...

The organization’s CEO will be responsible for the planned review, conducting an in-briefing and an exit-briefing with the security verification audit team.  He will also be responsible for conducting organization team meetings as required, making decisions about what recommendations are appropriate for the IT system and preparation of the draft and final “IT Security Verification Audit Report.”
MALICIOUS SOFTWARE

A.    Purpose

...

  • Establish controls for local area networks that prevent anyone except the system administrator or other authorized staff from loading software on file servers.  Ensure that operating system files and other executable files are read-only. 
  • If possible, disable the network mail facility from transferring executable files.  This will help prevent network worm programs from spreading through the network. Insiders most often introduce Trojan horses and other similar malicious software programs and it is not unusual for larger systems to be the target. The best protection against attacks of this type is to establish good management procedures.  Effective controls include separation of duties, limiting individual access and allowed actions to what is needed and no more, formal change control and configuration management procedures, separation and testing of development versus production software and control over installation of new software versions.  Frequent backups of the system and data will allow recovery should an incident occur.
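The "executable files are read-only" control above can be checked mechanically. The following script is an added example, not part of the policy document, and assumes only a POSIX find(1); it lists executables under a directory that are writable by group or others and counts them, with a constructed temporary tree for demonstration.

```shell
#!/bin/sh
# Added example, not part of the policy text.
# Finds executable regular files under DIR that are writable by group or
# others, i.e. files that violate the "executables are read-only" control.
find_writable_executables() {
    dir="$1"
    find "$dir" -type f \
        \( -perm -0002 -o -perm -0020 \) \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print | sort
}

# Prints the number of offending files; 0 means the control holds for DIR.
count_writable_executables() {
    find_writable_executables "$1" | wc -l | tr -d ' '
}

# Self-contained demonstration on a constructed temporary tree:
# one correctly protected executable and one world-writable one.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf '#!/bin/sh\necho ok\n' > "$tmp/bin/good"
    printf '#!/bin/sh\necho ok\n' > "$tmp/bin/bad"
    chmod 0755 "$tmp/bin/good"   # read-only for everyone except the owner
    chmod 0777 "$tmp/bin/bad"    # world-writable: violates the control
    count_writable_executables "$tmp"
    rm -rf "$tmp"
}
```

Run `find_writable_executables /usr/bin` (or any file-server software directory) as part of a periodic review; any output is a finding to correct with chmod and to investigate as a possible unauthorized change.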

...

H.    Authorized Software

It is imperative that machine-readable software and data files be obtained from reliable sources. Viruses are often spread through free or shared programs, games, demonstration programs, and programs downloaded from bulletin boards.  Employees must not use privately owned software or take software from their office without management approval.  A violation will result in disciplinary action up to and including termination.  Commercial software must be obtained through appropriate channels.  In-house developed software must be done in accordance with established procedures and have prior management approval.

...

Log files should be reviewed periodically to detect unusual activity.  Terminals, workstations and networked PCs should never be left unattended when logged in. 

Malicious Software Indicators

If the organization’s IT system seems to be acting differently than usual, a malicious software incident may have occurred.  Below are a few signs that may indicate that a system has been infected.

...

(If a system demonstrates any of the above, it could indicate that malicious software is present.)

H.    Elimination, Recovery and Reporting

If there is suspicion that a virus or other malicious software program has attacked the IT system or network, do not attempt to fix the problems, but immediately report it to a manager.  The appropriate action to control the damage will be determined and a written report of the incident will be made.  It is important that the particular virus or other malicious software program, source, and potential for proliferation be identified and controlled.

...

  • Impact on operations;
  • Severity, including hours devoted to recovery and any additional costs incurred;
  • Proliferation, number of machines or media infected;
  • Action taken - how malicious software was cleared, who was notified, including outside organizations, and what steps were taken to identify the source;

I.      Computer and E-mail Usage

Computers, computer files, the e-mail system, fax and software furnished to employees are [ENTER ORGANIZATION’S NAME HERE] property intended for business use. Employees should not use a password, access a file, or retrieve any stored communication without authorization. To ensure compliance with this policy, computer and e-mail usage may be monitored. 

[ENTER ORGANIZATION’S NAME HERE] strives to maintain a workplace free of harassment and sensitive to the diversity of its employees. Therefore, [ENTER ORGANIZATION’S NAME HERE] prohibits the use of computers and the e-mail system in ways that are disruptive, offensive to others, or harmful to morale.  For example, the display or transmission of sexually explicit images, messages, and cartoons is not allowed. Other such misuse includes, but is not limited to, ethnic slurs, racial comments, off-color jokes, or anything that may be construed as harassment or showing disrespect for others.

E-mail may not be used to solicit others for commercial ventures, religious or political causes, outside organizations, or other non-business matters.
[ENTER ORGANIZATION’S NAME HERE] purchases and licenses the use of various computer software for business purposes and does not own the copyright to this software or its related documentation. Unless authorized by the software developer, [ENTER ORGANIZATION’S NAME HERE] does not have the right to reproduce such software for use on more than one computer.
Employees may only use software on local area networks or on multiple machines according to the software license agreement. [ENTER ORGANIZATION’S NAME HERE] prohibits the illegal duplication of software and its related documentation. 

Employees should notify their immediate supervisor, the Department Manager or any member of management upon learning of violations of this policy. Employees who violate this policy will be subject to disciplinary action, up to and including termination of employment.
J.      Internet Usage

...
Internet access to global electronic information resources on the World Wide Web is provided by [ENTER ORGANIZATION’S NAME HERE] to assist employees in obtaining work-related data and technology. The following guidelines have been established to help ensure responsible and productive Internet usage. 

All Internet data that is composed, transmitted, or received via our computer communications systems is considered to be part of the official records of [ENTER ORGANIZATION’S NAME HERE] and, as such, is subject to disclosure to law enforcement or other third parties. Consequently, employees should always ensure that the business information contained in Internet e-mail messages and other transmissions is accurate, appropriate, ethical, and lawful.
The equipment, services, and technology provided to access the Internet remain at all times the property of [ENTER ORGANIZATION’S NAME HERE]. As such, [ENTER ORGANIZATION’S NAME HERE] reserves the right to monitor Internet traffic, and retrieve and read any data composed, sent, or received through our online connections and stored in our computer systems. 

Employees who violate this policy will be subject to disciplinary action, up to and including termination.

...