GRIT P-IT001 Information Security and Acceptable Use Policy

1. INTRODUCTION

1.1 Purpose

The purpose of this policy is to outline the acceptable use of computer equipment and information assets at the Company. These rules are in place to protect GRIT and all employees/contractors. Inappropriate use exposes the Company to risks including unauthorised disclosure of information, virus attacks, compromise of network systems and services, and potential legal issues.

1.2 Definition of Information Security

Information security encompasses the management processes, technology and assurance mechanisms that allow the business to trust its transactions (integrity), that keep information usable and able to resist and recover from failures due to error, deliberate attack or disaster (availability), and that withhold confidential information from those who should not have access to it (confidentiality).

1.3 Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers at the Company, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by the Company.

1.4 Communication

Awareness of this policy will be included in all induction training for new GRIT staff and will be included as appropriate on refresher training courses for existing staff.

All employees will be requested to sign off this policy on an annual basis (unless otherwise determined by executive management) and copies will be placed on personal files for record-keeping purposes.

All new employees will receive a copy of this document together with the job offer and non-disclosure agreement and be requested to hand over a signed copy on the first day of employment.

1.5 Policy review

This policy will be reviewed annually.


2. The Internet and E-mail Policy

The Internet is a very large, publicly accessible network that has millions of connected users and organisations worldwide. One popular feature of the Internet is e-mail.

2.1 Policy

Access to the Internet is provided to employees for the benefit of GRIT and its customers.

Employees are able to connect to a variety of business information resources around the world. GRIT provides its users with Internet access and electronic communications services as required for the performance and fulfilment of job responsibilities. These services are for the purpose of increasing productivity and not for non-business activities.

In order to ensure the continuous availability and usability of the e-mail system, it is necessary to implement the following controls:

a) Mailbox sizes are limited to 50GB per e-mail account. Users will be informed automatically when they reach 50GB in capacity. Once the threshold is reached, sending of e-mails will not be allowed. On reaching 50GB both sending and receiving facilities will be suspended. Please note that this is a system enforced policy and therefore all employees should manage their e-mail accounts (download to workstation for regular back-ups). All members of the executive team will be treated on an individual basis.

b) All emails are processed and stored by an external mail solution for security, archiving, compliance and other required corporate purposes. The current solution is provided by MimeCast.

c) Outgoing mails are limited to 25Mb per mail regardless of when they are sent. Only the Corporate Dropbox and the local authorised user computers may be used for storing company data. Any synchronisation of personal files while on the corporate network may be monitored.

The Internet is also replete with risks and inappropriate material. To ensure that all employees are responsible and productive Internet users and to protect the company's interests, the following guidelines have been established for using the Internet and e-mail.

2.2 Acceptable Use

Employees using the Internet are representing the company. Employees are responsible for ensuring that the Internet is used in an effective, ethical, and lawful manner. Occasional and reasonable personal use of GRIT's Internet and e-mail services is permitted, provided that this does not interfere with work performance. These services may be used outside of scheduled hours of work, provided that such use is consistent with professional conduct.


Accessing and communicating on social networks such as Facebook is done on a reasonable usage basis. Staff are entrusted to ensure that any social media usage does not impact negatively on their work. Staff are responsible and accountable for posting any content to social media or other public forums that may be associated with the company in any way. It is a serious breach of this policy to post items to social media that may bring the company into disrepute or affect its public profile negatively in any way.

Information passing through or stored on company equipment and infrastructure can and will be monitored. Examples of acceptable use are:

a. Using Web browsers to obtain business information from commercial Web sites.

b. Accessing databases for information as needed.

c. Using e-mail for business contacts.

d. Using company issued mobile devices and smartphones for business purposes.

2.3 Unacceptable Use

Employees must not use the Internet for purposes that are illegal, unethical, harmful to the company, or non-productive. Examples of unacceptable use are:

a. Sending or forwarding chain e-mail, i.e., messages containing instructions to forward the message to others.

b. Creating and/or sending "spam." Spam is defined as any unsolicited electronic communication that is sent to any number of recipients who did not specifically request or express an interest in the material advertised in the communication. It will be considered a greater offence if the company's electronic communications resources are exploited to amplify the range of distribution of these communications.

c. Conducting personal business using company resources. Internet banking is considered acceptable use.

d. Accessing, downloading, uploading, saving, receiving, or sending material that includes sexually explicit content or other material using vulgar, sexist, racist, threatening, violent, or defamatory language.

e. Accessing and/or listening to radio and streaming non-work-related content over the Internet, as such activities severely degrade bandwidth and in so doing hamper the overall productivity of the company.


f. Using your own personal computer or mobile device on the GRIT network for whatever purposes (this may pose a serious risk as your computer may not be up to date with the latest patches and anti-virus signatures).

g. "Testing" the security configuration of GRIT in any way whatsoever (vulnerability scans by themselves may contain harmful code, thus exposing GRIT to serious breaches in security).

h. Bypassing the proxy server that provides access to the Internet (this may introduce malicious code and breach the security settings of GRIT).

i. Having simultaneous dual connections, for example through the network cable and a wireless modem (such a connection will bypass the GRIT firewall, interconnecting the GRIT secure network with the non-secure Internet).

2.4 Employee Responsibilities

Non-work-related file downloads from the Internet are not permitted unless specifically authorised by the applicable Line Manager.

2.5 IT Department Responsibilities

The IT Department shall ensure that all staff members have access to e-mail facilities. This involves creating mailboxes. In the creation of mailboxes IT shall:

a. Ensure that no one other than the user will have access to that mailbox.

b. Ensure that the format of the e-mail address is consistent with the company [email protected]

c. GRIT aligns itself to the latest compliance as provided in Mauritius and also in line with the appropriate legislation and regulations of Mauritius, or other locations as it may deem relevant. Upon written approval from the CEO and/or Head of Human Capital, the IT Department will be allowed access to any employee's e-mail, internet usage logs, or other historic electronic information.

d. Implement technical controls to enforce the policy requirements as stipulated above.

e. Mauritius regulation as per point c) above applies to all employees operating under the jurisdiction of Mauritius legislation. However, the same principle will apply in all other countries where there is a valid legal requirement (e.g. a police investigation) that requires access to a specific individual's computer or mobile device and the information stored on it.


2.6 Employee Responsibilities

An employee who uses the Internet or e-mail shall:

a. Read their e-mails regularly.

b. Ensure that all communications are for official purposes and that they do not interfere with his/her productivity. E-mail messages of a personal nature (selling goods, advertising meetings, etc.) should only be issued in accordance with the standard procedures determined by Human Capital for all such communications.

c. Know and abide by all applicable company policies dealing with security and confidentiality of company records and information.

d. Avoid transmission of non-public (sensitive) customer information. If it is necessary to transmit non-public information, employees are required to take steps reasonably intended to ensure that information is delivered to the proper person who is authorised to receive such information for a legitimate use.

e. Not download and/or distribute pornographic or other offensive material from the Internet and/or e-mail. Users found downloading any forms of pornography or other offensive material will be liable to disciplinary action (as per the normal Human Capital Disciplinary Procedures). Participating in the download or distribution of any form of pornographic material involving children is a criminal offence and must by law be reported to the Police Services.

f. Report the receipt of pornographic or offensive material to the IT Department and the Information Security Officer. Users who fail to report will be liable to disciplinary action.

g. Not download non-work-related data or applications from the Internet.

h. Use file compression services (ZIP, RAR) to decrease file sizes before transmission over the network.

2.7 Copyrights

Employees using the Internet are not permitted to copy, transfer, rename, add, or delete information or programs belonging to others unless given express permission to do so by the owner. Failure to observe copyright or license agreements may result in disciplinary action by the organisation and/or legal action by the copyright owner. Please bear in mind that approval has to be obtained from the IT Department to load/save any software not forming part of the GRIT standard.


2.8 Monitoring

All messages created, sent, or transferred over the Internet and/or Intranet are the property of the company. GRIT reserves the right to access the contents of any messages sent over its facilities if the company believes, in its sole judgment, that it has a business need to do so or where there is suspicion of abuse.

All communications, including text and images, can be disclosed to law enforcement or other third parties without prior consent of the sender or the receiver.


3. MOBILE DEVICE SECURITY

3.1 Background

The general use of mobile devices for business purposes has increased considerably over the recent past. Mobile devices include, but are not limited to, notebook computers, Tablet PCs, smartphones, compact discs, DVD discs, memory sticks, USB drives, and other similar devices.

Small, powerful and connected to essential enterprise information, mobile devices have been embraced by professionals and are fast becoming a standard enterprise productivity tool. It is precisely this small size and enterprise connectivity, however, that make the mobile device a potential risk to the enterprise. While they may contain vital data similar to a desktop or laptop, mobile devices are far more vulnerable to loss, theft or malicious use.

3.2 IT Responsibilities

a. Provide mechanisms and procedures to protect mobile devices against a breach of confidentiality (encryption, authentication and self-destruct function).

b. Establish reporting channels and incident handling in the event of a compromise.

c. Ensure that all devices are cleaned (data removed) before disposal or when switching users.

d. Provide mechanisms to protect against malicious code and general viruses.

e. Ensure that all devices are scanned before being allowed access to the GRIT network.

f. Provide user education on the secure use of mobile devices.

3.3 Employee Responsibilities

a. All mobile devices must be password protected. Choose and implement a strong password – please refer to the section later in the document on the selection and use of strong passwords.

b. The physical security of these devices is the responsibility of the employee to whom the device has been assigned. Devices shall be kept in the employee's physical presence whenever possible. Whenever a device is being stored, it shall be stored in a secure place, preferably out of sight.

c. If a mobile device is lost or stolen, promptly report the incident to the IT Department Help Desk and proper authorities.


d. Sensitive or confidential documents, if stored on the device, should be encrypted if possible.

e. Mobile device options and applications that are not in use should be disabled (for example Bluetooth or Wireless).

f. Sensitive and confidential information should be removed from the mobile device before it is returned, exchanged or disposed of.

g. Whenever possible all mobile devices should enable screen locking and screen timeout functions.

h. No personal information shall be stored on mobile devices unless it is encrypted and permission is granted by the data owner.

i. Before a mobile device is connected to GRIT IT systems, it shall be scanned for viruses (the user risks having files on the device deleted if any viruses are detected).

j. If a mobile device is used for transitional storage (for example copying data between systems), the data shall be securely deleted from the mobile device immediately upon completion.

k. Information stored on memory sticks shall be protected by using strong passwords and/or encryption technologies. Sensitive information on memory sticks may only be removed from the premises if approved by the information/data owner.

l. Just as with static devices (e.g. desktop computers), users remain responsible for ensuring that the information is backed up and available as and when required.


4. COMPUTER VIRUS POLICY (MALICIOUS CODE)

Background: Computer viruses are programs designed to make unauthorised changes to programs and data. Therefore, viruses can cause destruction of corporate resources. It is the responsibility of everyone who uses GRIT's computer networks to take reasonable measures to protect the network from virus infections. This policy outlines how various viruses can infect GRIT's network, how GRIT's IT Department tries to prevent and/or minimise infections, and how GRIT's network users should respond to a virus if they suspect one has infected GRIT's network or their computers.

There are mainly three types of computer viruses: true viruses, Trojan horses, and worms. True viruses actually hide themselves, often as macros, within other files, such as spreadsheets or Word documents. When an infected file is opened from a computer connected to GRIT's network, the virus can spread throughout the network and may do damage. A Trojan horse is an actual program file that, once executed, doesn't spread but can damage the computer on which the file was run. A worm is also a program file that, when executed, can both spread throughout a network and do damage to the computer from which it was run. Viruses can enter GRIT's network in a variety of ways, such as:

a) E-mail: By far, most viruses are sent as e-mail attachments. These attachments could be working documents or spreadsheets, or they could be merely viruses disguised as pictures, jokes, etc. These attachments may have been knowingly sent by someone wanting to infect GRIT's network or by someone who does not know the attachment contains a virus. However, once some viruses are opened, they automatically e-mail themselves, and the sender may not know that his or her computer is infected.

b) Disk, CD, USB flash disk, or other media: Viruses can also spread via various types of storage media. As with e-mail attachments, the virus could hide within a legitimate document or spreadsheet or simply be disguised as another type of file.

c) Software downloaded from the Internet: Downloading software via the Internet can also be a source of infection. As with other types of transmissions, the virus could hide within a legitimate document, spreadsheet, or other type of file.

d) Instant messaging attachments: Although less common than e-mail attachments, more viruses are taking advantage of instant messaging software. These attachments work the same as e-mail viruses, but they are transmitted via instant messaging software.

It is important to know that:

• Computer viruses are much easier to prevent than to cure.

• Defences against computer viruses include protection against unauthorised access to computer systems, using only trusted sources for data and programs, and maintaining virus-scanning software.


4.1 IT Responsibilities

The IT Department shall:

a) Install and maintain appropriate antivirus software on all computers.

b) Install and maintain appropriate gateway and e-mail antivirus software.

c) Install and maintain appropriate antivirus software on all file servers.

d) Routinely update virus definitions: every morning, the computer antivirus software and server virus scanning programs check the Internet site for updated virus definitions. These definition files allow the software to detect new viruses. If a new virus definition file is available, the virus scanning software is automatically updated.

e) Configure anti-virus software to notify and inform the IT support staff of detected viruses.

f) Respond to all virus attacks, destroy any virus detected, and document each incident.

4.2 Employee Responsibilities

Even though all Internet traffic is scanned for viruses and all files on the company's servers are scanned, the possibility still exists that a new or well hidden virus could find its way to an employee's workstation, and if not properly handled, it could infect GRIT's network. The IT staff will attempt to notify all users of credible virus threats via e-mail or telephone messages. Because this notification will automatically go to everyone in the organisation, employees should not forward virus warning messages. On occasion, well-meaning people will distribute virus warnings that are actually virus hoaxes. These warnings are typically harmless; however, forwarding such messages unnecessarily increases network traffic. As stated, it is the responsibility of all GRIT network users to take reasonable steps to prevent virus outbreaks. The following guidelines will assist you in minimising the risk of virus infections:

a) Do not knowingly introduce a computer virus into company computers.

b) Do not load disks/flash drives of unknown origin; incoming disks/flash drives shall be scanned for viruses before they are read.

c) If a file you receive contains macros that you are unsure about, disable the macros.

d) Never open an e-mail or instant messaging attachment from an unknown or suspicious source.

e) Any employee who suspects that his/her workstation has been infected by a virus shall IMMEDIATELY DISCONNECT THE WORKSTATION FROM THE NETWORK and call the IT Department Help Desk.

f) Do not uninstall (remove) or disable the official anti-virus program on your computer, nor install a program of your choice.


4.3 Spyware

Spyware and adware can compromise system performance and allow sensitive information to be transmitted outside the organisation. Spyware installation programs can launch even when users are performing legitimate operations, such as installing a company-approved application. As a result, combating spyware requires user vigilance as well as IT management and control.

4.4 IT Responsibilities

The IT Department shall:

a) Install and update appropriate anti-spyware measures.

b) Respond to all reports of spyware installation, remove spyware modules, restore system functionality, and document each incident.

4.5 Employee Responsibilities

These directives apply to all employees:

a) Employees shall not knowingly allow spyware to install on the organisation's computers.

b) Employees shall perform anti-spyware updates and run anti-spyware programs regularly, as directed by the IT Department (as a rule, anti-spyware software will form part of the anti-virus software implemented by GRIT).

c) Employees shall immediately report to the IT Department any symptoms that suggest spyware may have been installed on their computer.


5. SOFTWARE POLICY

5.1 Acceptable use

This section defines the boundaries for the "acceptable use" of the company's electronic resources, including software, hardware devices, and network systems. Hardware devices, software programs, and network systems purchased and provided by the company are to be used only for creating, researching, and processing company-related materials. By using the company's hardware, software, and network systems you assume personal responsibility for their appropriate use and agree to comply with this policy.

5.2 Software

All software acquired for or on behalf of the company or developed by company employees or contract personnel on behalf of the company is and shall be deemed company property. All such software must be used in compliance with applicable licenses, notices, contracts, and agreements.

5.3 Purchasing

All purchasing of company software shall be centralised with the IT Department to ensure that all applications conform to corporate software standards and are purchased at the best possible price. All requests for corporate software must be submitted to the IT Department for approval. The IT Department will determine the standard software that best accommodates the desired request.

5.4 Licensing

Each employee is individually responsible for reading, understanding, and following all applicable licenses, notices, contracts, and agreements for software that he or she uses or seeks to use on company computers. Unless otherwise provided in the applicable license, notice, contract, or agreement, any duplication of copyrighted software, except for backup and archival purposes, may be a violation of local and/or national legislation. In addition to violating such laws, unauthorised duplication of software is a violation of the company's policy.

5.5 Software standards

The following list shows the standard suite of software installed on company computers (excluding test computers) that is fully supported by the IT Department:

• Microsoft Windows Professional 8.1 or 10

• Microsoft Office 365 Suite


• Corporate Anti-Virus

• Microsoft Windows Defender

• Dropbox for Business

• Sage Pastel

• Sage Evolution

• Broll Online

• Adobe DC

• LifeSize Cloud Communication System

• Skype for Business

Employees needing software other than those listed above must request such software from the IT Department. Each request will be considered in conjunction with the requesting user's Manager and in accordance with the software-purchasing section of this policy.

5.6 Employee Responsibilities

Employees shall not:

a) Copy, load or run any software that is not properly licensed.

b) Load their own software onto a GRIT computer, whether they own the license or not, without prior permission from IT.

c) Load any software onto a GRIT computer. This must always be carried out by the IT Department. This includes downloading any program files from the Internet, and games.

d) Allow third parties to install software on GRIT computers without the authorisation of the IT Department.

5.7 IT Responsibilities

The IT Department shall:

a) Install and configure all GRIT computers with the standard operating system and office suite.

b) Store and protect all the GRIT software.

c) Ensure that all the GRIT software is licensed.

d) Periodically check GRIT computers to ensure this policy is enforced.

5.8 Computer Hardware Policy

Computer hardware includes all physical IT equipment; this includes all front end (laptops, computers, photocopiers and printers) and backend (servers, network switches, firewall, routers) devices. All hardware purchased shall comply with the minimum specifications as recommended by the IT Department in consultation with GRIT Management.

5.9 Purchasing

All purchasing of company computer hardware devices shall be centralised with the IT Department to ensure that all equipment conforms to corporate hardware standards and is purchased at the best possible price. All requests for corporate computing hardware devices must be submitted to the IT Department, which will then, in conjunction with the direct report, determine the standard hardware that best accommodates the desired request.

5.10 Hardware standard

The following list shows the standard minimum hardware configuration for new/to be procured company computers (excluding test computers) that are fully supported by the IT Department:

• Desktops

• Laptops

5.11 IT responsibilities

The IT Department shall:

a) Be responsible for giving minimum specifications in the procurement of all computer hardware.

b) Set up and install such hardware.

c) Maintain all the computer hardware.


6. ACCESS CODES AND PASSWORDS

The confidentiality, integrity and availability of data stored on the organisation's computer systems must be protected by access controls to ensure that only authorised employees have access.

This access shall be restricted to only those capabilities that are appropriate to each employee's job duties. All passwords used in order to gain access to the organisation's data must comply with the GRIT Password Policy.

6.1 IT Responsibilities

The IT Department shall:

a) Be responsible for the administration of access controls to all of the organisation's computer systems. The IT Department will process additions, deletions, and changes upon receipt of a written request from the end user's line manager. Deletions may be processed by oral request prior to reception of the written request.

b) The Senior IT Specialist will maintain a list of administrative access codes and passwords and keep this list in a secure area.

c) The IT Department shall take the necessary steps to enforce password expiry and the changing thereof every 90 days.

d) Ensure that the GRIT Password Policy (see below) is enforced.

6.2 Employee Responsibilities

Each employee:

a) Shall be responsible for all computer transactions that are made with his/her User ID and password (passwords should therefore never be shared).

b) Shall not disclose passwords to others. Passwords must be changed immediately if it is suspected that they may have become known to others. Passwords should not be recorded where they may be easily obtained.

c) Will change passwords at most every 90 days.

d) Shall use passwords that will not be easily guessed by others.

e) Shall log out when leaving a workstation for an extended period.

f) Shall not attempt to access the accounts of other users unless she/he has been authorised to do so by the line manager.

6.3 Management's Responsibility

Managers shall notify the IT Manager promptly whenever an employee leaves the company or transfers to another department so that his/her access can be revoked/amended. Involuntary terminations must be reported concurrent with the termination. Managers shall authorise in writing the granting of access to another employee's network account.

6.4 Human Resources Responsibility

The Human Resources Department will notify the IT Department monthly of employee transfers, terminations and new appointments. Involuntary terminations must be reported concurrent with the termination.


7. PASSWORD POLICY

7.1 Overview

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of GRIT's entire corporate network. As such, all GRIT employees (including contractors and vendors with access to GRIT systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

7.2 General Policy

a) All system-level passwords (e.g., financial system, application administration accounts, etc.) must be changed on a quarterly basis.

b) All user-level passwords (domain logon passwords) must be changed every 90 days.

c) Passwords are not displayed or concealed on your workspace.

d) Passwords must be at least ten characters long.

e) Windows passwords must be changed every 90 days and the previous four passwords cannot be re-used (enforced by the IT Department). In order to circumvent the risk that users may request four password resets in order to re-use the same password, the policy will be set not to allow more than four password resets over the period of 5 working days. All requests for password resets will be dealt with on a case by case basis.

f) Typing an incorrect password three times will disable the account until IT enables the account on receipt of a Help Desk request.

g) All user-level and system-level passwords must conform to the guidelines described below.
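The account-handling rules in 7.2 e) and f) (a four-password history, no more than four resets in five working days, and lockout after three wrong attempts) are easier to check as code. The following is an added example, not GRIT's own tooling or the configuration of any real directory service: the `Account` class, the `working_days_back` helper, the Monday-to-Friday working week and the use of a SHA-256 fingerprint for the history record are illustrative choices made here. The history window is four passwords including the current one, because the policy's own reasoning (four resets would age a password out of the history) implies exactly that.

```python
"""Added example (not GRIT's own code): a model of the account-handling rules
in section 7.2 e) and f), so an administrator can see what each rule does
before configuring the real directory service.

Assumptions made here, not stated in the policy: a SHA-256 record of past
passwords (a real system stores salted, slow hashes), a Monday-to-Friday
working week with no public-holiday calendar, and the helper names below.
"""
import hashlib
from collections import deque
from datetime import date, timedelta

MAX_FAILED_ATTEMPTS = 3          # 7.2 f): three wrong passwords disable the account
PASSWORD_HISTORY = 4             # 7.2 e): the four most recent passwords cannot be re-used
MAX_RESETS = 4                   # 7.2 e): at most four password resets ...
RESET_WINDOW_WORKING_DAYS = 5    # ... over a period of five working days


def working_days_back(day: date, n: int) -> date:
    """Date n working days (Mon-Fri) before `day`; assumption: no holiday calendar."""
    while n > 0:
        day -= timedelta(days=1)
        if day.weekday() < 5:
            n -= 1
    return day


def _digest(password: str) -> str:
    """Illustrative fingerprint for the history check only; not a credential store."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class Account:
    def __init__(self, username: str):
        self.username = username
        self.failed_attempts = 0
        self.disabled = False
        # The current password plus the three before it: the policy's own
        # reasoning (four resets would age a password out) implies a window of four.
        self.history = deque(maxlen=PASSWORD_HISTORY)
        self.reset_dates = []

    def current_hash(self):
        return self.history[-1] if self.history else None

    def set_password(self, password: str) -> bool:
        """Reject any password still inside the four-password history (7.2 e)."""
        h = _digest(password)
        if h in self.history:
            return False
        self.history.append(h)
        return True

    def login(self, password: str) -> bool:
        """Three consecutive wrong passwords disable the account until IT
        re-enables it on a Help Desk request (7.2 f)."""
        if self.disabled:
            return False
        if _digest(password) == self.current_hash():
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.disabled = True
        return False

    def helpdesk_enable(self) -> None:
        """IT re-enables the account on receipt of a Help Desk request (7.2 f)."""
        self.disabled = False
        self.failed_attempts = 0

    def request_reset(self, today: date) -> bool:
        """Allow at most four resets within any five-working-day window (7.2 e)."""
        window_start = working_days_back(today, RESET_WINDOW_WORKING_DAYS)
        recent = [d for d in self.reset_dates if d > window_start]
        if len(recent) >= MAX_RESETS:
            return False
        self.reset_dates.append(today)
        return True


if __name__ == "__main__":
    # Constructed walk-through of the three rules.
    acct = Account("demo.user")
    print("first set:", acct.set_password("Initial-Pw-01"), "re-use:", acct.set_password("Initial-Pw-01"))
    for attempt in ("wrong1", "wrong2", "wrong3"):
        acct.login(attempt)
    print("disabled after three failures:", acct.disabled)
    for d in (date(2024, 6, 10), date(2024, 6, 11), date(2024, 6, 12), date(2024, 6, 13), date(2024, 6, 14)):
        print(d, "reset allowed:", acct.request_reset(d))
```

The reset window is measured in working days, so a Friday request looks back to the previous Friday, and a request on the following Monday sees only the three resets made on Tuesday to Thursday.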

7.3 Strong Passwords

Strong passwords have the following characteristics:

a. They contain both upper and lower case characters (e.g., a-z, A-Z).

b. They have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).

c. They are at least seven alphanumeric characters long.

d. They are not a word in any language, slang, dialect, jargon, etc.

e. They are not based on personal information, names of family, etc.

f. NOTE: Do not use either of these examples as passwords!

7.4 Poor Passwords

Poor, weak passwords have the following characteristics:


a. The password contains less than eight characters.
b. The password is a word found in a dictionary (English or foreign).
c. The password is a common usage word such as:
   - Names of family, pets, friends, co-workers, fantasy characters, etc.
   - Computer terms and names, commands, sites, companies, hardware, software.
   - Birthdays and other personal information such as addresses and phone numbers.
   - Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
   - Any of the above spelled backwards.
   - Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
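The rules in 7.2 to 7.4 above, as an added Python checker that is not part of the policy: it reports which clauses a candidate password violates. The word list, keyboard rows and sample passwords are constructed stand-ins; an enforcing system would use a full dictionary and the directory's own history and lockout controls.

```python
"""Password-policy checker modelled on GRIT P-IT001 sections 7.2 to 7.4.
Added illustration, not part of the policy: the word list, keyboard rows
and sample passwords are constructed for the example."""
import re

PUNCT = set(r"""!@#$%^&*()_+|~-=\`{}[]:";'<>?,./""")  # 7.3 b
MIN_LEN = 10                                            # 7.2 d
# Constructed stand-in for a dictionary plus company/common words (7.4 b, c).
WORDLIST = {"secret", "password", "welcome", "summer", "dragon", "grit", "admin"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

def _is_sequence(w):
    """Consecutive code points in either direction, e.g. 'abcd' or 'zyxw'."""
    diffs = {ord(b) - ord(a) for a, b in zip(w, w[1:])}
    return diffs == {1} or diffs == {-1}

def _dictionary_based(p):
    """7.4 b/c: a listed word, spelled backwards, or with one digit attached."""
    core = re.sub(r"^\d|\d$", "", p.lower())  # secret1, 1secret -> secret
    return core in WORDLIST or core[::-1] in WORDLIST

def _has_pattern(p):
    """7.4 c: aaabbb, qwerty, zyxwvuts, 123321 and their reversals."""
    low = p.lower()
    if re.search(r"(.)\1\1", low):  # three identical characters in a row
        return True
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    for i in range(len(low) - 3):
        w = low[i:i + 4]
        if any(w in r for r in rows) or _is_sequence(w):
            return True
    # mirrored runs such as 123321 (any six-character palindrome window)
    return any(low[i:i + 6] == low[i:i + 6][::-1] for i in range(len(low) - 5))

def check_password(p):
    """Return the policy clauses a candidate password violates ([] = acceptable)."""
    problems = []
    if len(p) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters (7.2 d)")
    if not (any(c.islower() for c in p) and any(c.isupper() for c in p)):
        problems.append("needs both upper and lower case letters (7.3 a)")
    if not any(c.isdigit() for c in p):
        problems.append("needs a digit (7.3 b)")
    if not any(c in PUNCT for c in p):
        problems.append("needs a punctuation character (7.3 b)")
    if _dictionary_based(p):
        problems.append("dictionary word, reversed or with a digit attached (7.4 b, c)")
    if _has_pattern(p):
        problems.append("keyboard, repeated or mirrored pattern (7.4 c)")
    return problems
```

Run against the policy's own phrase-derived example "TmB1w2R!" (section 7.5), the checker reports only clause 7.2 d, because that example is eight characters long.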

7.5 Password Protection Standards
a) Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way to Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.
b) Do not use the same password for GRIT accounts as for other non-GRIT access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for various GRIT access needs. For example, select one password for logging on to the domain and a different one for logging on to the Financial System (unless a Single Sign On solution is provided by the IT Department).
c) Do not share GRIT passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential GRIT information.
d) If someone demands a password, refer them to this document or have them call someone in the IT Department.
e) Do not use the "Remember Password" feature of applications (e.g. Outlook).
f) If an account or password is suspected to have been compromised, report the incident to IT and change all passwords.
g) Password cracking or guessing may be performed on a periodic or random basis by IT. If a password is guessed or cracked during one of these scans, the user will be required to change it.


8. PHYSICAL SECURITY

It is company policy to protect computer hardware, software, data, and documentation from misuse, theft, unauthorised access, and environmental hazards. The entire organisation’s important hardware (e.g. servers) will be locked away. The server room shall at all times be locked. Only authorised personnel will be allowed into the server room. Third party maintenance personnel shall at all times be supervised by the GRIT IT representative whilst in the server room.

8.1 Employee Responsibilities
The directives below apply to all employees:

a) Each employee is responsible for the security of the PC (including screen, keyboard, mouse and any other peripheral such as a printer) provided by GRIT to him or her.
b) Any item missing or damaged must be reported by the employee to the IT Department without delay, and followed up with a written communication outlining all the circumstances.
c) Disks and portable storage devices should be stored out of sight when not in use. If they contain highly sensitive or confidential data, they must be locked away.
d) Environmental hazards to hardware such as food, smoke, liquids, high or low humidity, and extreme heat or cold should be avoided.
e) Since the IT Department is responsible for all equipment installations, disconnections, modifications, and relocations, employees are not to perform these activities unless authorisation is given by the IT Department. This does not apply to temporary moves of portable computers for which an initial connection has been set up by IT.
f) Employees shall not take shared portable equipment such as laptop computers out of the office without the informed consent of their department manager. Informed consent means that the manager knows what equipment is leaving, what data is on it, and for what purpose it will be used.
g) Employees should exercise care to safeguard the valuable electronic equipment assigned to them. Employees who neglect this duty may be held accountable for any loss or damage that may result.
h) Laptop users shall, at all times, use cable locks supplied by the organisation to secure their laptops.
i) Employees who share offices (and so cannot lock their office when leaving it) are expected to make use of the lock computer option on their computer by pressing the CTRL+ALT+DEL key combination on their keyboard and selecting the lock computer option. Where possible, the IT Department will set a policy that will automatically disable (lock) computers where no keyboard activity has been detected for a period of five (5) minutes.
j) Visitors should be received at reception and always be escorted by a GRIT employee.


8.2 IT Responsibilities
The IT Department shall:

a) Ensure that critical computer equipment is protected by uninterruptible power supply.
b) Ensure that all laptops are supplied with cable locks.
c) Perform all equipment installations, disconnections, modifications, and relocations.
d) Ensure that strict access control is implemented at all server rooms and data centres and that a register is maintained of who had access, when and for what purposes.


9. HELP DESK AND CHANGE MANAGEMENT

One of the primary roles of the IT Department is to provide user support for all IT related problems.

9.1 Employee Responsibilities
All employees will observe and adhere to the following:

a) Employees will use the e-mail facilities or the provided help desk system (phone call) to log their problems and request service from the IT Department. Employees must record exactly what has happened, and write down any error message(s) appearing on the screen.
b) No person may request the IT Department to fix a problem (hardware or software) on any equipment not owned by GRIT.
c) Requests for the creation or deletion of user accounts must be submitted to the IT Department with the relevant documentation 2 working days prior to the employee starting in his/her position.

9.2 IT Responsibilities
The IT Department shall:

a) Acknowledge all queries and problems and give an estimate of when the problem will be addressed.
b) Respond timeously to all user queries and problems.


10. GENERAL ACCEPTABLE USE REQUIREMENTS

10.1 System Backup and Recovery
Information is a valuable tool and must be protected at all cost. In the event of information loss the organisation should be able to recover the information.

10.2 IT Responsibilities
The IT Department shall back up all the information on the servers in accordance with the Business Continuity and Disaster Recovery Plan.

10.3 Employee Responsibilities
Each employee shall save their work-related information on the Corporate Dropbox on a daily basis. They will ensure that the Dropbox synchronization process is running, and advise the IT Department if it is not.

10.4 Reporting of Incidents
Users are to report any security breaches (or suspected breaches) to the IT Department, who will provide further guidance on the approach that should be followed.

10.5 Copyrights and License Agreements
It is GRIT policy to comply with all laws regarding intellectual property.


ACRONYMS, ABBREVIATIONS AND DEFINITIONS

Access Control: Access Controls provide the means of establishing and enforcing rights and privileges allowed to entities.

Accountability or Auditability: Auditability ensures protected and reliable records of system activity with security significance (e.g. logins, logouts, file accesses, security violations) are available. This is a key element for after-the-fact detection of and recovery from security breaches, i.e. being able to determine who is responsible for what action(s), from where and when.

Adware: Adware is any software program in which advertising banners are displayed while the program is running.

Authentication: Authentication provides the means of verifying the identity of an entity.

Authorisation: Authorisation enables specification and the subsequent management of allowed actions for a given system. Authorisation relies on identification and authentication and enables access control.

Availability: Availability is the assurance that information is available on a timely basis wherever it is needed to meet business requirements or to avoid substantial losses.

Awareness: Actions taken to address knowledge, attitude and behaviour as the key components of culture; changing the security culture to suit the business objectives.

Confidentiality: Confidentiality is the protection of information from unauthorised disclosure.

Information Assets: These take many forms and include data stored on computers and servers, transmitted across networks or the Intranet, printed out or written on paper, sent by fax/e-mail, stored on tapes/diskettes, or spoken in conversations and over the telephone.


Integrity: Integrity is the protection of information from unauthorised, unanticipated or unintentional modification or deletion.

ISO 17799 or 27002: International Organisation for Standardization’s Standard for Information Security Management.

Non-repudiation: Non-Repudiation protects against any attempt by the sender to falsely deny sending information, or subsequent attempts by the recipient to falsely deny receiving this information.