System and Network Activities
E- mail and Communications Activities
Sending unsolicited e-mail messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
Unauthorized use, or forging, of e-mail header information.
Solicitation of e-mail for any other e-mail address, other than that of the poster’s account, with the intent to harass or to collect replies.
Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type. Use of unsolicited e-mail originating from within <Company Name>’s networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by <Company Name> or connected via <Company Name>’s network.
Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
4.4. Blogging
Blogging by employees, whether using <Company Name>’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Policy. Limited and occasional use of <Company Name>’s systems to engage in blogging is acceptable, provided that it is done in a professional and responsible manner, does not otherwise violate <Company Name>’s policy, is not detrimental to <Company Name>’s best interests, and does not interfere with an employee’s regular work duties. Blogging from <Company Name>’s systems is also subject to monitoring.
<Company Name>’s Confidential Information policy also applies to blogging. As such, Employees are prohibited from revealing any <Company> confidential or proprietary information, trade secrets or any other material covered by <Company>’s Confidential Information policy when engaged in blogging.
Employees shall not engage in any blogging that may harm or tarnish the image, reputation and/ or goodwill of <Company Name> and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments when blogging or otherwise engaging in any conduct prohibited by <Company Name>’s Non-Discrimination and Anti-Harassment policy.
Employees may also not attribute personal statements, opinions or beliefs to <Company Name> when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of <Company Name>. Employees assume any and all risk associated with blogging.
Apart from following all laws pertaining to the handling and disclosure of copyrighted or export controlled materials, <Company Name>’s trademarks, logos and any other <Company Name> intellectual property may also not be used in connection with any blogging activity.
5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
6.0 Definitions
Term
Definition
Blogging Writing a blog. A blog (short for weblog) is a personal online journal that is frequently updated and intended for general public consumption.
Spam Unauthorized and/or unsolicited electronic mass mailings.
7.0 Revision History
This section is used to record version changes.
More Information
To find out more on the creation and testing of policy visit the following sites: The SANS Policy Web site
www.sans.org/resources/policies/
The SANS Secu rity Policy Resource page is a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies. You’ll find a great set of resources posted here already including policy templates for twenty-four impor- tant security requirements.
Information Security Policy - A Development Guide for Large and Small Companies
www.sans.org/reading_room/whitepapers/policyissues/1331.php
A security policy should fulfill many purposes. It should: protect people and informa- tion; set the rules for expected behavior by users, system administrators, management, and security personnel; ttze security personnel to monitor, probe, and investigate; define and authorize the consequences of violation; define the company consensus baseline stance on security; help minimize risk; and help track compliance with regulations and legislation.
SANS Policy Primer
www.sans.org/resources/policies/Policy_Primer.pdf
This short w on developing and writing security policies was taken from Michele D. Guel’s full day tutorial titled “Security Governance – A Strong Foundation for a Secure Enterprise.
RUsecure Information Security Policies
www.information-security-policies.com/
A commercial Policy creation program
Technical Writing for IT Security Policies in Five Easy Steps
www.sans.org/reading_room/whitepapers/policyissues/492.php ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■
As management requires more policies, staff comfort levels drop. As policy writers include complex, confusing, and incomprehensible language, staff comfort levels con- tinue to drop. Therefore, IT Security policy writers need a writing resource, not just a policy resource. This paper points new policy technical writers in the right direction and provides a solid foundation from which to start. Follow these five easy steps when writing IT Security policies. Your management and employees will thank you. Security Policy Roadmap - Process for Creating Security Policies
www.sans.org/reading_room/whitepapers/policyissues/494.php
Information is an important business asset and is valuable to an organization. Thus, it needs to be protected to ensure its confidentiality, integrity and availability. The very first thing in information security is to set up policies and procedures on how to protect information. This paper presents a systematic approach in developing computer security policies and procedures. All the processes in the Policy Life Cycle will be discussed. In particular, it will list all the issues and factors that must be considered when setting up the policies. It makes some recommendations and suggestions on relevant areas and produces a framework for setting security policies and procedures SANS Score - Security Consensus Operational Readiness Evaluation
www.sans.org/score/
SCORE is a cooperative effort between SANS/GIAC and the Center for Internet Security(CIS). SCORE is a community of security professionals from a wide range of organizations and backgrounds working to develop consensus regarding minimum standards and best practice information, essentially acting as the research engine for CIS. After consensus is reached and best practice recommendations are validated, they may be formalized by CIS as best practice and minimum standards benchmarks for general use by industry at large.
SCORE Objectives:
Promote, develop and publish security checklists.
Build these checklists via consensus, and through open discussion through SCORE mailing lists.
Use existing references, recruit GIAC-certified professionals, and enlist subject matter experts, where and when possible.
These are but a few of the many places where information and frameworks are available that can be used in the creation of an information security policy program.
■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■
Summary
The security manager must seek first to understand when creating policy. Understand how the stakeholders would view the policy; understand the tradeoffs; understand the impact on people under the scope of the policy and avoid “policy tax”, if at all possible; and, finally, understand what is going on in the reader’s mind when they read the policy, how do they perceive it? Better policy is worth the effort - people cannot follow a policy if they cannot understand what it says.
Security policy needs to fulfill several purposes. It needs to: Protect people and information;
Set the rules for expected behavior by employees and other users, system administrators, management, and security personnel;
Provides authorization that enables security personnel to monitor, probe, and investigate incidents;
Defines and authorizes actions associated with the consequences of a violation;
Defines the organizational consensus baseline stance on security and helps make staff aware of the views of the organization and senior management; and
Aids in creating an environment that minimizes risk; and
Aids in remaining compliant to the regulations and legislation that applies to the organization. ■ ■ ■ ■ ■ ■ ■
149