such an environment is feasible) prior to
implementation to minimise the effect on the relevant business process, to
assess its impact on operations and security and to verify that only intended
and approved changes were made.
4.1.8.
Changes affecting SLA„s
4.1.8.1. The impact of change on existing SLA‟s shall be considered. Where
applicable, changes to the SLA shall be controlled through a formal change
process which includes contractual amendments.
4.1.9.
Version control
4.1.9.1. Any software change and/or update shall be controlled with version control.
Older versions shall be retained in accordance with corporate retention and
storage management policies.
4.1.10. Approval
4.1.10.1. All changes shall be approved prior to implementation. Approval of changes
shall be based on formal acceptance criteria i.e. the change request was
done by an authorised user, the impact assessment was performed and
proposed changes were tested.
4.1.11. Communicating changes
4.1.11.1. All users, significantly affected by a change, shall be notified of the change.
The user representative shall sign-off on the change. Users shall be
required to make submissions and comment prior to the acceptance of the
change.
4.1.12. Implementation
4.1.12.1 Implementation will only be undertaken after appropriate testing and
approval by stakeholders. All major changes shall be treated as new system
implementation and shall be established as a project. Major changes will be
classified according to effort required to develop and implement said
changes.
4.1.13. Fall back
4.1.13.1. Procedures for aborting and recovering from unsuccessful changes shall be
documented. Should the outcome of a change be different to the expected
result (as identified in the testing of the change), procedures and
responsibilities shall be noted for the recovery and continuity of the affected
areas. Fall back procedures will be in place to ensure systems can revert
back to what they were prior to implementation of changes.
45
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
4.1.14. Documentation
4.1.14.1. Information resources documentation shall be updated on the completion of
each change and old documentation shall be archived or disposed of as per
the documentation and data retention policies.
4.1.14.2. Information resources documentation is used for reference purposes in
various scenarios i.e. further development of existing information resources
as well as ensuring adequate knowledge transfer in the event of the original
developer and/or development house being unavailable. It is therefore
imperative that information resources documentation is complete, accurate
and kept up to date with the latest changes. Policies and procedures,
affected by software changes, shall be updated on completion of each
change.
4.1.15. Business Continuity Plans (BCP)
4.1.15.1. Business continuity plans shall be updated with relevant changes, managed
through the change control process. Business continuity plans rely on the
completeness, accuracy and availability of BCP documentation. BCP
documentation is the road map used to minimise disruption to critical
business processes where possible, and to facilitate their rapid recovery in
the event of disasters.
4.1.16. Emergency Changes
4.1.16.1. Specific procedures to ensure the proper control, authorisation, and
documentation of emergency changes shall be in place. Specific
parameters will be defined as a standard for classifying changes as
Emergency changes.
4.1.17. Change Monitoring
4.1.17.1. All changes will be monitored once they have been rolled-out to the
production environment. Deviations from design specifications and test
results will be documented and escalated to the solution owner for
ratification.
5. Compliance
5.1.1.1. Any person, subject to this policy, who fails to comply with the provisions as
set out above or any amendment thereto, shall be subjected to appropriate
disciplinary or legal action in accordance with Merafong Disciplinary Code
and Procedures. Merafong Information Security policies, standards,
procedures and guidelines shall comply with legal, regulatory and statutory
requirements.
6. IT Governance Value statement
6.1.1.1. Changes that materially affect the financial process must be evaluated and
reported quarterly. Financial system upgrades or replacements will require
new certification. The implication is that MFMA compliance is reliant on the
changes you make to the operational systems and procedures.
46
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
7. Policy Access Considerations
7.1.1.1. Access to this policy shall be granted to:
All IT personnel
All Users
Managers
Executive Directors
19. INCIDENT RESPONSE POLICY
1. Overview
This incident response defines what constitutes a security incident and outlines the
incident response phases. This incident response plan document discusses how
information is passed to the appropriate personnel, assessment of the incident,
minimising damage and response strategy, documentation, and preservation of
evidence. The incident response plan will define areas of responsibility and establish
procedures for handing various security incidents. This document discusses the
considerations required to build an incident response plan.
2. Purpose
The policy is designed to protect the Merafong resources against intrusion.
3. Incident Response Goals
1.
2.
3.
4.
5.
6.
7.
8.
Verify that an incident occurred.
Maintain or Restore Business Continuity.
Reduce the incident impact.
Determine how the attack was done if the incident happened.
Prevent future attacks or incidents.
Improve security and incident response.
Prosecute illegal activity.
Keep management informed of the situation and response.
4. Incident Definition
An incident is any one or more of the following:
1. Loss of information confidentiality (data theft)
2. Compromise of information integrity (damage to data or unauthorized
modification).
3. Theft of physical IT asset including computers, storage devices, printers, etc.
4. Damage to physical IT assets including computers, storage devices, printers,
etc.
5. Denial of service.
47
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
6. Misuse of services, information, or assets.
7. Infection of systems by unauthorized or hostile software.
8. An attempt at unauthorized access.
9. Unauthorized changes to Merafong hardware, software, or configuration.
10.
Reports of unusual system behaviour.
11.
Responses to intrusion detection alarms.
5. Incident planning
In the incident response plan, the following will be done:
1. Define roles and responsibilities
2. Establish procedures detailing actions taken during the incident.
1. Detail actions based on type of incident such as a virus, hacker
intrusion, data theft, system destruction.
2. Procedures should consider how critical the threatened system or data
is.
3. Consider whether the incident is on-going or done.
6. Incident Response Life cycle
1. Incident Preparation
1. Policies and Procedures
1. Computer Security Policies - These involve many policies
including password policies, intrusion detection, computer
property control, data assessment, and others.
2. Incident Response Procedures
3. Backup and Recovery Procedures
2. Implement policies with security tools including firewalls, intrusion
detection systems, and other required items.
3. Post warning banners against unauthorized use at system points of
access.
4. Establish Response Guidelines by considering and discussing possible
scenarios.
5. Train users about computer security and train IT staff in handling
security situations and recognizing intrusions.
6. Establish Contacts - Incident response team member contact
information should be readily available. An emergency contact
procedure should be established. There should be one contact list with
names listed by contact priority.
7. Test the process.
2. Discovery - Someone discovers something not right or suspicious. This may
be from any of several sources:
1. Helpdesk
2. Intrusion detection system
3. A system administrator
4. A firewall administrator
5. A business partner
48
MCLM-ISPM: Adobted by Council:
3.
4.
5.
6.
7.
8.
Item 9/2014
MCLM Council meeting of 27 March 2014
6. A monitoring team
7. A manager
8. The security department or a security person.
9. An outside source.
Notification - The emergency contact procedure is used to contact the incident
response team.
Analysis and Assessment - Many factors will determine the proper response
including:
1. Is the incident real or perceived?
2. Is the incident still in progress?
3. What data or property is threatened and how critical is it?
4. What is the impact on the business should the attack succeed? Minimal,
serious, or critical?
5. What system or systems are targeted, where are they located physically
and on the network?
6. Is the incident inside the trusted network?
Response Strategy - Determine a response strategy.
1. Is the response urgent?
2. Can the incident be quickly contained?
3. Will the response alert the attacker and do we care?
Containment - Take action to prevent further intrusion or damage and remove
the cause of the problem. May need to:
1. Disconnect the affected system(s)
2. Change passwords.
3. Block some ports or connections from some IP addresses.
Prevention of re-infection
1. Determine how the intrusion happened - Determine the source of the
intrusion whether it was email, inadequate training, attack through a
port, attack through an unneeded service, attack due to unpatched
system or application.
2. Take steps to prevent an immediate re-infection which may include one
or more of:
1. Close a port on a firewall
2. Patch the affected system
3. Shut down the infected system until it can be re-installed
4. Re-install the infected system and restore data from backup. Be
sure the backup was made before the infection.
5. Change email settings to prevent a file attachment type from
being allow through the email system.
6. Plan for some user training.
7. Disable unused services on the affected system.
Restore Affected Systems - Restore affected systems to their original state. Be
sure to preserve evidence against the intruder by backing up logs or possibly
the entire system. Depending on the situation, restoring the system could
include one or more of the following
1. Re-install the affected system(s) from scratch and restore data from
backups if necessary. Be sure to preserve evidence against the intruder
by backing up logs or possibly the entire system.
2. Make users change passwords if passwords may have been sniffed.
49
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
3. Be sure the system has been hardened by turning off or uninstalling
unused services.
4. Be sure the system is fully patched.
5. Be sure real time virus protection and intrusion detection is running.
6. Be sure the system is logging the correct items
9. Documentation - Document what was discovered about the incident including
how it occurred, where the attack came from, the response, whether the
response was effective.
10.
Evidence Preservation - Make copies of logs, email, and other
documentable communication. Keep lists of witnesses.
11.
Notifying proper external parties as defined in the Minimum Information
Security Standards (MISS) - Notify the police if prosecution of the
intruder is possible.
12.
Assess damage and cost - Assess the damage to the Merafong and
estimate both the damage cost and the cost of the containment efforts.
13.
Review response and update policies - Plan and take preventative
steps so the intrusion can't happen again.
a. Consider whether an additional policy could have prevented the
intrusion.
b. Consider whether a procedure or policy was not followed which allowed
the intrusion, then consider what could be changed to be sure the
procedure or policy is followed in the future.
c. Was the incident response appropriate? How could it be improved?
d. Was every appropriate party informed in a timely manner?
e. Were the incident responses procedures detailed and cover the entire
situation? How can they be improved?
f. Have changes been made to prevent a re-infection of the current
infection? Are all systems patched, systems locked down, passwords
changed, anti-virus updated, email policies set, etc.?
g. Have changes been made to prevent a new and similar infection?
h. Should any security policies be updated?
i. What lessons have been learned from this experience?
20. NETWORK RISK EVALUATION
The purpose of this document is to list all network security risks and help the user
determine where the greatest threats lie on their network. The network administrator
should list their opinion of the severity of each threat and how common they believe it
to be on their network. Then the number of times per month that this threat has
materialized should be listed.
There are several main items to consider when listing threats and their ability to
threaten the network. These include:
1. The threat such as virus, spyware, worms, computer hack and others.
2. The computer type - This will be one of server, desktop, mainframe, or laptop.
3. The entry method - Describes the transport mechanism the threat used to
enter the network whether it was the DMZ or trusted network. This could be
carried physically in, through email, through a browser such as typical adware
or spyware infections, or through a firewall.
50
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
4. The infected Zone - The zone the infected computer was in. It should be noted
whether the infection spread and what zones it spread to, but there is no place
in the table for this. If spreading happened, the item should be stared or
numbered with an incident explanation at the bottom of the sheet.
5. The perceived threat severity
6. How common or often the threat is realized on the network.
7. Occurrences per month. This should be the actual average number of
occurrences in the last 6 to 12 months.
Compromise of client computers
1. Hostile software through email borne viruses into client computers
2. Unauthorized user installed program - Users bringing their own programs into
the network on disks or memory sticks
3. Hostile software through user web browser due to misconfiguration and/or
software vulnerability.
Compromise of server computers:
1. Threats from compromised client computers.
2. Attacks through vulnerable applications.
3. Attacks through vulnerabilities in services such as web server and mail
services.
4. Attacks through operating system vulnerabilities.
5. Attacks due to misconfiguration of services or system such as allowing
relaying on mail server allowing spam to be sent, not locking down Internet
Information Server (IIS) leaving it vulnerable, or leaving default administrator
accounts with default passwords set.
Items to consider:
1. Consider where all systems lie on the network and where traffic is limited
between different areas. Include firewalls and routers along with descriptions
or lists of permitted and disallowed traffic.
2. Consider where the most security violations have occurred both in type such
as virus and the type of computer infected.
1. Consider whether the servers should be in a network zone
separate from the client computers if client computers are
compromised more often, statistically, than other groups of
computers (such as servers in the DMZ).
51
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
Appendix B: Acceptable Use Security Policy
< MERAFONG CITY LOCAL MUNICIPALITY> POLICY
INFORMATION SECURITY NUMBER: MCLM-ISMS
EFFECTIVE:
REVISED DATE:
SUBJECT: ACCEPTABLE USE
APPROVED:
SECTION 1 – INTRODUCTION
Information Resources are strategic assets of the Merafong and must be treated and
managed as valuable resources. Merafong provides various computer resources to
its employees for the purpose of assisting them in the performance of their jobrelated duties. State law permits minimal and incidental access to state resources for
personal use. This policy clearly documents expectations for appropriate use of
Merafong assets. This Acceptable Use Policy, in conjunction with the corresponding
standards, is established to achieve the following:
1. To establish appropriate and acceptable practices regarding the use of
Municipal information.
2. To ensure compliance with applicable Government and other rules and
regulations regarding the management of information.
3. To educate employees who may use these information resources with respect
to their responsibilities.
ROLES AND RESPONSIBILITIES
1. Merafong management will establish a periodic reporting requirement to
measure the compliance and effectiveness of this policy.
2. Merafong management is responsible for implementing the requirements of this
policy, or documenting non-compliance via the method described under
exception handling.
3. Merafong Managers, in cooperation with ICT section, are required to train
employees on policy and document issues with policy compliance.
4. All Merafong employees are required to read and acknowledge the reading of
this policy.
POLICY DIRECTIVES
Acceptable Use Management Requirements
Merafong will establish formal standards and processes to support the on-going
development and maintenance of the Merafong Acceptable Use Policy.
The Merafong Executive Directors and managers will commit to the on-going training
and education of Merafong staff responsible for the administration and/or
52
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
maintenance and/or use of Merafong information resources. At a minimum, skills to
be included or advanced include user training and awareness.
1. The Merafong Executive Directors and managers will use metrics to
establish the need for additional education or awareness in order to
facilitate the reduction in the threat and vulnerability profiles of Merafong
assets and information resources.
2. The Merafong Executive Directors and managers will establish a formal
review cycle for all acceptable use initiatives.
3. Any security issues discovered will be reported to the ICT manager for
follow-up investigation.
Ownership
Electronic files created, sent, received, or stored on information resources owned,
leased, administered, or otherwise under the custody and control of Merafong are
the property of Merafong and employee use of these files is neither personal nor
private. Authorized Merafong ICT employees may access all such files at any time
without knowledge of the user or owner. Merafong management reserves the
right to monitor and/or log all employee use of Merafong information with or
without prior notice.
Acceptable Use Requirements
1. Users must report any weaknesses in Merafong computer security to the
appropriate security staff. Weaknesses in computer security include
unexpected software or system behaviour, which may result in
unintentional disclosure of information or exposure to security threats.
2. Users must report any incidents of possible misuse or violation of this
Acceptable Use Policy through the use of documented misuse reporting
processes associated with the Internet, Intranet, and email use standards.
3. Users must not attempt to access any data, documents, email
correspondence, and programs contained on <Merafong>systems for
which they do not have authorization.
4. Systems administrators and authorized users must not divulge remote
connection modem phone numbers or other access points to
<Merafong>computer resources to anyone without proper authorization.
5. Users must not share their account(s), passwords, Personal Identification
Numbers (PIN), security tokens (i.e., Smartcard), or similar information or
devices used for identification and authorization purposes.
6. Users must not make unauthorized copies of copyrighted or Merafong
owned software.
7. Users must not use non-standard shareware or freeware software without
the appropriate Merafong management approval.
53
MCLM-ISPM: Adobted by Council:
Item 9/2014
MCLM Council meeting of 27 March 2014
8. Users must not purposely engage in activity that may harass, threaten, or
abuse others or intentionally access, create, store, or transmit material
which Merafong may deem to be offensive, indecent, or obscene, or that is
illegal according to the law of the country.
9. Users must not engage in activity that may degrade the performance of
information resources; deprive an authorized user access to Merafong
resources; obtain extra resources beyond those allocated; or circumvent
Merafong computer security measures.
10. Users must not download, install or run security programs or utilities such
as password cracking programs, packet sniffers, or port scanners that
reveal or exploit weaknesses in the security of a Merafong computer
resource unless approved by Merafong ICT.
11. Merafong information resources must not be used for personal benefit,
political activity, unsolicited advertising, unauthorized fund raising, or for
the solicitation of performance of any activity that is prohibited by any local,
provincial, or national law.
12. Access to the Internet from Merafong owned, home based, computers
must adhere to all the policies. Employees must not allow family members
or other non-employees to access non-public accessible Merafong
computer systems.
13. Any security issues discovered will be reported to the ICT section, for
follow-up investigation
Minimal and Incidental Use
1. Minimal and incidental personal use of email, Internet access, fax
machines, printers, and copiers is restricted to Merafong approved users
only and does not include family members or others not affiliated with
Municipality
2. Minimal and incidental use must not result in direct costs to Merafong
cause legal action against, or cause embarrassment to Merafong
3. Minimal and incidental use must not interfere with the normal performance
of an employee‟s work duties.
4. Storage of personal email messages, voice messages, files, and
documents within Merafong‟s computer resources must be nominal.
ENFORCEMENT, AUDITING, REPORTING
1. Violation of this policy may result in disciplinary action that may include
termination for employees and temporaries; termination of employment
relations in the case of contractors or consultants; dismissal for interns and
volunteers. Additionally, individuals are subject to loss of Merafong information
resources access privileges, civil, and criminal prosecution.
54