Last Update Status: Updated February 2017
This policy is concerned with the management and security of The Mission’s information assets (an information asset is defined to be an item or body of information, an information storage system or an information processing system which is of value to The Mission) and the use made of these assets by its staff and others who may legitimately process The Mission information on behalf of The Mission.
An effective Information Security Policy provides a sound basis for defining and regulating the management of information systems and other information assets. This is necessary to ensure that information is appropriately secured against the adverse effects of failures in confidentiality, integrity, availability and compliance which would otherwise occur.
The Information Security Policy applies to all information assets which are owned by The Mission, or used by it for business purposes, or which are connected to any networks managed by The Mission. The guidelines in the Information Security Policy apply to all information which The Mission processes, irrespective of ownership or form. This Information Security Policy applies to all members of The Mission and any others who may process information on behalf of The Mission.
Information Security Principles
The Mission has adopted the following principles, which continue to underpin this policy:
- Information will be protected in line with all relevant The Mission policies and legislation, notably those relating to data compliance.
- Each information asset will have a nominated owner who will be assigned responsibility for defining the appropriate uses of the asset and ensuring that appropriate security measures are in place to protect the asset.
- Information will be made available solely to those who have a legitimate need for access.
- All information will be classified according to an appropriate level of security.
- The integrity of information will be maintained.
- It is the responsibility of all individuals who have been granted access to information to handle it appropriately in accordance with its classification.
- Information will be protected against unauthorised access.
- Compliance with the Information Security policy will be enforced.
This policy document has been approved by The Mission Board. Substantive changes may only be made with the further approval of the Board and will be reviewed annually.
Acceptable Use Policy
Internet/Intranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of The Mission. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations. Effective security is a team effort involving the participation and support of every The Mission employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.
This policy applies to the use of information, electronic and computing devices, and network resources to conduct The Mission business or interact with internal networks and business systems, whether owned or leased by The Mission, the employee, or a third party. Employees, contractors, consultants, temporary, and other workers at The Mission and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with The Mission policies and standards, and local laws and regulation. This policy applies to all equipment that is owned or leased by The Mission.
General Use and Ownership
- The Mission proprietary information stored on electronic and computing devices whether owned or leased by The Mission, the employee or a third party, remains the sole property of The Mission. You must ensure through legal or technical means that proprietary information is protected in accordance with the Data Protection Standard.
- You have a responsibility to promptly report the theft, loss or unauthorized disclosure of The Mission proprietary information.
- You may access, use or share The Mission proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties.
- Employees are responsible for exercising good judgment regarding the reasonableness of personal use and if there is any uncertainty, employees should consult their manager.
- For security and network maintenance purposes, authorized individuals within The Mission may monitor equipment, systems and network traffic at any time.
- The Mission reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
All mobile and computing devices that connect to the internal network must comply with all relevant policies, including the Access Control Policy and the Logical Access Management Policy.
- System level and user level passwords must comply with the Password Policy. Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.
- All computing devices must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes. You must lock the screen or log off when the device is unattended.
- Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware.
Under no circumstances is an employee of The Mission authorized to engage in any activity that is illegal under local or international law while utilizing The Mission-owned equipment or resources. The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
- Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by The Mission.
- Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which The Mission or the end user does not have an active license is strictly prohibited.
- Accessing data, a server or an account for any purpose other than The Mission business, even if you have authorized access, is prohibited.
- Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, etc.).
- Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
- Using a The Mission computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws.
- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties.
- Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
- Circumventing user authentication or security of any host, network or account.
- Providing information about, or lists of, The Mission employees to parties outside The Mission.
Email and Communication Activities
When using company resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that "the opinions expressed are my own and not necessarily those of the company".
- Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
- Any form of harassment via email, telephone or messaging, whether through language, frequency, or size of messages.
- Unauthorized use, or forging, of email header information.
- Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
Blogging and Social Media
- Blogging by employees, whether using The Mission’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Policy. Limited and occasional use of The Mission systems to engage in blogging is acceptable, provided that it is done in a professional and responsible manner, does not otherwise violate The Mission policy, is not detrimental to The Mission best interests, and does not interfere with an employee's regular work duties.
- Employees shall not engage in any blogging that may harm or tarnish the image, reputation and/or goodwill of The Mission and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments.
- Employees may also not attribute personal statements, opinions or beliefs to The Mission when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of The Mission. Employees assume any and all risk associated with blogging.
Access Control Policy
This User Management Policy sets out the requirements for the effective management of user accounts and access rights. This management is essential in order to ensure that access to The Mission’s information and information systems is restricted to authorised users.
All information systems used to conduct The Mission’s business, or which are connected to The Mission’s network must be managed in accordance with this policy.
User accounts will only be provided for:
- Current staff of The Mission Limited.
- Guests of The Mission Limited who may be granted temporary access to The Mission’s network.
- Visitors to The Mission who may be granted temporary access to The Mission’s network.
Authorisation to manage
The management of user accounts and privileges on The Mission information systems is restricted to authorised members of staff.
Account and privilege management
- Accounts will only be issued to those who are eligible for an account and whose identity has been verified.
- When an account is created, a unique identifier (userID) will be assigned to the individual user for his or her individual use. This userID may not be assigned to any other person at any time (userIDs will not be recycled).
- On issue of account credentials, users must be informed of the requirement to comply with The Mission’s Information Security policy.
- Access rights granted to users will be restricted to the minimum required in order for them to fulfil their roles.
- Procedures shall be established for all information systems to ensure that users’ access rights are adjusted appropriately and in a timely manner to reflect any changes in a user’s circumstances (e.g. when a member of staff changes their role or a member of staff leaves The Mission).
- Privileged accounts are accounts used for the administration of information systems and are distinct from user accounts. These accounts must only be used by system administrators when undertaking specific tasks which require special privileges. System administrators must use their user account at all other times.
- Passwords for new staff will be set upon starting employment at The Mission.
Exceptionally, the new member may be informed of an initial, temporary password, which must be communicated in a secure way and must be changed by the new member immediately. This change should be enforced automatically wherever possible.
Logical Access Management Policy
Access to The Mission information systems and data is controlled by the implementation of an appropriate access control policy to manage accounts and define the processes of authentication, authorization, administration, and termination of access rights. The purpose of this policy is to establish the requirements for managing access and all accounts for any information system, application, or data supported by The Mission.
Authority, Responsibility and Duties
The Information Security Management roles and responsibilities are assigned to individuals, and may differ from the actual role title or working title of the individual’s position. Individuals may be assigned multiple roles, as long as the multiple role assignments provide adequate separation of duties, provide adequate protection against the possibility of fraud, and do not lead to a conflict of interests.
The IT Manager is responsible for the following relative to the systems he/she administers:
- Using an administrative account only when performing system administration and a separate user level account for other non-system related tasks.
- Cooperating with authorized management investigating security incidents.
- Establishing the roles and access levels for the system based on the principle of “least privilege”.
- Approving all access requests from top level management to the system.
The Systems Administrator is responsible for the following relative to the accounts and access he/she administers:
- Setting up only authorized accounts with the approval of the system owner.
- Disabling accounts of users who change roles within The Mission or are separated from their relationship with The Mission.
- Modifying user accounts to accommodate situations such as name changes or access privileges.
- Reviewing existing accounts periodically for validity (at least annually) and obtaining departmental approval/sign-off.
Human Resources is responsible for:
- Providing timely information regarding new employees and termination or modification of employment status to managers and system administrators.
- Providing a list of terminated employees for the purpose of auditing system accounts upon request.
All users of Electronic Resources and Systems
All users of electronic resources and systems are accountable for any activity on the system performed with the use of their account.
- This Logical Access Control policy applies to all information systems, applications, and data housed within or supported by The Mission and to all individuals who have access to those systems, applications or data, including employees.
- This policy applies whether access is to the Local Area Network, Wireless “Wi-Fi” Network, and/or Virtual Private Network.
- It is the policy of The Mission that all user accounts and access to systems will be managed and controlled according to the requirements identified in the following sections.
- If a The Mission system is classified as sensitive, the use of guest accounts is prohibited.
- The use of shared accounts on all The Mission systems is prohibited. Systems residing on the guest network are exempt from this requirement.
- If a The Mission system is classified as sensitive, requests for and approvals of emergency or temporary access are required such that:
  - The access is documented according to standard practice and maintained on file;
  - Access attributes for the emergency account are included in the documentation;
- All accounts must be uniquely identifiable using the assigned user name.
- All accounts must be set up to require the user to reset the password on the first use.
- Access to IT systems and data is to be based on the principle of least privilege.
- All passwords must meet the requirements of The Mission’s Password Policy.
- All accounts must have a password expiration that complies with The Mission’s Password Policy.
- All account users’ identities must be verified using information already on file before resetting a user’s password.
- The use of guest or shared accounts on sensitive systems is prohibited (the only exception is for encrypted Mac laptops, as this is not possible with FileVault).
- All account access levels must be associated with group membership and must be a member of at least one user group.
- Displaying of the user’s last login name on the logon screen is prohibited.
- Local Administrator, or the equivalent on IT systems, is restricted to authorized IT staff and business-specific staff.
- System Administrators are required to have both an individual administrative account and at least one user account, and must use their administrative accounts only when performing tasks that require administrative privileges.
Authentication is the process of ensuring that the individual is who he/she claims to be. Proper identification is required, and must be reviewed and accepted by an appropriate authority before an individual may receive an account for access to any The Mission system. Acceptable forms of identification include a driver’s license or passport.
Authorization is the process of providing permission to perform specific functions with respect to the use of servers, application systems, or accessing data. Each authorization action must be documented according to this policy, and such documentation must be retained for a minimum of three years beyond the termination of that authorization.
- An IT Access Request Form must be completed with the user’s name, department, job title and email, the system name(s), and role of the user.
- An IT Access Request Form must be signed by the user, the user’s manager, and the system owner.
- The Information Security Policy must be signed by the user.
Administration and Termination of Accounts and Access
Every change in the employment status of members of the workforce must be reported immediately by the employing manager to the IT Manager and Human Resources.
- Upon notification, the Systems Administrator shall disable user accounts for terminated or separated employees, effective on the last day of work at The Mission.
- Managers/HR must submit an IT Access Modification Form. Upon receipt, the Systems Administrator shall modify the account access as designated by the manager to maintain the principle of least privilege.
- Accounts must be deactivated upon termination. They must be retained on the system but in disabled state with no access to systems or data.
Password Protection Policy
Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of The Mission’s resources. All users, including contractors and vendors with access to The Mission systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
- All user-level and system-level passwords must conform to the Password Construction Guidelines.
- Users must not use the same password for The Mission Ltd accounts as for other non-The Mission Ltd access (for example, personal mail accounts, etc.).
- Where possible, users must not use the same password for various The Mission Ltd access needs.
- User accounts that have system-level privileges granted through group memberships or programs such as sudo must have a unique password from all other accounts held by that user to access system-level privileges.
- All system-level passwords (for example, root, enable, admin, application administration accounts, and so on) must be changed on at least a yearly basis.
- All user-level passwords (for example, email, web, desktop computer, and so on) must be changed at least every six months. The recommended change interval is every four months.
- Passwords must not be shared with anyone. All passwords are to be treated as sensitive, Confidential The Mission information.
- Passwords must not be inserted into email messages, or other forms of electronic communication.
- Passwords must not be revealed over the phone to anyone.
- Do not reveal a password on questionnaires or security forms.
- Do not hint at the format of a password (for example, "my family name").
- Do not share The Mission passwords with anyone, including administrative assistants, managers, colleagues while on holiday, and family members.
- Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on a computer system or mobile devices (phone, tablet) without encryption.
- Do not use the "Remember Password" feature of applications (for example, web browsers).
- Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.
- Application developers must ensure that their programs contain the following security precautions:
  - Applications must support authentication of individual users, not groups.
  - Applications must not store passwords in clear text or in any easily reversible form.
  - Applications must not transmit passwords in clear text over the network.
  - Applications must provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
Password Construction Guidelines
Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may result in the compromise of individual systems, data, or the network. This guideline provides best practices for creating secure passwords.
The purpose of these guidelines is to provide best practices for the creation of strong passwords. These guidelines apply to employees, contractors, consultants, temporary and other workers at The Mission, including all personnel affiliated with third parties. These guidelines apply to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection and local router logins.
All passwords should meet or exceed the following guidelines. Strong passwords have the following
- Must not contain the user’s account name, or parts of the user’s full name.
- Contain at least 8 alphanumeric characters.
- Contain both upper and lower case letters.
- Contain at least one number (for example, 0-9).
- Contain at least one special character.
Poor, or weak, passwords have the following characteristics:
- Contain fewer than eight characters.
- Can be found in a dictionary, including foreign language, or exist in a language slang, dialect, or jargon.
Workstation Security Protection Policy
The purpose of this policy is to provide guidance for workstation security for The Mission workstations in order to ensure the security of information on the workstation and information the workstation may have access to.
This policy applies to all The Mission employees, contractors, workforce members, vendors and agents with a The Mission-owned or personal workstation connected to The Mission network.
Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information and that access to sensitive information is restricted to authorized users.
- Workforce members using workstations shall consider the sensitivity of the information that may be accessed and minimize the possibility of unauthorized access.
- The Mission will implement physical and technical safeguards for all workstations that access electronic protected information to restrict access to authorized users.
Appropriate measures include:
- Restricting physical access to workstations to only authorized personnel.
- Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access.
- The password must comply with The Mission’s Password guidelines.
- Ensuring workstations are used for authorized business purposes only.
- Never installing unauthorized software on workstations.
- Storing all sensitive information on encrypted network servers.
- Keeping food and drink away from workstations in order to avoid accidental spills.
- Installing privacy screen filters or using other physical barriers to alleviate exposing data.
- Ensuring workstations are left on but logged off in order to facilitate after-hours updates.
Software Installation Policy
The purpose of this policy is to outline the requirements around the installation of software on The Mission’s computing devices, in order to minimize the risk of loss of program functionality, the exposure of sensitive information contained within The Mission’s computing network, the risk of introducing malware, and the legal exposure of running unlicensed software.
This policy applies to all The Mission employees, contractors, vendors and agents with The Mission-owned mobile devices. This policy covers all computers, servers, smartphones, tablets and other computing devices operating within The Mission.
- Employees may not install software on The Mission computing devices operated within The Mission Limited network.
- Software requests must first be approved by the requester’s manager and then be made to the Information Technology department in writing or via email.
- Software must be selected from an approved software list, unless no selection on the list meets the requester’s need.
- The Information Technology Department will obtain and track the licenses, test new software for conflict and compatibility, and perform the installation.
Information Logging Policy
Logging from critical systems, applications and services can provide key information and potential indicators of compromise. Although logging information may not be viewed on a daily basis, it is critical to have from a forensics standpoint.
All systems that handle confidential information, accept network connections, or make access control (authentication and authorization) decisions shall record and retain audit-logging information sufficient to answer the following questions:
- What activity was performed?
- Who or what performed the activity, including where or on what system the activity was performed from?
- What was the activity performed on (object)?
- When was the activity performed?
- What tool(s) was the activity performed with?
- What was the status (such as success vs. failure), outcome, or result of the activity?
Activities to be Logged
Therefore, logs shall be created whenever any of the following activities are requested to be performed by the system:
- Create, read, update, or delete confidential information, including confidential authentication information such as passwords.
- Initiate a network connection.
- Accept a network connection.
- User authentication and authorization for activities covered in #1 or #2 such as user login and logout.
- Grant, modify, or revoke access rights, including adding a new user or group, changing user privilege levels, changing file permissions, changing database object permissions, changing firewall rules, and user password changes.
- Application process startup, shutdown, or restart.
- Application process abort, failure, or abnormal end, especially due to resource exhaustion or reaching a resource limit or threshold (such as for CPU, memory, network connections, network bandwidth, disk space, or other resources), the failure of network services such as DHCP or DNS, or hardware fault; and
- Detection of suspicious/malicious activity such as from an Intrusion Detection or Prevention System (IDS/IPS), anti-virus system, or anti-spyware system.
Elements of the Log
Such logs shall identify or contain at least the following elements, directly or indirectly.
- Type of action – examples include authorize, create, read, update, delete, and accept network connection.
- Subsystem performing the action – examples include process or transaction name, process or transaction identifier.
- Identifiers (as many as available) for the subject requesting the action – examples include user name, computer name, IP address, and MAC address. Note that such identifiers should be standardized in order to facilitate log correlation.
- Identifiers (as many as available) for the object the action was performed on – examples include file names accessed, unique identifiers of records accessed in a database, query parameters used to determine records accessed in a database, computer name, IP address, and MAC address. Note that such identifiers should be standardized in order to facilitate log correlation.
- Before and after values when action involves updating a data element, if feasible.
- Date and time the action was performed, including relevant time-zone information.
- Whether the action was allowed or denied by access-control mechanisms.
Formatting and Storage
Mechanisms known to support these goals include but are not limited to the following:
- Microsoft Windows Event Logs collected by a centralized log management system.
- Logs in a well-documented format sent via syslog, Spiceworks to a centralized log management system.
Remote Access Policy
The purpose of this policy is to define standards for connecting to The Mission network from any host. These standards are designed to minimize the potential exposure to The Mission from damages which may result from unauthorized use of The Mission resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical The Mission internal systems, etc.
This policy applies to all The Mission employees, contractors, vendors and agents with a The Mission-owned or personally-owned computer or workstation used to connect to The Mission network. This policy applies to remote access connections used to do work on behalf of The Mission, including reading or sending email and viewing intranet web resources. Remote access implementations that are covered by this policy include, but are not limited to DSL,
It is the responsibility of The Mission employees, contractors, vendors and agents with remote access privileges to The Mission corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to The Mission. General access to the Internet for recreational use by immediate household members through The Mission Network on personal computers is permitted. The Mission employee is responsible to ensure the family member does not violate any The Mission policies, does not perform illegal activities, and does not use the access for outside business interests. The Mission employee bears responsibility for the consequences should the access be misused.
- Secure remote access must be strictly controlled. Control will be enforced via SonicWall SRA 4200 VPN hardware using Active Directory credentials.
- At no time should any The Mission employee provide their login or email password to anyone, not even family members.
- The Mission employees and contractors with remote access privileges must ensure that their The Mission-owned or personal computer or workstation, which is remotely connected to The Mission corporate network, is not connected to any other network at the same time.
- The Mission employees and contractors with remote access privileges to The Mission corporate network must not use non-The Mission email accounts (e.g., Hotmail, Yahoo, AOL), or other external resources to conduct The Mission business, thereby ensuring that official business is never confused with personal business.
- Non-standard hardware configurations must be approved by Information Security configurations for access to hardware.
- All hosts that are connected to The Mission internal networks via remote access technologies must use the most up-to-date anti-virus software.
- The Information Security team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, business tool reports, internal and external audits, and feedback to the policy owner.
- Any exception to the policy must be approved by the Board in advance.
- An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.