The document outlines a company's network security and password policies. It establishes that all network information is confidential and not to be shared without authorization. It details strong password requirements including regular changes, composition rules, and prohibitions against sharing passwords. It also addresses log off procedures, physical security, software installation restrictions, file backup strategies, acceptable usage policies, and prohibited online activities.
Copyright:
Attribution Non-Commercial (BY-NC)
Network Security Policy
Security and Privacy
It is the policy of [company] that all information contained on the network or on computers attached to the network is strictly confidential. Confidential information is not to be used or given to anyone, whether inside or outside [company], unless there is an authorized business purpose and/or a legitimate need to know. It is the responsibility of each person to honor this confidentiality and to report actual or suspected violations to the appropriate authorities at [company]. Any violation of confidentiality or unauthorized computer access will be investigated, and disciplinary action, up to and including termination, may result. Computer access will be audited by the IT staff if misuse is suspected.

Passwords

Passwords are the entry point to our IT resources. Protecting access to our computer resources is pivotal in ensuring that our systems and the confidential information they contain remain secure. While we have not been exploited, nor do we expect to be, we must be diligent in guarding access to our resources and protecting them from threats both inside and outside our organization.

Password Handling

Passwords for all systems are subject to the following rules:
• No passwords are to be spoken, written, e-mailed, hinted at, shared, or in any other way made known to anyone other than the user involved. This includes supervisors and personal assistants.
• No passwords are to be shared in order to "cover" for someone who is out of the office. Contact IT, which will gladly create a temporary account if there are resources you need to access.
• Passwords are not to be displayed or concealed anywhere in your workspace.

Password Composition

• Passwords will change every 30/60 days.
• Your account will lock out after 5 failed logon attempts. The lockout clears after 60 minutes; you can then try again, or the Administrator can give you a new temporary password.
• Password may not contain:
  o All or part of the user's account name
  o First name, middle name, or last name
  o Company name
  o Any portion of your social security number
  o Any portion of your address
  o Any portion of your date of birth
  o Nickname
  o Any term that could easily be guessed by someone who is familiar with you
• Password is at least eight characters long.
• Password contains characters from three of the following four categories:
  o English uppercase characters (A...Z)
  o English lowercase characters (a...z)
  o Base 10 digits (0...9)
  o Non-alphanumeric characters (exclamation point [!], dollar sign [$], pound sign [#], percent sign [%], etc.)

Administrative Passwords

Administrative passwords are subject to stringent composition, frequent change, and limited access. This includes passwords for routers, switches, WAN links, firewalls, servers, Internet connections, administrative-level network operating system accounts, and any other IT resource. Passwords for administrative resources must meet the following criteria:
• Password is at least 10 characters long.
• Password contains at least three non-alphanumeric characters.
• Password contains at least two numbers.

Creating Strong Passwords

You can construct a good password by starting from a sentence. For example: "I like working at my job 9!" Take the first letter of each word, leaving the password Ilwamj9!

Personal information is often easy to remember. Think of a significant event in your life, for example "My second daughter was married in 2001," and take the first letter of each word to form a password. From this sentence you get "Msdwmi2001." Now make that password stronger.
[Company] Network Policies Page 1 of 4 Revised: 6/7/2004
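The user and administrative composition rules in the Passwords section, turned into a checker. This is an added example, not part of the [Company] policy document: the account-name, company and personal-data fields are assumed, the policy does not say what "part of" a name or number means (the script assumes any run of three consecutive characters), and it treats the administrative criteria as additional to the ordinary user rules.

```python
"""Checker for the password composition rules stated in this policy.

Added example, not part of the original [Company] document. Assumptions:
"part of" a name or number means any run of PART_LEN (3) consecutive
characters, a threshold the policy does not state; administrative
passwords must also satisfy the ordinary user rules.
"""
import string
from dataclasses import dataclass, field
from typing import List, Set

PART_LEN = 3                       # assumed minimum size of a "portion"
ALNUM = string.ascii_letters + string.digits


@dataclass
class UserInfo:
    """Personal data the policy says must not appear in a password (assumed field names)."""
    account_name: str
    company: str
    names: List[str] = field(default_factory=list)     # first, middle, last, nickname
    personal: List[str] = field(default_factory=list)  # SSN, address, date of birth, ...


def _normalise(token: str) -> str:
    """Lower-case and drop separators, so '123-45-6789' becomes the digit run '123456789'."""
    return "".join(c for c in token.lower() if c.isalnum())


def _fragments(token: str, n: int = PART_LEN) -> Set[str]:
    """Every n-character run of a token; tokens shorter than n are used whole."""
    t = _normalise(token)
    if len(t) < n:
        return {t} if t else set()
    return {t[i:i + n] for i in range(len(t) - n + 1)}


def character_classes(password: str) -> int:
    """How many of the policy's four character categories the password uses."""
    present = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in ALNUM for c in password),
    )
    return sum(present)


def check_user_password(password: str, user: UserInfo) -> List[str]:
    """Return the user-password rules that are violated; an empty list means accepted."""
    violations = []
    if len(password) < 8:
        violations.append("shorter than 8 characters")
    if character_classes(password) < 3:
        violations.append("fewer than three of the four character classes")
    pw = password.lower()
    # "All or part of" the account name, personal names, company name and
    # personal numbers: any fragment of those values found in the password fails.
    sources = (
        ("account name", [user.account_name]),
        ("company name", [user.company]),
        ("personal name", user.names),
        ("personal information", user.personal),
    )
    for label, tokens in sources:
        if any(frag in pw for token in tokens for frag in _fragments(token)):
            violations.append(f"contains part of {label}")
    return violations


def check_admin_password(password: str, user: UserInfo) -> List[str]:
    """Stricter criteria for routers, firewalls, servers and other administrative accounts."""
    violations = check_user_password(password, user)
    if len(password) < 10:
        violations.append("shorter than 10 characters")
    if sum(c not in ALNUM for c in password) < 3:
        violations.append("fewer than three non-alphanumeric characters")
    if sum(c in string.digits for c in password) < 2:
        violations.append("fewer than two digits")
    return violations


if __name__ == "__main__":
    # Constructed sample user; the passwords are the policy's own examples plus weak ones.
    info = UserInfo("jsmith", "Acme", ["Jane", "Smith"], ["123-45-6789", "1/2/1970"])
    for pw in ("Ilwamj9!", "M2dW%mi201", "Acme2004!!", "QWERTY"):
        print(f"user  {pw!r}: {check_user_password(pw, info) or 'accepted'}")
    for pw in ("Ilwamj9!", "I.like.w0rking@9!"):
        print(f"admin {pw!r}: {check_admin_password(pw, info) or 'accepted'}")
```

The fragment check is deliberately strict: a social security number or date of birth is reduced to a plain digit run and every three-digit window of it is searched for, which is the only practical reading of "any portion". The policy's own sample password Ilwamj9! passes the user rules but fails all three administrative criteria, which is the gap the Administrative Passwords section exists to close.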
For example, "M2dWmI201" incorporates three of the four available character classes, which is a necessary attribute of a strong password. Want to make it even stronger? Make a password from the last letter of each word in the sentence: "M2dWmI201" from the previous example becomes "Y2RSdn201." Add another character class for added protection; for example, separate the sample password's characters with a symbol and you get "M2dW%mi201," which is much stronger than "12345" or "QWERTY." Keep the sentence itself private: the composition rules above forbid dates, names and anything someone familiar with you could guess, and that applies to the sentence a password is built from as much as to the password.

Computer Logoff

The user must log off the computer whenever it will be out of their direct observation for any period of time (for example, log off before going to the restroom). The user may lock the computer instead if they will be gone for only a few minutes. A screensaver can also be set to log off automatically after a short period of inactivity. You must also log off at the end of the workday or work session.
1) If you do not log off and the server goes down, your open files may be irretrievably corrupted.
2) The information on the server is backed up to tape each night; files that you have open while logged in cannot be backed up.
3) Confidential information may be visible on your monitor to a passerby.
4) An unauthorized person could use your session to gain access to the network.

Physical Security

All servers and backup media are either locked in a secure room or kept in a safety deposit box at the bank. All workstations should be positioned so that a casual passerby cannot see anything on the monitor.

Software and Configuration

Only the IT staff will install or upgrade programs or software on workstations or servers. Users should not download or install any software or change the configuration of a workstation unless authorized by the IT staff.

File Storage

All files and other data will be stored on the file server. The file server is backed up to tape nightly, and every week a tape is taken offsite. If you are not sure where your files are stored, or you need a file restored, contact the IT staff.

Backup Strategy

A layered backup strategy gives the backup system multiple layers of redundancy:
1. Monday, Tuesday, Wednesday, and Thursday tapes that are rotated every week.
2. At least 4 sets of Friday tapes that are rotated every Friday. These should be kept offsite.
3. At least 3 to 6 months of monthly tapes, which are taken offsite.
Making an archive copy of critical data to CD gives us another layer of redundancy.

Usage Policies

These computer systems, facilities, and accounts are owned and operated by [Company]. [Company] reserves all rights, including termination of service without notice, to the computing resources it owns and operates. These procedures shall not be construed as a waiver of any rights of [Company], nor shall they conflict with applicable law. Users have rights that may be protected by federal, state, and local laws.

[Company] provides its users with Internet access and electronic communications services as required for the performance and fulfillment of job responsibilities. These services are for the purpose of increasing productivity and not for non-business-related activities. Occasional and reasonable personal use of Internet and e-mail services is permitted, provided that it does not interfere with work performance. These services may be used outside scheduled hours of work, provided that such use is consistent with professional conduct.

Users should have no expectation of privacy while using company-owned or company-leased equipment. Information passing through or stored on company equipment can and will be monitored.

Violations of Internet and e-mail use include, but are not limited to, accessing, downloading, uploading, saving, receiving, or sending material that includes sexually explicit content or other material using vulgar, sexist, racist, threatening, violent, or defamatory language. Users should not use these services to disclose corporate information without prior authorization. Gambling and illegal activities are not to be conducted on company resources. Infringements of this policy will be investigated on a case-by-case basis.

E-mail and Confidential Information

Internet e-mail should not be used to transfer confidential information; consider Internet e-mail to have the security of a postcard. Internal e-mail can be used to transfer confidential information, as the information does not leave the internal secure network.
Prohibited Use

Users shall not use Internet or e-mail services to view, download, save, receive, or send material related to or including:
• Offensive content of any kind, including pornographic material.
• Promoting discrimination on the basis of race, gender, national origin, age, marital status, sexual orientation, religion, or disability.
• Threatening or violent behavior.
• Illegal activities.
• Commercial messages.
• Messages of a religious, political, or racial nature.
• Gambling.
• Sports, entertainment, and job information and/or sites.
• Personal financial gain.
• Forwarding e-mail chain letters, jokes, or stories.
• Sending business-sensitive information by e-mail or over the Internet.
• Dispersing corporate data to the Company's customers or clients without authorization.
• Opening files received from the Internet without performing a virus scan.
• Downloading and installing programs on the workstation.

Virus Protection Policy

It is the responsibility of everyone who uses the network to take reasonable measures to protect it from virus infections. This policy outlines how viruses can infect the network, how the IT department tries to prevent or minimize infections, and how network users should respond if they suspect a virus has infected the network.

How viruses can infect a network

There are three main types of malicious code: true viruses, Trojan horses, and worms. True viruses hide themselves, often as macros, within other files such as spreadsheets or Word documents. When an infected file is opened on a computer connected to the network, the virus can spread throughout the network and may do damage. A Trojan horse is a program file that, once executed, does not spread on its own but can damage the computer on which it was run. A worm is also a program file that, when executed, can both spread throughout a network and damage the computer from which it was run.

Viruses can enter the network in a variety of ways:

E-mail—By far, most viruses are sent as e-mail attachments. These attachments could be working documents or spreadsheets, or they could be viruses disguised as pictures, jokes, and so on. They may have been knowingly sent by someone wanting to infect [organization name]'s network, or by someone who does not know the attachment contains a virus; some viruses, once opened, automatically e-mail themselves, and the sender may not know his or her computer is infected. Forwarding jokes to friends is a very common vector for e-mail viruses. Whenever you send, reply to, or forward a message, your e-mail address is included in it. When the recipient forwards the message to someone else, and they forward it on again, your address can end up on hundreds of PCs. If any one of those PCs becomes infected, it can send a virus to your e-mail address even though you never e-mailed its owner directly. The virus sends a copy of itself to every address on the infected computer, including spam addresses, so you end up receiving both viruses and spam. With most new e-mail viruses there is no way to trace who sent them, because the source address is forged. Be careful who you give your e-mail address to and who you e-mail.

Disk, CD, Zip disk, or other media—Viruses can also spread via various types of storage media. As with e-mail attachments, the virus could hide within a legitimate document or spreadsheet or simply be disguised as another type of file.

Software downloaded from the Internet—Downloading software via the Internet can also be a source of infection. As with other types of transmission, the virus could hide within a legitimate document, spreadsheet, or other type of file.

Instant messaging attachments—Although less common than e-mail attachments, more viruses are taking advantage of instant messaging software. These attachments work the same way as e-mail viruses but are transmitted via instant messaging software.

How the IT department prevents or minimizes virus infections

Scanning Internet traffic—All Internet traffic coming to and going from our network must pass through company servers and other network devices. Only specific types of network traffic are allowed beyond the organization's exterior firewalls.

Running server and workstation antivirus software—All servers run antivirus scanning software, which scans our file-sharing data stores for suspicious code. Antivirus software is also installed on all organization workstations; it scans all data written to or read from a workstation's hard drive. If it finds something suspicious, it isolates the file on the computer and automatically notifies the help desk.

Routinely updating virus definitions—Every morning, the firewall and server virus scanning programs check for updated virus definitions, which allow the software to detect new viruses. If a new definition file is available, the scanning software is updated automatically and the system administrator is then informed. When end users turn on their computers at the beginning of the workday, the workstation virus protection program checks a server on the network for updates and downloads and installs any update automatically.

How to respond to and report a virus

Even though all Internet traffic is scanned for viruses and all files on the company's servers are scanned, a new or well-hidden virus could still reach an employee's workstation and, if not properly handled, infect [Company]'s network. The IT staff will attempt to notify all users of credible virus threats via e-mail or telephone messages. Because this notification goes to everyone in the organization, employees should not forward virus warning messages themselves. On occasion, well-meaning people distribute virus warnings that are actually hoaxes. These warnings are typically harmless, but forwarding them unnecessarily increases network traffic, and some hoaxes instruct recipients to delete files from their own computer; do not act on such instructions without checking with the help desk.

As stated, it is the responsibility of all [Company] network users to take reasonable steps to prevent virus outbreaks. Use the guidelines below to do your part:
1) Do not open unexpected e-mail attachments, even from coworkers or someone you know.
2) Never open an e-mail or instant messaging attachment from an unknown or suspicious source.
3) Never download freeware or shareware from the Internet without the express permission of the IT department.
4) If a file you receive contains macros that you are unsure about, disable the macros.

Notify the IT department of suspicious files

If you receive a suspicious file or e-mail attachment, do not open it. Call [Company]'s help desk at extension [insert extension number] and inform the support analyst that you have received a suspicious file. The support analyst will explain how to handle the file. If the potentially infected file is on a disk that you have inserted into your computer, the antivirus software on your machine will ask whether you wish to scan the disk, format the disk, or eject the disk. Eject the disk and contact the help desk at extension [insert extension number]; they will instruct you on how to handle the disk. After the support analyst has neutralized the file, send a note to the person who sent or gave you the file notifying them that it contained a virus. (If the file was sent via e-mail, the antivirus software running on our e-mail system will automatically send an e-mail message informing the sender of the virus it detected.) Bear in mind, as noted above, that the sender address on a virus-bearing e-mail is often forged, so the notified "sender" may not be the infected party.

If the file is an infected spreadsheet or document that is of critical importance to [Company], the IT department will attempt to scan and clean the file. The IT department, however, makes no guarantee that an infected file can be completely cleaned, and will not allow an infected file to be used on [Company] computers.

Repetitive Strain Injury

Good Working Habits
• Take frequent breaks from typing.
• When typing, keep your hands relaxed and your fingers gently curved. Your hands should float easily above the keyboard.
• Avoid extended wrist positions.
• Sit with good posture without being too rigid; avoid slouching or leaning forward.
• The monitor should be at eye level or slightly lower. Keyboard and monitor should be directly in front of you, not off to the side.
• With your back straight, your knees should be at an open (at least 90 degree) angle and slightly lower than your hips.
• Keep your feet on the floor or on a footrest.
• Make certain you are seated properly and that your keyboard and mouse are in a comfortable position.

Continuance

This policy is a living document and may be modified at any time by the IT manager, the IT steering committee, or the human resources department.

Compliance

Your signature indicates that you have read [Company]'s Network Security policy. Signing this document does not mean that you agree with each and every provision of the policy; it does mean that you will abide by the regulations set forth above.

______________________________________________________________________________________
Employee Signature                                                      Date