<Insert Company Name>
Information Security Policy Framework Document
eSentire has created this document to help firms better describe their security posture for personnel, potential investors, and regulators. This document is released under a Creative Commons license (Creative Commons Attribution Non-Commercial (by-nc)), permitting extremely broad, non-commercial use of the source material as long as the source material is attributed to eSentire.

This document is updated regularly. Please visit to download updated versions as they become available.

Table of Contents

Overview and Purpose

Primary Information Security Objectives

Document Objectives

Risk Exposure

Enforcement

Information Security Sub-Policies

Acceptable Use Policy

Account/Credentials Management Policy

Anti-Virus and Anti-Malware Policy

Clean Desk Policy

Cloud Services Policy

Data Classification and User Access Rights Policy

Electronic Equipment, Data and Media Destruction Policy

Email Policy

Encryption Policy

Incident Response/Security Event Management Policy

Instant Messaging Policy

Monitoring Policy

Network Access Policy

Password Usage Policy

Patch Management/System Update Policy

Personal/Mobile Devices Policy

Personally-Identifiable and/or Sensitive Information Policy

Personnel Security Training Policy

Physical Security Policy

Remote Access/Virtual Private Network Policy

Removable Media Policy

Reporting Security Violations Policy

Social Media/Networking Policy and Procedures

Software Usage and Licensing Policy

Vendor Access Policy

Visitor Access Policy

Wireless Network (Wi-Fi) Communications Policy

About eSentire®

Questions and Comments

Creative Commons Attribution 4.0 International Public License

Overview and Purpose

This Information Security Policy Framework document encompasses a baseline framework of Information Security Policies to provide personnel (a definition including all employees, temporary staff, consultants, contractors and third party vendors) guidance regarding operational aspects of Information Technology, especially regarding the confidentiality, availability, and integrity of corporate assets, systems, data, and information within the firm.

All information systems (and the data hosted within) will be protected from unauthorized use, disclosure, modification, destruction, or misrepresentation. To this purpose, appropriate information security controls (including technical means, processes, standards, and practices) are implemented to ensure that the data is not compromised and the firm’s reputation is neither tarnished nor misrepresented.

Primary Information Security Objectives

The primary information security objectives within the firm are as follows:

»Ensure all personnel have authorized and appropriate access to the firm’s information and assets.

»Ensure personnel understand their responsibilities and duties regarding information security.

»Ensure that appropriate security controls are implemented and effective.

»Ensure compliance with the established security policies.

»Ensure all deviations from security policy (including but especially unauthorized access attempts) are monitored, documented, reported, and escalated as appropriate.

Document Objectives

The objectives of this document are as follows:

»Document the current status of the firm’s security stance.

»Provide a framework for any new or modified security policies as required.

»Document, track, monitor, and review information security incidents and/or breaches.

»Document access requirements to the organization (including third-party access).

This document should be sufficiently detailed so that it can satisfy multiple general purposes, including:

»Provide security guidance to personnel.

»Detail security stance to investors as part of a Due Diligence Questionnaire.

»Detail security stance to regulators to fulfill the requirements of an Audit.

Risk Exposure

Inappropriate use of computer systems exposes the firm to risks including malware attacks, data extrusion/theft and misuse, compromise of network infrastructure and services, damage to reputation, loss of service availability, and legal liability. In addition, the firm may be held accountable by a regulator or a client for illegal or inappropriate behavior of users accessing the Internet through its facilities.

Data collected by the firm should never be mailed to unauthorized recipients or stored on unauthorized media. Accidental leakage must be reported to the Office of the CTO immediately.

Personnel must report to the Office of the CTO immediately if they suspect that their computer has been compromised through any vector (including malware or social engineering).

Hard copies of confidential documents should be kept in a locked, secure place while in the office. Personnel are forbidden from removing paper documents (especially materials deemed Confidential) from the office without prior approval.

Enforcement

Any personnel found to have violated the policies (and sub-policies) listed within this document may be subject to disciplinary action, up to and including termination of employment or contract and legal proceedings following such termination.

Information Security Sub-Policies

This Information Security Framework document consists of sub-policies created to detail the firm’s Information Security practices (as has been deemed appropriate to the culture of the firm). It is critical that all personnel both interpret and follow these sub-policies in a consistent manner.

»Acceptable Use Policy

»Account/Credentials Management Policy

»Anti-Virus and Anti-Malware Policy

»Clean Desk Policy

»Cloud Services Policy

»Data Classification and User Access Rights Policy

»Electronic Equipment, Data and Media Destruction Policy

»Email Policy

»Encryption Policy

»Incident Response/Security Event Management Policy

»Instant Messaging Policy

»Monitoring Policy

»Network Access Policy

»Password Usage Policy

»Patch Management/System Update Policy

»Personal/Mobile Devices Policy

»Personally-Identifiable and/or Sensitive Information Policy

»Personnel Security Training Policy

»Physical Security Policy

»Remote Access/Virtual Private Network Policy

»Removable Media Policy

»Reporting Security Violations Policy

»Social Media/Networking Policy

»Software Usage and Licensing Policy

»Vendor Access Policy

»Visitor Access Policy

»Wireless Network (Wi-Fi) Communications Policy

Acceptable Use Policy

The primary purpose of firm information assets (including but not limited to computer systems, software, storage media, communications systems and accounts providing email and Internet access) is to support the ongoing operation of the firm. Under no circumstances are personnel authorized or permitted to engage in any activity considered illegal (under local, state, federal, or international law) while using firm information assets.

Personnel must adhere to all practices stipulated in the Employee Handbook and the formal Acceptable Use Policy in order to keep the firm shielded from risks including malware, compromise of systems and services, and legal issues.

Account/Credentials Management Policy

Accounts give personnel access to systems and data otherwise not available. There are different categories of accounts, including “regular” user accounts, administration accounts, and service accounts. Each category will have specific requirements regarding usage. However, for each of these types of users, it is critical that account management (establishment, suspension, termination, and removal of user accounts) be carefully monitored and documented. Each account must be assigned the minimum required privilege level for business operation. If unauthorized access is detected, it must be investigated.

Anti-Virus and Anti-Malware Policy

All systems, where possible (including servers, workstations, laptops and tablets), whether connected to the network or standalone, must only use firm-approved anti-virus and anti-malware software. The anti-virus and anti-malware software standardized within the firm are: [insert anti-virus/anti-malware/endpoint software here].

Anti-virus updates are to be pushed automatically to all non-server systems (including workstations, tablets, and laptops). A manual check may be performed regularly. If malicious code is detected, it must be reported to the Office of the CTO as soon as possible so that further investigation may be performed (if deemed necessary) as part of the Security Event/Incident Management program.

Anti-virus updates to servers are to be pushed manually on a defined regular basis [insert frequency here].

Clean Desk Policy

The firm requires all employees to maintain a clean desk environment. This policy is intended to minimize inappropriate access to sensitive data (including personally-identifiable information). At the end of each business day, employees must securely store all sensitive or critical information (including PII and confidential information) in hardcopy form in a locked file cabinet.

Cloud Services Policy

In order to maintain rigor regarding data privacy and access standards within the firm, cloud services (including online backup) may only be used with explicit written permission from the Office of the CTO. Cloud services permitted within the organization are: [insert cloud service providers here]. Additional security controls may be required when using these services (including additional encryption and/or tokenization methods). As well, information classified as critical or confidential (especially PII) must not be stored within Cloud Services.

Data Classification and User Access Rights Policy

All data used within the firm will be classified according to the following template:

»Data Source
»Description
»Classification [Critical | Confidential | Proprietary | Public]
»Encryption
»Data Residence
  »Server
  »Domicile/Location
»Data Flow
  »From
  »To
»Personnel with Read Access
»Personnel with Modify Access
»Data Loss/Logging
  »Loss Mitigation Methods
  »Audit/Logging Methods

The data classifications are defined as follows:

Critical

»Data of a highly sensitive nature, where its loss, destruction, or disclosure would severely impact the firm’s operation due to a violation of federal or state law, a violation of contract, or a violation of privacy. This would include personally-identifiable information (PII).

Confidential

»Data of a sensitive nature, where its loss, destruction, or disclosure would impact the firm’s operation through a loss of reputation/credibility.

Proprietary/Internal Use

»Data of a sensitive nature, where its loss, destruction or disclosure would result in minimal impact to the firm, but which is not intended for public consumption.

Public

»Data generally available to the public, where its loss would not impact the firm.

Personnel, according to their position and need, will require access to various data sources. It is critical that users understand, according to the classification of the data they are granted access to, the serious nature of that data and its impact on the firm should loss, destruction, or disclosure occur.

When personnel leave the firm, an exit checklist is followed to ensure that data access has been fully revoked.

Electronic Equipment, Data and Media Destruction Policy

At all equipment’s end-of-life, sensitive data must be properly erased, destroyed, or otherwise made unreadable. This is to ensure that all appropriate legal measures are taken (to comply with software license agreements and non-disclosure agreements, and to keep critical and/or confidential information (including personally-identifiable information) safeguarded). Repurposed equipment must have hard drives removed and destroyed before reuse. Physical media disposal performed by an external party must have appropriate attestation subject to audit.

Email Policy

Personnel are granted access as deemed appropriate to the firm’s email systems. Email communications written or stored using the firm’s resources (including those of a personal nature) are deemed to be company property. Personnel acknowledge that the firm and its authorized agents have the right to access, obtain, and review all emails, including personal emails that users send or receive through the firm’s electronic resources. Personnel expressly consent to such monitoring and review of all emails by the firm and/or its authorized agents.

Personnel must not access email accounts or messages to which they do not have explicit permission and must not “forge” spoofed email messages that may look as though they were sent from another user.

All emails and associated attachments sent from, received by, or processed on the firm’s email systems will be retained in a searchable archive for [insert number of years here] and may be subject to inspection by regulatory bodies or law enforcement. This archive will include email messages deleted from user mailboxes.

Inbound email is generally acknowledged to be the largest inbound vector for malicious content. An upstream anti-spam service is in place so that the majority of phishing attempts are caught before they have a chance to reach the internal network. Through the upstream anti-spam service and other technical methods, the firm reserves the right to block certain email messages and attachments to protect the firm’s infrastructure from malicious attack attempts.

Users should not open attachments, click links, execute macros, or download files from unknown or suspicious sources. Users should be kept aware of general indicators of malicious content. When inbound email has attachments, personnel should verify that:

»It comes from an individual that appears legitimate.

»The format, content, and naming are as expected.

»It does not look odd, with unusual spelling or characters.

»Attachments pass an anti-virus scan.

»Hyperlinks pass a “hover” test (where the cursor hovers over the link to show the actual URL).

Personnel are strictly prohibited from using personal email services (such as Gmail, Yahoo, and Hotmail) for any business purpose. All personnel also should be aware that in the past both regulatory and law enforcement agencies have subpoenaed individuals’ personal email correspondence. Personnel may make reasonable personal use of their business email account so long as it does not interfere with the firm’s business activities or involve a meaningful amount of time or the firm's resources.

Encryption Policy

Encryption technology is used within the firm to keep data secure both in motion (transmission security) and at rest. As appropriate to the data and access being protected, strong encryption technology must be used on all laptops, portable computing devices and removable media.

The email servers are configured to use TLS (Transport Layer Security) to provide a transparent encryption process when email is exchanged between servers configured appropriately. Internet-facing systems that require credentials for access are configured to use HTTPS. Where possible and appropriate (as per legislation and regulation), HTTPS (supported by strong encryption ciphersuites) must be used when accessing critical or sensitive data. One excellent resource regarding optimal web server encryption is:

Incident Response/Security Event Management Policy

The firm’s Incident Response/Security Event Management Policy is established to better co-ordinate a repeatable response to information security events. This includes phases of discovery/detection, initiation, escalation, reporting, and remediation appropriate to the type of event that occurs, including malware attack, data egress/loss or misuse, or specific activities that contradict the firm’s Acceptable Use Policy.

In order to ensure that sufficient data exists for analysis when a security event occurs, logging includes:

»Authentication Systems (including Active Directory, remote access, two factor authentication).

»Security logging on servers for both operating systems and application software.

»Networking equipment (including firewalls, switches, access control systems).

Security logs (including executive reports and access logs) are audited on a [insert frequency here] basis. These security logs may include changes seen on Active Directory, File, Exchange, and SQL Servers and may require further investigation. Personnel must report any anomalies in system performance to the Office of the CTO.

Instant Messaging Policy

Instant messaging is archived on an ongoing basis and is subject to review, as is all communication.

Users may not, under any circumstances, use instant messaging software that has not been approved and installed by the Office of the CTO to send or receive correspondence directly or indirectly related to the firm and its business (this includes subcomponents within websites, e.g. Facebook Chat or Skype Chat).

Monitoring Policy

The firm reserves the right to monitor and ensure the appropriate use of company computing resources in a manner consistent with all applicable laws (including national, state, and local jurisdictions). These actions may include periodic assessments of software use, unannounced inspections of the firm’s computers, email stores, workstation hard drives, and mobile devices, monitoring of website visits and network traffic, and the removal of any software found on the firm’s property for which a valid license or proof of purchase cannot be located or which is determined to be inappropriate.

Any source may be appropriate, including (but not limited to):

»Authentication logs (including Active Directory, Kerberos, ActiveSync, NAC, TACACS)

»Network Activity logs (including WWW Proxy/Content Filtering, full network traffic capture/analysis sources, DHCP)

»Intrusion Detection/Prevention logs (including host and/or network IDP and firewall sources)

»Application logs (including information generated during testing/debugging)

»Network vulnerability assessment logs/reports

»Backup/recovery caches and logs

»Forensic images created for investigative purposes

As needed, these sources will be used within the context of the investigation of a security event for incident response purposes.

The firm reserves the right to limit access to any program, service, or capability accessed through the firm’s network or Internet that is deemed to pose a threat to information systems, violates any company policy, or impacts the productivity of the firm’s staff.

Network Access Policy

The firm’s network provides an access vector to the firm’s confidential and business-critical information and assets. Only computer equipment with express authorization to be connected to the firm’s network may be given appropriate access. All other equipment requires advance written approval by the Office of the CTO before being installed or connected. In many cases, installation by an appropriate member of the Office of the CTO will be required. When personnel leave the firm, an exit checklist is followed to ensure that network access has been fully revoked.