Nct It Policy
Transcript of Nct It Policy
-
7/30/2019 Nct It Policy
1/90
IT Securi ty & Audit Polic y Page 1 of 91
-
7/30/2019 Nct It Policy
2/90
IT Securi ty & Audit Polic y Page 3 of 91
3UHSDUHGE\
Department Of IT, Govt. Of NCT Of DelhiPrakash Kumar - Special Secretary (IT)
6DMHHY0DKHVKZDUL6\VWHP$QDO\VW
CDAC, Noida$QXM.XPDU-DLQ&RQVXOWDQW%35
5DKXO6LQJK&RQVXOWDQW,7$UXQ3UXWKL&RQVXOWDQW,7$VKLVK*R\DO&RQVXOWDQW,75DKXO*R\DO&RQVXOWDQW,7
,76HFXULW\$XGLW3ROLF\GRFXPHQWLVDOVRDYDLODEOHRQWKHVLWH http://it.delhigovt.nic.in6XJJHVWLRQVDQGFRPPHQWVDUHZHOFRPHGDQGFDQEHSRVWHGDW [email protected]
-
7/30/2019 Nct It Policy
3/90
IT Securi ty & Audit Polic y Page 4 of 91
,1'(;
1 INTRODUCTION ............................................................................... 8
1.1 INFORMATION SECURITY .............................................................................................. 8
1.2 DATA LOSS PREVENTION.............................................................................................. 8
1.3 ABOUT VIRUSES ......................................................................................................... 10
A. POLICY FOR GENERAL USERS ..................................... 12
2 POLICIES FOR GENERAL USERS................................................. 14
2.1 USING FLOPPIES/ CD/ FLASH DRIVES........................................................................ 14
2.2 PASSWORD................................................................................................................. 14
2.3 BACKUP ..................................................................................................................... 142.4 PHYSICAL SAFETY OF SYSTEM................................................................................... 15
2.5 COMPUTERFILES ....................................................................................................... 15
2.6 GENERAL INSTRUCTIONS ........................................................................................... 16
B. POLICY FOR DEPARTMENT............................................. 18
3 DEPARTMENTAL POLICIES .......................................................... 20
C. POLICY FOR SYSTEM ADMINISTRATOR .................. 22
4 SECURITY POLICY FOR PURCHASING HARDWARE.................. 24
5 SECURITY POLICY FOR ACCESS CONTROL .............................. 25
5.1 MANAGING ACCESS CONTROL STANDARDS ............................................................... 25
5.2 MANAGING USERACCESS .......................................................................................... 255.3 SECURING UNATTENDED WORKSTATIONS.................................................................. 26
5.4 MANAGINGNETWORKACCESS CONTROLS ................................................................ 26
5.5 CONTROLLING ACCESS TO OPERATING SYSTEM SOFTWARE....................................... 275.6 MANAGING PASSWORDS............................................................................................. 27
5.7 SECURING AGAINST UNAUTHORIZED PHYSICAL ACCESS ........................................... 28
5.8 RESTRICTING ACCESS ................................................................................................. 285.9 MONITORING SYSTEM ACCESS AND USE .................................................................... 29
5.10 GIVING ACCESS TO FILES AND DOCUMENTS............................................................... 29
5.11 MANAGING HIGHERRISKS SYSTEM ACCESS .............................................................. 295.12 CONTROLLING REMOTE USERACCESS ....................................................................... 30
5.13 RECOMMENDATIONS ON ACCOUNTS AND PASSWORDS .............................................. 30
6 SECURITY POLICY FOR NETWORKS........................................... 32
6.1 CONFIGURINGNETWORKS .......................................................................................... 32
6.2 MANAGING THENETWORK......................................................................................... 32
6.3 ACCESSINGNETWORKREMOTELY ............................................................................. 326.4 DEFENDINGNETWORKINFORMATION FROM MALICIOUS ATTACK............................. 33
6.5 RECOMMENDATIONS ON NETWORK AND CONFIGURATION SECURITY........................ 33
6.6 RECOMMENDATION ON HOST BASED FIREWALL ......................................................... 34
7 SECURITY POLICY FOR OPERATING SYSTEM........................... 35
-
7/30/2019 Nct It Policy
4/90
IT Securi ty & Audit Polic y Page 5 of 91
8 SECURITY POLICY FOR SOFTWARE ........................................... 36
8.1 MANAGING OPERATIONAL PROGRAM LIBRARIES:...................................................... 368.2 MANAGING PROGRAM SOURCE LIBRARIES:................................................................ 36
8.3 CONTROLLING PROGRAM LISTING.............................................................................. 36
8.4 CONTROLLING PROGRAM SOURCE LIBRARIES ............................................................ 378.5 CONTROLLING OLD VERSIONS OF PROGRAMS ............................................................ 37
9 SECURITY POLICY FOR CYBER CRIME....................................... 37
9.1 RECOMMENDATIONS ON TO WEB SERVERS AND EMAIL ............................................. 38
10 BACKUP POLICIES......................................................................... 39
10.1 BACKUP PROCESS ....................................................................................................... 39
10.2 RESTORATION PROCESS.............................................................................................. 40
10.3 RECOMMENDATIONS ON BACKUP AND RECOVERY & DISASTERPLANNING .............. 41
11 LAN SECURITY............................................................................... 4211.1 NETWORKORGANIZATION ......................................................................................... 42
11.2 NETWORKSECURITY .................................................................................................. 43
11.3 NETWORKSOFTWARE................................................................................................. 4611.4 NETWORKHARDWARE ............................................................................................... 48
11.5 LAN BACKUP AND RECOVERY POLICIES.................................................................... 49
11.6 LAN PURCHASING POLICY......................................................................................... 49
12 ROLE OF SYSTEM ADMINISTRATOR IN VIRUS PROTECTION... 50
12.1 COMPUTERVIRUSES: DETECTION AND REMOVAL METHODS ..................................... 50
12.2 COMPUTERVIRUS CLASSIFICATION............................................................................ 60
12.3 RECOMMENDATION FORANTIVIRUS SOFTWARE USAGE ............................................. 62
13 STAFF AWARENESS AND TRAINING ........................................... 63
13.1 STAFF AWARENESS..................................................................................................... 63
13.2 TRAINING.................................................................................................................... 64
14 RECOMMENDATIONS FOR SYSTEM ADMINISTRATOR.............. 66
D. POLICY FOR DBA................................................................... 68
15 SECURITY POLICY FOR DBA........................................................ 70
15.1 POLICY ON TRANSFERRING AND EXCHANGING DATA................................................. 7015.2 POLICY ON MANAGING DATA STORAGE ..................................................................... 7115.3 POLICY ON MANAGING DATABASES ........................................................................... 71
15.4 POLICY ON PERMITTING EMERGENCY DATA AMENDMENT......................................... 72
15.5 POLICY ON SETTING UPNEW DATABASES .................................................................. 7215.6 SECURITY POLICY FORDATABASE.............................................................................. 72
15.7 GUIDELINES/RECOMMENDATION FORDBA................................................................ 74
15.8 DBA SKILLS............................................................................................................... 74
-
7/30/2019 Nct It Policy
5/90
IT Securi ty & Audit Polic y Page 6 of 91
E. AUDIT POLICY ......................................................................... 76
16 INFORMATION SYSTEMS AUDIT POLICY .................................... 78
16.1 INTRODUCTION ........................................................................................................... 78
16.2 AUDIT POLICY ............................................................................................................ 78
16.3 QUESTIONNAIRE FORAUDIT ....................................................................................... 80
F. ANNEXURE ................................................................................ 84
-
7/30/2019 Nct It Policy
6/90
IT Securi ty & Audit Polic y Page 7 of 91
-
7/30/2019 Nct It Policy
7/90
IT Securi ty & Audit Polic y Page 8 of 91
1 Introduction
1.1 Information Security
,QIRUPDWLRQ6HFXULW\3ROLFLHVDUHWKHFRUQHUVWRQHRILQIRUPDWLRQVHFXULW\HIIHFWLYHQHVV7KH6HFXULW\3ROLF\LV LQWHQGHGWRGHILQHZKDWLVH[SHFWHGIURPDQRUJDQL]DWLRQZLWKUHVSHFWWRVHFXULW\RI,QIRUPDWLRQ6\VWHPV7KHRYHUDOOREMHFWLYHLVWRFRQWURORUJXLGHKXPDQEHKDYLRULQDQDWWHPSWWRUHGXFHWKHULVNWRLQIRUPDWLRQDVVHWVE\DFFLGHQWDORUGHOLEHUDWHDFWLRQV,QIRUPDWLRQ VHFXULW\ SROLFLHV XQGHUSLQ WKH VHFXULW\ DQG ZHOO EHLQJ RI LQIRUPDWLRQUHVRXUFHV7KH\DUHWKHIRXQGDWLRQWKHERWWRPOLQHRILQIRUPDWLRQVHFXULW\ZLWKLQDQRUJDQL]DWLRQ:HDOOSUDFWLFHHOHPHQWVRIGDWDVHFXULW\$WKRPHIRUH[DPSOHZHPDNHVXUHWKDWGHHGVDQGLQVXUDQFHGRFXPHQWVDUHNHSWVDIHO\VRWKDWWKH\DUHDYDLODEOHZKHQZH
QHHGWKHP$OORIILFHLQIRUPDWLRQGHVHUYHVWREHWUHDWHGLQWKHVDPHZD\,QDQRIILFHKDYLQJWKHULJKWLQIRUPDWLRQDWWKHULJKWWLPHFDQPDNHWKHGLIIHUHQFHEHWZHHQVXFFHVVDQG IDLOXUH 'DWD 6HFXULW\ ZLOO KHOS WKH XVHU WR FRQWURO DQG VHFXUH LQIRUPDWLRQ IURPLQDGYHUWHQWRUPDOLFLRXVFKDQJHVDQGGHOHWLRQVRUXQDXWKRUL]HGGLVFORVXUH7KHUHDUHWKUHHDVSHFWVRIGDWDVHFXULW\Confidentiality3URWHFWLQJLQIRUPDWLRQIURPXQDXWKRUL]HGGLVFORVXUHOLNHWRWKHSUHVVRU WKURXJK LPSURSHU GLVSRVDO WHFKQLTXHVRU WKRVH ZKR DUHQRWHQWLWOHGWR KDYH WKHVDPHIntegrity 3URWHFWLQJ LQIRUPDWLRQ IURP XQDXWKRUL]HG PRGLILFDWLRQ DQG HQVXULQJ WKDWLQIRUPDWLRQ VXFK DV D EHQHILFLDU\ OLVW FDQ EH UHOLHG XSRQ DQG LV DFFXUDWH DQG
FRPSOHWHAvailabi li ty(QVXULQJLQIRUPDWLRQLVDYDLODEOHZKHQLWLVUHTXLUHG'DWDFDQEHKHOGLQPDQ\GLIIHUHQWDUHDVVRPHRIWKHVHDUH 1HWZRUN6HUYHUV 3HUVRQDO&RPSXWHUVDQG:RUNVWDWLRQV /DSWRSDQG+DQGKHOG3&V 5HPRYDEOH 6WRUDJH 0HGLD )ORSS\ 'LVNV &'5206 =LS 'LVNV )ODVK 'ULYH
HWF 'DWD%DFNXS0HGLD7DSHVDQG2SWLFDO'LVNV
1.2 Data Loss Prevention
/HDGLQJ&DXVHVRI'DWD/RVV 1DWXUDO'LVDVWHUV 9LUXVHV +XPDQ(UURUV 6RIWZDUH0DOIXQFWLRQ +DUGZDUH6\VWHP0DOIXQFWLRQ&RPSXWHUVDUHPRUHUHOLHGXSRQQRZWKDQHYHURUPRUHWRWKHSRLQWWKHGDWDWKDWLVFRQWDLQHGRQWKHP,QQHDUO\HYHU\LQVWDQWWKHV\VWHPLWVHOIFDQEHHDVLO\UHSDLUHGRU
-
7/30/2019 Nct It Policy
8/90
IT Securi ty & Audit Polic y Page 9 of 91
UHSODFHGEXWWKHGDWDRQFHORVWPD\QRWEHUHWUDFHDEOH7KDWVZK\RIUHJXODUV\VWHPEDFNXSVDQGWKHLPSOHPHQWDWLRQRIVRPHSUHYHQWDWLYHPHDVXUHVDUHDOZD\V VWUHVVHGXSRQNatural Disasters:KLOH WKHOHDVW OLNHO\ FDXVH RI GDWD ORVV D QDWXUDOGLVDVWHU FDQKDYH D GHYDVWDWLQJ
HIIHFWRQWKHSK\VLFDOGULYH,Q LQVWDQFHVRIVHYHUHKRXVLQJGDPDJHVXFKDVVFRUHGSODWWHUVIURPILUHZDWHUHPXOVLRQGXHWRIORRGRUEURNHQRUFUXVKHGSODWWHUVWKHGULYHPD\EHFRPHXQUHFRYHUDEOH7KH EHVW ZD\ WR SUHYHQW GDWD ORVV IURP D QDWXUDO GLVDVWHU LV DQoff site back up6LQFHLWLVQHDUO\LPSRVVLEOHWRSUHGLFWWKHDUULYDORIVXFKDQHYHQWWKHUHVKRXOGEHPRUHWKDQRQHFRS\RI WKHV\VWHPEDFNXSNHSWRQHRQVLWHDQGRQHRII7KHW\SHRIPHGLDEDFNXSZLOOGHSHQGRQV\VWHPVRIWZDUHDQGWKHUHTXLUHGIUHTXHQF\QHHGHGWREDFNXS$OVREHVXUHWRFKHFNEDFNXSVWREHFHUWDLQWKDWWKH\KDYHSURSHUO\EDFNHGXSViruses
9LUDO LQIHFWLRQ LQFUHDVHVDWUDWH RIQHDUO\ QHZ 7URMDQV H[SORLWV DQGYLUXVHVHYHU\ PRQWK 7KHUH DUH DSSUR[LPDWHO\ wild RU ULVN SRVLQJ YLUXVHV VRXUFH6$5&GDWHG6HS:LWKWKRVHQXPEHUVJURZLQJHYHU\GD\V\VWHPVDUHDWDQHYHULQFUHDVLQJULVNWREHFRPHLQIHFWHGZLWKDYLUXV7KHUHDUHVHYHUDOZD\VWRSURWHFWDJDLQVWDYLUDOWKUHDW ,QVWDOOD)LUHZDOORQV\VWHPWRSUHYHQWKDFNHUVDFFHVVWRXVHUVGDWD ,QVWDOO DQ DQWLYLUXV SURJUDP RQ WKH V\VWHP DQG XVH LWUHJXODUO\ IRU VFDQQLQJ
DQG UHPRYH WKH YLUXV LI WKH V\VWHP KDV EHHQ LQIHFWHG 0DQ\ YLUXVHV ZLOO OLHGRUPDQW RU SHUIRUP PDQ\ PLQRU DOWHUDWLRQV WKDW FDQ FXPXODWLYHO\ GLVUXSWV\VWHPZRUNV%HVXUHWRFKHFNIRUXSGDWHVIRUDQWLYLUXVSURJUDPRQDUHJXODUEDVLV
%DFNXSDQGEHVXUHWRWHVWEDFNXSVIURPLQIHFWLRQDVZHOO7KHUHLVQRXVHWRUHVWRUHYLUXVLQIHFWHGEDFNXS
%HZDUH RI DQ\ HPDLO FRQWDLQLQJ DQ DWWDFKPHQW ,I LW FRPHV IURP DQRQ\PRXVVHQGHURUGRQWNQRZIURPZKHUHLWKDVFRPHRUZKDWLWLVWKHQGRQWRSHQLW
MXVWGHOHWHLWEORFNWKHVHQGHUIRUIXWXUHPDLOHuman Errors(YHQLQWRGD\VHUDRIKLJKO\WUDLQHGFHUWLILHGDQGFRPSXWHU OLWHUDWH VWDIILQJWKHUHLVDOZD\V URRP IRU WKH WLPHOHVVQHVV RI DFFLGHQWV 7KHUH DUH IHZ WKLQJV WKDW PLJKW EHIROORZHG %HDZDUH,WVRXQGVVLPSOHHQRXJKWRVD\EXWQRWVRHDV\WRSHUIRUP:KHQ
WUDQVIHUULQJGDWDEHVXUHLWLVJRLQJWRWKHGHVWLQDWLRQ,IDVNHGWould you liketo replace the existing filePDNHVXUHEHIRUHFOLFNLQJ\HV
,QFDVHRIXQFHUWDLQW\DERXWDWDVNPDNHVXUHWKHUHLVDFRS\RIWKHGDWDWRUHVWRUHIURP
7DNH H[WUD FDUH ZKHQ XVLQJ DQ\ VRIWZDUH WKDW PD\ PDQLSXODWH GULYHV GDWDVWRUDJHVXFKDVSDUWLWLRQPHUJHUVIRUPDWFKDQJHVRUHYHQGLVNFKHFNHUV
%HIRUHXSJUDGLQJWRDQHZ2SHUDWLQJ6\VWHPWDNHEDFNXSRIPRVWLPSRUWDQWILOHVRU GLUHFWRULHV LQFDVHWKHUH LVD SUREOHP GXULQJ WKH LQVWDOODWLRQ.HHSLQPLQGVODYHGGDWDGULYHFDQDOVREHIRUPDWWHGDVZHOO
1HYHUVKXWWKHV\VWHPGRZQZKLOHSURJUDPVDUHUXQQLQJ7KHRSHQILOHVZLOOPRUHOLNHO\EHFRPHWUXQFDWHGDQGQRQIXQFWLRQDO
-
7/30/2019 Nct It Policy
9/90
IT Securi ty & Audit Polic y Page 10 of 91
Software Malfunction6RIWZDUHPDOIXQFWLRQLVDQHFHVVDU\HYLOZKHQXVLQJDFRPSXWHU(YHQWKHZRUOGVWRSSURJUDPVFDQQRWDQWLFLSDWHHYHU\HUURUWKDWPD\RFFXURQDQ\JLYHQSURJUDP7KHUHDUHVWLOOIHZWKLQJVWKDWFDQOHVVHQWKHULVNV %HVXUHWKHVRIWZDUHXVHGZLOOPHDQW21/
-
7/30/2019 Nct It Policy
10/90
-
7/30/2019 Nct It Policy
11/90
IT Securi ty & Audit Polic y Page 12 of 91
A. Policy For General Users
-
7/30/2019 Nct It Policy
12/90
IT Securi ty & Audit Polic y Page 13 of 91
-
7/30/2019 Nct It Policy
13/90
IT Securi ty & Audit Polic y Page 14 of 91
2 Polic ies for General Users
2.1 Using Floppies/ CD/ Flash Drives
)ORSS\ VKRXOG EH XVHG LQ FRQVXOWDWLRQ ZLWK V\VWHP DGPLQLVWUDWRULQFKDUJHFRPSXWHUFHQWHUDQGVKRXOGEHVFDQQHGEHIRUHXVH
8QRIILFLDO)ORSSLHV&'VRU)ODVK'ULYHVVKRXOGQRWEHXVHGRQRIILFHV\VWHPV
)ORSS\ VKRXOG EH ZULWHSURWHFWHG LI GDWD LV WR EH WUDQVIHUUHG IURP IORSS\ WR
V\VWHP
2.2 Password
.HHSWKHV\VWHPVFUHHQVDYHUHQDEOHGZLWKSDVVZRUGSURWHFWLRQ
'RQWVKDUHRUGLVFORVH\RXUSDVVZRUG8VHUVKRXOGQRWKDYHHDVLO\GHWHFWDEOHSDVVZRUGVIRU1HWZRUNDFFHVVVFUHHQ
VDYHUHWF$ VWURQJ SDVVZRUG PXVW EH DV ORQJ DV SRVVLEOH LQFOXGH PL[HGFDVH OHWWHUV
LQFOXGH GLJLWV DQG SXQFWXDWLRQ PDUNV QRW EH EDVHG RQ DQ\ SHUVRQDOLQIRUPDWLRQQRWEHEDVHGRQDQ\GLFWLRQDU\ZRUGLQDQ\ODQJXDJH
1HYHUXVHWKHVDPHSDVVZRUGWZLFH
&KDQJHSDVVZRUGDWUHJXODULQWHUYDOV
2.3 Backup
%DFNXSVKRXOGEHPDLQWDLQHGUHJXODUO\RQWKHVSDFHSURYLGHGRQFHQWUDOVHUYHURIWKHGHSDUWPHQWRURQWKHVWRUDJHPHGLDDVSHUGHSDUWPHQWSROLF\
.HHSSDSHUFRS\RIVHUYHUFRQILJXUDWLRQILOH
.HHSWKH'$7VRURWKHUUHPRYDEOHPHGLDLQDVHFXUHORFDWLRQDZD\IURPWKHFRPSXWHU
$OZD\VEDFNXSWKHGDWDEHIRUHOHDYLQJWKHZRUNVWDWLRQ
)RUVHQVLWLYHDQGLPSRUWDQWGDWDRIIVLWHEDFNXSVKRXOGEHXVHG
-
7/30/2019 Nct It Policy
14/90
IT Securi ty & Audit Polic y Page 15 of 91
2.4 Physical Safety of System
3URWHFW WKH V\VWHP IURP XQDXWKRUL]HG XVH ORVV RU GDPDJH HJ WKH GRRUVKRXOGEHORFNHGZKHQQRWLQWKHRIILFH
.HHSSRUWDEOHHTXLSPHQWVHFXUH
3RVLWLRQPRQLWRUDQGSULQWHUVVRWKDWRWKHUVFDQQRWVHHVHQVLWLYHGDWD
.HHSIORSS\GLVNVDQGRWKHUPHGLDLQDVHFXUHSODFH
6HHNDGYLFHRQGLVSRVDORIHTXLSPHQW
5HSRUW DQ\ ORVV RI GDWD RU DFFHVVRULHVWR WKH6\VWHP $GPLQLVWUDWRULQFKDUJH
FRPSXWHUFHQWHU
.HHSWKHV\VWHPDQGVHQVLWLYHGDWDVHFXUHIURPRXWVLGHUV
*HWDXWKRUL]DWLRQEHIRUHWDNLQJHTXLSPHQWRIIVLWH
7DNHFDUHZKHQPRYLQJHTXLSPHQW5HDGLQVWUXFWLRQRQPRYLQJHTXLSPHQW
,QVWDOO 836 V\VWHP ZLWKDGHTXDWH EDWWHU\ EDFNXSVWRDYRLG DQ\ GDWD ORVV RU
FRUUXSWLRQGXHWRSRZHUIDLOXUH6\VWHPVKRXOGEHSURSHUO\VKXWGRZQEHIRUHOHDYLQJWKHRIILFH
/RJRIIWKHV\VWHPLI\RXDUHOHDYLQJ\RXUVHDW
1HYHUUHPRYHWKHFDEOHVZKHQ\RXU3&LVSRZHUHG21VLQFHWKLVFDQFDXVH
DQHOHFWULFDOVKRUWFLUFXLW'RQRWVWRSVFDQGLVNLIV\VWHPSURPSWVWRUXQLWDWWKHWLPHRIV\VWHPVWDUWXS
$OZD\VXVHPRXVHRQPRXVHSDG
%HJHQWOHZKLOHKDQGOLQJNH\ERDUGDQGPRXVH
'RQRWRSHQFDVHRIWKHKDUGZDUH
0DNHVXUHWKDWWKHUHLVVRPHVODFNLQWKHFDEOHVDWWDFKHGWR\RXUV\VWHP
2.5 Computer Files
$OO ILOH OHYHOVHFXULW\GHSHQGVXSRQWKHILOH V\VWHP2QO\WKH PRVW VHFXUHILOHV\VWHP VKRXOG EH FKRVHQIRU WKH VHUYHU 7KHQ XVHU SHUPLVVLRQ IRU LQGLYLGXDOILOHVIROGHUVGULYHVVKRXOGEHVHW
-
7/30/2019 Nct It Policy
15/90
IT Securi ty & Audit Polic y Page 16 of 91
$Q\GHIDXOWVKDUHVVKRXOGEHUHPRYHG2QO\UHTXLUHGILOHDQGREMHFWVKDUHVVKRXOGEHHQDEOHGRQWKHVHUYHU1HYHUGRZQORDGRUUXQDWWDFKHGILOHVIURPXQNQRZQHPDLO,'
$OZD\VNHHSILOHVLQWKHFRPSXWHULQRUJDQL]HGPDQQHUIRUHDV\DFFHVVLELOLW\,I
UHTXLUHGFUHDWHQHZIROGHUVDQGVXEIROGHUV$YRLGFUHDWLQJMXQNILOHVDQGIROGHUV
6\VWHP ILOHV DQG OLEUDULHV VKRXOG QRW EH DFFHVVHG DV LW FDQ FDXVH
PDOIXQFWLRQLQJRIV\VWHP:KHQWUDQVIHUULQJGDWDEHVXUHLWLVJRLQJWRWKHGHVWLQDWLRQ,IDVNHGWould
you like to replace the existing filePDNHVXUHEHIRUHFOLFNLQJ\HV
2.6 General Instruct ions
,QFDVHRIXQFHUWDLQW\DERXWDWDVNPDNHVXUHWKHUHLVDFRS\RIWKHGDWDWRUHVWRUHIURP
)ROORZ LQVWUXFWLRQV RU SURFHGXUHV WKDW FRPHV IURP 6\VWHP
DGPLQLVWUDWRU,QFKDUJHFRPSXWHUFHQWUHWLPHWRWLPH8VHUVDUHQRWVXSSRVHGWRGRKLVRUKHUSHUVRQDOZRUNRQFRPSXWHUV
3OHDVH LQWLPDWH 6\VWHP DGPLQLVWUDWRU,QFKDUJH FRPSXWHU FHQWUH LQ FDVH RI
V\VWHPPDOIXQFWLRQ8VHU VKRXOG DOZD\V ZRUN RQ KLVKHU DOORWWHG PDFKLQHV ,Q FDVH RI DQ\
XUJHQF\HPHUJHQF\XVHUPD\XVHRWKHUVPDFKLQHZLWKFRQVXOWDWLRQRI6\VWHPDGPLQLVWUDWRU,QFKDUJHFRPSXWHUFHQWUH
$QWLYLUXV VRIWZDUH VKRXOG EH XSGDWHG WLPHO\ LQ FRQVXOWDWLRQ ZLWK 6\VWHP
$GPLQLVWUDWRU,QFKDUJHFRPSXWHUFHQWUH
'RQWJLYHRWKHUVWKHRSSRUWXQLW\WRORRNRYHU\RXUVKRXOGHULI\RXDUHZRUNLQJRQVHQVLWLYHGDWDFRQWHQWV
'RQRWXVHXQQHFHVVDU\VKDUHZDUH'R QRW LQVWDOO RU FRS\ VRIWZDUH RQ V\VWHP ZLWKRXW SHUPLVVLRQ RI 6\VWHP
DGPLQLVWUDWRU,QFKDUJHFRPSXWHUFHQWUH$YRLGXQQHFHVVDU\FRQQHFWLYLW\RI,QWHUQHW
-
7/30/2019 Nct It Policy
16/90
IT Securi ty & Audit Polic y Page 17 of 91
'RQW SDQLF LQ FDVH V\VWHP KDQJV 5HSRUW LW \RXU ,7 1RGDO 2IILFHU6\VWHP
$GPLQLVWUDWRU,QFKDUJHFRPSXWHUFHQWUH,IORFNDQGNH\V\VWHPLVDYDLODEOHWKHQXVHUVKRXOGHQVXUHWKHVHFXULW\RIDOO
WKHSDUWVRIWKHFRPSXWHU
3OHDVHHQVXUHWKDWSUHLQVWDOOHG$QWLYLUXVLVUXQQLQJRQWKHV\VWHP
)RRG DQG GULQNV VKRXOG QRW EH SODFHG QHDU V\VWHPV &XS RI 7HD &RIIHH RU
ZDWHUJODVVVKRXOGQRWEHRQ&38RU0RQLWRURU.H\%RDUG$OZD\VSRZHURIIWKHV\VWHPZKHQFOHDQLQJLW1HYHUXVHZHWFORWKIRUZLSLQJWKHVFUHHQ
1HYHUVKXWWKHV\VWHPGRZQZKLOHSURJUDPVDUHUXQQLQJ7KHRSHQILOHVZLOO
PRUHOLNHO\EHFRPHWUXQFDWHGDQGQRQIXQFWLRQDO1HYHUVWDFNERRNVILOHVRURWKHUPDWHULDOVRQWKH&38
3ODFHWKHFRYHURQWKHFRPSXWHUVZKHQ\RXFORVHWKHFRPSXWHUVDWWKHHQGRI
WKHGD\
-
7/30/2019 Nct It Policy
17/90
IT Securi ty & Audit Polic y Page 18 of 91
B. Policy For Department
-
7/30/2019 Nct It Policy
18/90
IT Securi ty & Audit Polic y Page 19 of 91
-
7/30/2019 Nct It Policy
19/90
IT Securi ty & Audit Polic y Page 20 of 91
3 Departmental Polic ies
'HSDUWPHQW VKRXOG KDYH D V\VWHP DGPLQLVWUDWRU RU LQFKDUJH RI FRPSXWHUFHQWUH
'HSDUWPHQWDOVWDIIVKRXOGEHDZDUHRI'HOKL*RYW6HFXULW\SROLFLHV 'HSDUWPHQW VKRXOG KDYH LWV RZQ ZULWWHQ VHFXULW\ SROLFLHV VWDQGDUGV DQG
SURFHVVHVLIQHHGHG 7KHUH VKRXOG EH FOHDUO\ GHILQHG V\VWHP VHFXULW\ SURFHGXUHV IRU WKH
$GPLQLVWUDWRU 3HUVRQQHOLQ WKHGHSDUWPHQWVKRXOGKDYHVXIILFLHQWDXWKRULW\WR DFFRPSOLVK,7
VHFXULW\UHODWHGGXWLHVDQGSROLFLHV
&RPSHWHQWSHUVRQQHOVKRXOGEHDYDLODEOHWREDFNXS,7VHFXULW\UHODWHGGXWLHVLQWKHHYHQWWKHUHJXODU6\VWHP$GPLQLVWUDWRULVXQDYDLODEOH
'HSDUWPHQWVKRXOGKDYHDSURFHVVWRDGGUHVVLQFLGHQWVRUFRPSURPLVHV &RPSXWHUHTXLSPHQWVKRXOGEHVLWXDWHGVDIHO\DQGIUHHIURPSRWHQWLDOGDQJHU
LHOHDN\URRIVHWF 8QLQWHUUXSWLEOH3RZHU6XSSOLHV836VKRXOGSURWHFWVHUYHUVDQGZRUNVWDWLRQV +HDWLQJ FRROLQJ DQGYHQWLODWLRQ VKRXOGNHHS \RXU V\VWHPVDW WKHDSSURSULDWH
WHPSHUDWXUHDQGKXPLGLW\ 'HSDUWPHQWVKRXOGKDYHSODQVWRXVHVRIWZDUHWKDWHQIRUFHVVWURQJSDVVZRUGV 7KHUHVKRXOGEHZULWWHQSURFHGXUHVIRUIRUJRWWHQSDVVZRUGV 3K\VLFDOVHFXULW\DXGLWVKRXOGEHFRQGXFWHG 'HSDUWPHQWVKRXOGKDYHSK\VLFDOVHFXULW\VWDQGDUGVDQGSURFHGXUHV 7KHUH VKRXOG EH SURFHGXUHV IRU ORFNLQJ ,7 RIILFHV WHOHSKRQH FORVHWV DQG
FRPSXWHUURRPV 'HSDUWPHQWVKRXOGKDYHDQDODUPV\VWHP $FFHVVHVVKRXOGEHVHFXUHZKHQRIILFHVGHSDUWPHQWVDUHYDFDQW :RUNVWDWLRQVDQGODSWRSVVKRXOGEHORFNHGGRZQWRGHWHUWKHIW
'HSDUWPHQW VKRXOG KDYH D QHWZRUN PDSGLDJUDP RI WKH /$1 /RFDO $UHD
1HWZRUN
-
7/30/2019 Nct It Policy
20/90
IT Securi ty & Audit Polic y Page 21 of 91
7KHUHVKRXOGEHDSDUWQHUVKLSZLWKYHQGRUVZKRFDQKHOSLQDQHPHUJHQF\LI
\RXUHTXLSPHQWLVGDPDJHGGXHWRGLVDVWHU %DFNXSILOHVVKRXOGEHVHQWRIIVLWHWRDSK\VLFDOO\VHFXUHORFDWLRQ
'HSDUWPHQWVKRXOGVWRUHPHGLDRIIVLWH (QYLURQPHQW RI D VHOHFWHG RIIVLWH VWRUDJH DUHD WHPSHUDWXUH KXPLGLW\ HWF
VKRXOGEHZLWKLQWKHPDQXIDFWXUHUVUHFRPPHQGHGUDQJHIRUWKHEDFNXSPHGLD 'HSDUWPHQWVKRXOGKDYHDFRQILJXUDWLRQDVVHWFRQWUROSODQIRUDOOKDUGZDUHDQG
VRIWZDUHSURGXFWV 7UDLQHG DXWKRUL]HG LQGLYLGXDOV VKRXOG RQO\ EH DOORZHG WR LQVWDOO FRPSXWHU
HTXLSPHQWDQGVRIWZDUH
-
7/30/2019 Nct It Policy
21/90
IT Securi ty & Audit Polic y Page 22 of 91
C. Policy For System Administrator
-
7/30/2019 Nct It Policy
22/90
IT Securi ty & Audit Polic y Page 23 of 91
-
7/30/2019 Nct It Policy
23/90
IT Securi ty & Audit Polic y Page 24 of 91
4 Security Policy for Purchasing Hardware
All purchases of new systems and hardware or new components for existing systemsmust be made in accordance with Information Security and other Organizationpolicies, as well as technical standards fixed by the govt. Such requests to purchasemust be based upon a User Requirements Specification document and take account
of longer term organizational operations needs.7KH SXUFKDVH RI QHZ FRPSXWHUV DQG SHULSKHUDOV UHTXLUHV FDUHIXO FRQVLGHUDWLRQ RIRSHUDWLRQVQHHGVEHFDXVHLWLVXVXDOO\H[SHQVLYHWRPDNHVXEVHTXHQWFKDQJHV,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ $SSURYDORISXUFKDVHRI1HZ6\VWHP+DUGZDUH 7KHV\VWHPPXVWKDYHDGHTXDWHFDSDFLW\RUHOVHLWPD\QRWEHDEOHWRSURFHVV
WKHGDWD
:KHUHKDUGZDUHPDLQWHQDQFHLVSRRURUXQUHOLDEOHLWJUHDWO\LQFUHDVHVWKHULVNWR WKHRUJDQL]DWLRQ EHFDXVH LQ WKHHYHQW RI IDLOXUHSURFHVVLQJFRXOG VLPSO\6723
8VHU UHTXLUHPHQW VSHFLILFDWLRQ LQFOXGLQJ GHSOR\PHQW DQG XVH RI DYDLODEOHUHVRXUFHVDQGSURSRVHGXVHRIQHZHTXLSPHQWV
-
7/30/2019 Nct It Policy
24/90
IT Securi ty & Audit Polic y Page 25 of 91
5 Securi ty Policy for Access Control
3ROLF\IRUDFFHVVFRQWUROGHILQHVDFFHVVWRFRPSXWHUV\VWHPVWRYDULRXVFDWHJRULHVRIXVHUV$FFHVV&RQWUROVWDQGDUGVDUHWKHUXOHVZKLFKDQRUJDQL]DWLRQDSSOLHVLQRUGHU
WR FRQWURO DFFHVV WR LWV LQIRUPDWLRQ DVVHWV 6XFK VWDQGDUGV VKRXOG DOZD\V EHDSSURSULDWHWRWKHRUJDQL]DWLRQVRSHUDWLRQDQGVHFXULW\QHHGV7KHGDQJHUVRIXVLQJLQDGHTXDWHDFFHVVFRQWUROVWDQGDUGVUDQJHIURPLQFRQYHQLHQFHWRFULWLFDOORVVRUGDWDFRUUXSWLRQ
6HFXULW\IRU$FFHVV&RQWUROGHSHQGVXSRQIROORZLQJSRLQWV
5.1 Managing Access Control Standards
Access Control standards for information systems must be established bymanagement and should incorporate the need to balance restrictions to prevent
unauthorized access against the need to provide unhindered access to meetoperational needs.
,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ
7KH ODFN RI XQLIRUP VWDQGDUGV FRQWUROOLQJ WKH DFFHVV WR LQIRUPDWLRQ DQGV\VWHPVFDQOHDGWRGLVSDULWLHVDQGZHDNQHVVHV
:KHUH DFFHVV FRQWURO LV QRW PRGLILHG LQ UHVSRQVH WR HQKDQFHG VHQVLWLYLW\ RISURFHVVHG LQIRUPDWLRQ WKH ULVN RI D EUHDFK WR LWV FRQILGHQWLDOLW\ ZLOO LQFUHDVHSHUKDSVVXEVWDQWLDOO\
$FFHVV FRQWURO VWDQGDUGV WKDW DUH WRR WLJKW RU LQIOH[LEOH FDQ LPSHGH WKHGHSDUWPHQWVGD\WRGD\DFWLYLWLHVDQGIUXVWUDWHVWDII
5.2 Managing User Access
Access to all systems must be authorized by the owner of the system and suchaccess, including the appropriate access rights (or privileges) must be recorded in an
Access Control List. Such records are to be regarded as Highly Confidentialdocuments and safeguarded accordingly.
*RRG PDQDJHPHQW RIXVHU DFFHVVWR LQIRUPDWLRQV\VWHPVDOORZV WR LPSOHPHQW WLJKW
VHFXULW\FRQWUROVDQGWRLGHQWLI\EUHDFKHVRI$FFHVV&RQWUROVWDQGDUGV
,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ
/DFNRIDPDQDJHGDFFHVVFRQWUROSURFHGXUHFDQUHVXOWLQXQDXWKRUL]HGDFFHVVWRLQIRUPDWLRQV\VWHPVWKHUHE\FRPSURPLVLQJFRQILGHQWLDOLW\DQGSRWHQWLDOO\WKHLQWHJULW\RIWKHGDWD
-
7/30/2019 Nct It Policy
25/90
IT Securi ty & Audit Polic y Page 26 of 91
/RJRQVFUHHQVRUEDQQHUVZKLFKVXSSO\LQIRUPDWLRQDERXWWKHV\VWHPSULRUWRVXFFHVVIXOORJRQVKRXOGEHUHPRYHGDVWKH\FDQDVVLVWXQDXWKRUL]HGXVHUVWRJDLQDFFHVV
:KHUHUHJXODWLRQDQGGRFXPHQWDWLRQRI$FFHVV&RQWUROKDVEHHQLQIRUPDOWKLVFDQIUXVWUDWHWKHUHDOORFDWLRQRIGXWLHVEHFDXVHWKHUHDUHQRUHFRUGVRIFXUUHQWDFFHVVULJKWVDQGSULYLOHJHV
$OORFDWLQJLQDSSURSULDWHSULYLOHJHVWRLQH[SHULHQFHGVWDIIFDQUHVXOWLQDFFLGHQWDOHUURUVDQGSURFHVVLQJSUREOHPV
5.3 Securing Unattended Workstations
Equipment is always to be safeguarded appropriately especially when leftunattended.
&RPSXWHU HTXLSPHQW ZKLFK LV ORJJHG RQ DQG XQDWWHQGHG FDQ SUHVHQW D WHPSWLQJWDUJHWIRUXQVFUXSXORXVVWDIIRUWKLUGSDUWLHVRQWKHSUHPLVHV+RZHYHUDOOPHDVXUHVWRPDNHLWVHFXUHVKRXOGREVHUYHWKH$FFHVV&RQWUROSROLF\
,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ
8QDXWKRUL]HG DFFHVV RI DQ XQDWWHQGHG ZRUNVWDWLRQ FDQ UHVXOW LQ KDUPIXO RUIUDXGXOHQWHQWULHVHJPRGLILFDWLRQRIGDWDIUDXGXOHQWHPDLOXVHHWF
$FFHVVWRDQXQDWWHQGHGZRUNVWDWLRQFRXOGUHVXOWLQGDPDJHWRWKHHTXLSPHQWGHOHWLRQRIGDWDDQGRUWKHPRGLILFDWLRQRIV\VWHPFRQILJXUDWLRQILOHV
5.4 Managing Network Access Controls
Access to the resources on the network must be strictly controlled to preventunauthorized access, Access to all computing and information systems andperipherals shall be restricted unless explicitly authorized.
&RQQHFWLRQVWRWKHQHWZRUNLQFOXGLQJXVHUVORJRQKDYHWR EHSURSHUO\PDQDJHGWRHQVXUHWKDWRQO\DXWKRUL]HGGHYLFHVSHUVRQVDUHFRQQHFWHG
,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ
8QDXWKRUL]HG DFFHVV WR SURJUDPV RU DSSOLFDWLRQV FRXOG OHDG WR IUDXGXOHQW
WUDQVDFWLRQVRUIDOVHHQWULHV :KHUHSK\VLFDORUORJLFDODFFHVVKDVQRWEHHQFRQWUROOHGXVHUVPD\ILQGDQG
H[SORLW XQLQWHQWLRQDO DFFHVV URXWHV WR V\VWHPV DQG QHWZRUN UHVRXUFHV )RUH[DPSOHWKH\FRQQHFWD ODSWRSWRDZDOOVRFNHWE\SDVVWKHORJLQVHUYHUDQGFRQQHFWGLUHFWO\WRWKHPDLQVHUYHU
8QDXWKRUL]HG H[WHUQDO DFFHVV WR WKH QHWZRUN ZLOO XVXDOO\ UHVXOW LQ GDPDJHFRUUXSWLRQDQGDOPRVWFHUWDLQORVVRIFRQILGHQWLDOLW\RILQIRUPDWLRQ6XFKKDFNVDUHXVXDOO\PRWLYDWHGE\PDOLFLRXVRUIUDXGXOHQWLQWHQW
-
7/30/2019 Nct It Policy
26/90
IT Securi ty & Audit Polic y Page 27 of 91
,QFRPSOHWHRULQFRUUHFWGDWDLQDXVHUVQHWZRUNDFFHVVSURILOHFRXOGUHVXOWLQWKHLU EHLQJ SHUPLWWHG WR PRGLI\ GHOHWH RU KDYH DFFHVV WR FRQILGHQWLDOLQIRUPDWLRQRQLQDSSURSULDWHQHWZRUNUHVRXUFHV
0RGLILFDWLRQPDGHWRDQHWZRUNDFFHVVSURILOHZLWKRXWDGHTXDWHFKDQJHFRQWUROSURFHGXUHV LQ SODFH FRXOG UHVXOW LQ XQH[SHFWHG DQG SUREDEO\ DFFLGHQWDODFFHVVWRXQDXWKRUL]HGQHWZRUNUHVRXUFHV
8VHU ,' WKDW VXJJHVWV WKHLU SULYLOHJHV HJ D XVHU ,' RI DOOSULYV PD\ LQYLWHKDFNHUVWRWU\KDUGWRFUDFNWKHLUSDVVZRUG
&RQQHFWLRQV WR D WKLUG SDUW\ QHWZRUN HJ LQ HFRPPHUFH VLWXDWLRQV FDQQRWRQO\SRVVLEO\LQWURGXFHYLUXVHVEXWFDQDOVRGLVUXSWEXVLQHVVRSHUDWLRQVZKHUHGDWDLVLQDGYHUWHQWO\WUDQVPLWWHGLQWRWKHQHWZRUN
5.5 Controll ing Access to Operating System Software
Access to operating system commands is to be restricted to those persons who areauthorized to perform systems administration / management functions. Even, thensuch access must be operated under dual control requiring the specific approval of
senior management.
7KH RSHUDWLQJ V\VWHP FRQWUROV D FRPSXWHUV RSHUDWLRQ SUHORDGHG ZLWK LW DUHFRPPDQGV DQG XWLOLWLHV ZKLFK VHWXS DQG PDLQWDLQ WKH FRPSXWHUV HQYLURQPHQW $OOV\VWHPVIURP3&VWR ODUJHVHUYHUV VKRXOGEH KDUGHQHGWRUHPRYH DOOXQQHFHVVDU\GHYHORSPHQWWRROVDQGXWLOLWLHVSULRUWRGHOLYHU\WRHQGXVHUV
,QIRUPDWLRQ 6HFXULW\ LVVXHV WREH FRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKHSROLF\ LQFOXGHWKHIROORZLQJ
6WDII ZLWK DFFHVV WR WKH FRPPDQG OLQH FRXOG VXFFHHG LQ H[HFXWLQJ V\VWHP
FRPPDQGVZKLFKFRXOGGDPDJHDQGFRUUXSWWKHV\VWHPDQGGDWDILOHV 2SHUDWLQJ V\VWHP FRPPDQGV FRXOG EH XVHG WR GLVDEOHRU FLUFXPYHQW DFFHVV
FRQWURODQGDXGLWORJIDFLOLWLHVHWF
5.6 Managing Passwords
The selection of passwords, their use and management as a primary means tocontrol access to systems is to strictly adhere to best practice guideline. In particular,passwords shall not be shared with any other person for any reason.
0RVW FRPSXWHU V\VWHPV DUH DFFHVVHG E\ D FRPELQDWLRQ RI 8VHU ,' DQG SDVVZRUG
7KLV SROLF\ GLVFXVVHV WKH PDQDJHPHQW RI SDVVZRUGV IURP DQ DGPLQLVWUDWRUVSHUVSHFWLYH
,QIRUPDWLRQ 6HFXULW\ LVVXHV WREH FRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKHSROLF\ LQFOXGHWKHIROORZLQJ
3DVVZRUG DOORFDWLRQYLD WKH6\VWHP$GPLQLVWUDWRURURWKHU WHFKQLFDOVWDII FDQFRPSURPLVH DFFHVVFRQWURO GXULQJZKLFKWLPHXQDXWKRUL]HG DFFHVV PD\WDNHSODFH7KLVZLOOEHDQXQDFFHSWDEOHULVNIRUKLJKO\VHQVLWLYHV\VWHPV
-
7/30/2019 Nct It Policy
27/90
IT Securi ty & Audit Polic y Page 28 of 91
3DVVZRUGVWKDW DUHVKDUHGPD\ DOORZXQDXWKRUL]HGDFFHVVWR WKH LQIRUPDWLRQV\VWHPV
8VHUVZKRQHHGWRDFFHVVPXOWLSOHV\VWHPVPD\NHHSDKDQGZULWWHQQRWHRIWKH GLIIHUHQW SDVVZRUGV HJ LQ D GLDU\ HVSHFLDOO\ ZKHUH WKH\ DUH FKDQJHGIUHTXHQWO\ +RZHYHU VXFK LQVHFXUH UHFRUGV PDNH DQ HDV\ WDUJHW IRU LOOLQWHQWLRQHGSHUVRQVZLVKLQJWREUHDNLQWRWKHV\VWHP
5.7 Securing Against Unauthor ized Physical Access
Physical access to high security areas is to be controlled with strong identificationand authentication techniques. Staff with authorization to enter such areas is to beprovided with information on the potential security risks involved.
3HUVRQDO ZKR ZRUN LQ RU KDYH DFFHVV WR KLJK VHFXULW\ DUHDV PD\ EH SXW XQGHUSUHVVXUH WR UHYHDO DFFHVV FRGHV RU NH\V RU WR EUHDFK VHFXULW\ E\ SHUIRUPLQJXQDXWKRUL]HGLOOHJDOWDVNVVXFKDVFRS\LQJFRQILGHQWLDOLQIRUPDWLRQ7KHRUJDQL]DWLRQVKRXOG SURYLGH DGHTXDWH LQIRUPDWLRQ UHJDUGLQJ DQG VDIHJXDUGV WR SUHYHQW VXFK
HYHQWXDOLWLHV
,QIRUPDWLRQ 6HFXULW\ LVVXHV WREH FRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKHSROLF\ LQFOXGHWKHIROORZLQJ
$ PHPEHU RI VWDII PD\ EH WKUHDWHQHG RU FRHUFHG WR GLVFORVH FRQILGHQWLDODFFHVVFRGHVSURFHGXUHVRULQIRUPDWLRQDERXWWKHRUJDQL]DWLRQVV\VWHPV
$ PHPEHU RI VWDII PD\ EH WKUHDWHQHG RU FRHUFHG RXWVLGH WKH ZRUN SODFH WRGLVFORVH FRQILGHQWLDO DFFHVV FRGHV SURFHGXUHV RU LQIRUPDWLRQ DERXW WKHRUJDQL]DWLRQVV\VWHPV
6HFXULW\DVSHFWVVKRXOGEHGHVLJQHGLQVXFKDPDQQHUWKDWWKHUHVSRQVLELOLW\RIKLJKVHFXULW\ GDWD FDQ EH DFFHVVLEOH DPRQJ YDULRXV RIILFHUV ,Q FDVH VHFXULW\ EUHDFKRFFXUVDWRQHOHYHOLWFDQEHSUHYHQWHGRQRWKHUOHYHOV7KHDSSOLFDWLRQVKRXOGKDYHPXOWLOHYHOSDVVZRUGDXWKHQWLFDWLRQLHWKHGDWDFRXOGEHDFFHVVLEOHRQO\DIWHUDXWKHQWLFDWLRQE\JURXSRIDXWKRUL]HGSHUVRQQHO
5.8 Restricting Access
Access controls are to be set at an appropriate level which minimizes informationsecurity risks yet also allows the organizations business activities to be carriedwithout undue hindrance.
$FFHVV WR V\VWHPV DQG WKHLU GDWD PXVW EH UHVWULFWHG WR HQVXUH WKDW LQIRUPDWLRQ LVGHQLHGWRXQDXWKRUL]HGXVHUV
+RZHYHULQDSSURSULDWHUHVWULFWLRQVFRXOGUHVXOWLQLQGLYLGXDOXVHUVEHLQJXQDEOHWRGRWKHLU MRE DQG FDXVH GHOD\V DQG HUURUV LQ OHJLWLPDWH GDWD SURFHVVLQJ 6LPLODUO\H[FHVVLYH SULYLOHJH FRXOG DOORZ DQ DXWKRUL]HG XVHU WR GDPDJH LQIRUPDWLRQ V\VWHPVDQGILOHVFDXVLQJGHOD\VDQGHUURUV
-
7/30/2019 Nct It Policy
28/90
IT Securi ty & Audit Polic y Page 29 of 91
,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ
([FHVVLYHV\VWHPVSULYLOHJHVFRXOGDOORZDXWKRUL]HGXVHUVWRPRGLI\RUPRUHOLNHO\ FRUUXSWGHVWUR\ WKH RSHUDWLQJ V\VWHP FRQILJXUDWLRQ DQG DSSOLFDWLRQVRIWZDUHVHWWLQJZLWKJUDYHUHVXOWV
/DFNRIDFFHVVUHVWULFWLRQVFRXOGo $OORZVWDIIDQGWKLUGSDUWLHVWRPRGLI\GRFXPHQWVDQGRWKHUGDWDILOHo 5LVN ORVV RI FRQILGHQWLDOLW\ DQG LQWHJULW\ DQG DOVR SRVVLEOH OHJDO IRU
SRWHQWLDOLQIULQJHPHQWVRIWKH'DWD3URWHFWLRQ$FWRUORFDOHTXLYDOHQW
5.9 Monitoring System Access and Use
Access is to be logged and monitored to identify potential misuse of systems orinformation.
6\VWHP DFFHVV PXVW EH PRQLWRUHG UHJXODUO\ WR SUHYHQW DWWHPSWV DW XQDXWKRUL]HG
DFFHVVDQGWRFRQILUPWKDWDFFHVVFRQWUROVWDQGDUGVDUHHIIHFWLYH
,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ :LWKRXWIUHTXHQWPRQLWRULQJLWLVGLIILFXOWWRDVVHVVWKHHIIHFWLYHQHVVRIDFFHVV
FRQWUROV8QDXWKRUL]HGDFFHVVFDQUHPDLQXQGHWHFWHGHQDEOLQJNQRZOHGJHRIWKLVVHFXULW\KROHWREHSDVVHGWRSHUVRQVZLWKSRVVLEOHPDOLFLRXVRUIUDXGXOHQWLQWHQW7KHFRQVHTXHQFHVFDQEHVHULRXV
:LWKRXW KDUG HYLGHQFH RI D VHFXULW\ EUHDFK LW LV GLIILFXOW WR WDNH GLVFLSOLQDU\DFWLRQDQGLWPD\EHLPSRVVLEOHWRWDNHOHJDODFWLRQ
5.10 Giving Access to Files and Documents
Access to information and documents is to be carefully controlled, ensuring that onlyauthorized personal may have access to sensitive information.
,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ
:LWKSRRURULQDGHTXDWHDFFHVVFRQWURORYHUGRFXPHQWVDQGILOHVLQIRUPDWLRQPD\ EH FRSLHG RU PRGLILHG E\ XQDXWKRUL]HG SHUVRQV RU EHFRPH FRUUXSWHG
XQLQWHQWLRQDOO\RUPDOLFLRXVO\ :KHUHWKH$FFHVV&RQWUROLVVHHQDVRYHUO\UHVWULFWLYHXVHUVFRXOGEHWHPSWHG
WRVKDUHSULYLOHJHGDFFRXQWVORJLQSDVVZRUGLQRUGHUWRDFFHVVLQIRUPDWLRQ
5.11 Managing Higher Risks System Access
Access Controls for highly sensitive information or high risk systems are to be set inaccordance with the value and classification of the information assets beingprotected.
-
7/30/2019 Nct It Policy
29/90
IT Securi ty & Audit Polic y Page 30 of 91
+LJK ULVN V\VWHPV UHTXLUH PRUH VWULQJHQW DFFHVV FRQWURO VDIHJXDUGV GXH WR WKHFRQILGHQWLDOLW\RIWKHLQIRUPDWLRQWKH\SURFHVVDQGRUWKHSXUSRVHRIWKHV\VWHPHJWKH IXQGV WUDQVIHU V\VWHPV XVHG E\ EDQNV ,GHDOO\ WKH RSHUDWLQJ V\VWHPV IRU VXFKV\VWHPVVKRXOGEHKDUGHQHGWRIXUWKHUHQKDQFHVHFXULW\,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGH
WKHIROORZLQJ $FFHVV WR D FULWLFDO V\VWHP IURP D ZRUNVWDWLRQ H[WHUQDO WR LWV GHVLJQDWHG
RSHUDWLRQDUHDFDQWKUHDWHQLWVLQWHJULW\DQGVDIHW\ $FFHVVFRQWURO ERWKSK\VLFDO DQGORJLFDOVKRXOGEH PHDVXUDEO\ KLJKHUWKDQ
IRURWKHUV\VWHPV 'XDOFRQWURODQGVHJUHJDWLRQRIGXWLHVVKRXOGEHFRQVLGHUHGIRUDOOIXQFWLRQV 3ULYLOHJHVVKRXOGEHUHGXFHGWRWKHORZHVWOHYHOWRUHDVRQDEO\SHUIRUPWKHMRE
FRQFHUQHG 3HUVRQDOVKRXOGEHFDUHIXOO\VHOHFWHGZLWKWKHLUUHFRUGVYHWWHGIRUVXLWDELOLW\IRU
VXFKMREV
5.12 Controll ing Remote User Access
Remote access control procedures must provide adequate safeguards through robustidentification, authentication and encryption techniques.
5HPRWH XVHUV HLWKHU WHOHZRUNHUV RU SHUVRQDO RQ RIILFLDO WULSV HWF PD\ QHHG WRFRPPXQLFDWH GLUHFWO\ ZLWK WKHLU RUJDQL]DWLRQV V\VWHPV WR UHFHLYHVHQG GDWD DQGXSGDWHV
6XFK XVHUV DUH SK\VLFDOO\ UHPRWHDQGWKH\ ZLOORIWHQ EH FRQQHFWLQJ WKURXJK SXEOLF
LQVHFXUHQHWZRUNV7KLVLQFUHDVHVWKHWKUHDWRIXQDXWKRUL]HGDFFHVV
,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ
7KHXVHRID8VHU,'DQGSDVVZRUGDVWKHVROHPHDQVRIDFFHVVFRQWUROPD\SURYLGH LQDGHTXDWH VHFXULW\ WR HQDEOH DFFHVV WR WKH RUJDQL]DWLRQV V\VWHPHVSHFLDOO\ZKHUHWHOHSKRQHGLDOXSDFFHVVLVSHUPLWWHG
5.13 Recommendations On Accounts and Passwords
3DVVZRUGVVKRXOGEHFKDQJHGIUHTXHQWO\ 'HSDUWPHQW VKRXOG KDYH DQ DFFRXQW UHPRYDO SURFHVV IRU SHUVRQV ZKR KDYH
JRQHRXWRIGHSDUWPHQW 'HSDUWPHQWVKRXOGKDYHDPHWKRGIRULGHQWLI\LQJXQDXWKRUL]HGXVHUV5HJXODU
FURVVFKHFNLQJVKRXOGEHGRQHWRPDNHVXUHWKHSUHVHQFHRIDXWKRUL]HXVHU7KLVFDQEHGRQHWKURXJKYHULI\LQJZLWKRWKHUPDLQWDLQHGGDWDOLNHDWWHQGDQFHUHFRUGHWF
6WDIIVVKRXOGUHFHLYHFRPSXWHUVHFXULW\DZDUHQHVVWUDLQLQJ 'HSDUWPHQW VKRXOG PDLQWDLQ D 'RFXPHQW RI LGHQWLWLHV KDYLQJ URRW DFFHVV WR
GHSDUWPHQWDOLQIRUPDWLRQ
-
7/30/2019 Nct It Policy
30/90
IT Securi ty & Audit Polic y Page 31 of 91
'HSDUWPHQW VKRXOG PDLQWDLQ WKH LGHQWLW\ RI WKRVH KDYLQJ UHPRWH DFFHVV WRGHSDUWPHQWDOLQIRUPDWLRQ
7KHUH VKRXOG EH ZULWWHQ SURFHGXUHV IRU FORVLQJ DFFRXQWV ZKHQ DQ HPSOR\HHWHUPLQDWHVHPSOR\PHQWRUPRYHVRXWRIWKHGHSDUWPHQW
-
7/30/2019 Nct It Policy
31/90
IT Securi ty & Audit Polic y Page 32 of 91
6 Securi ty Policy For Networks
6.1 Configuring Networks
The network must be designed and configured to deliver high performance andreliability to meet the needs of the operations whilst providing a high degree of accesscontrols and range of privilege restrictions.7KH FRQILJXUDWLRQ RI QHWZRUN LPSDFWV GLUHFWO\ RQ LWV SHUIRUPDQFH DQG DIIHFWV LWVVWDELOLW\DQGLQIRUPDWLRQVHFXULW\,QIRUPDWLRQ VHFXULW\ LVVXHVWREHFRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKHSROLF\ LQFOXGHWKHIROORZLQJ
3RRUQHWZRUNVWDELOLW\FDQWKUHDWHQRSHUDWLRQV ,QDGHTXDWH FRQWURO RYHU DFFHVV WR QHWZRUN FDQ MHRSDUGL]H WKH FRQILGHQWLDOLW\
DQGLQWHJULW\RIGDWD 6ORZRULQDGHTXDWHV\VWHPUHVSRQVHWLPHVLPSHGHWKHSURFHVVLQJ
6.2 Managing the Network
Suitably qualified staff are to manage the organizations network, and preserve itsintegrity in collaboration with the nominated individual system owners.
$OOEXWWKHVPDOOHVWQHWZRUNVZKHUHFKDQJHVDUHUHODWLYHO\LQIUHTXHQWUHTXLUHRQJRLQJPDQDJHPHQW
,QIRUPDWLRQ VHFXULW\ LVVXHVWREHFRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKHSROLF\ LQFOXGHWKHIROORZLQJ ,QDSSURSULDWHFRQWURORYHUDFFHVVWRWKHQHWZRUNZLOOWKUHDWHQWKHFRQILGHQWLDOLW\
DQGLQWHJULW\RIGDWD ,QDGHTXDWHFDSDFLW\FDQPDNHHIILFLHQWRSHUDWLRQGLIILFXOWRULPSRVVLEOH 6ORZRULQDGHTXDWHV\VWHPUHVSRQVHWLPHVLPSHGHWKHSURFHVVLQJ
6.3 Accessing Network Remotely
Remote access to the organizations network and resources will only be permitted
providing that authorized users are authenticated, data is encrypted across thenetwork, and privileges are restricted.
5HPRWH DFFHVV LV WUDGLWLRQDOO\ SURYLGHG E\PHDQV RI GLDOXSRU OHDVHGSKRQH OLQHV+RZHYHUWKH9LUWXDO3ULYDWH1HWZRUNSURYLGHVDFFHVVDFURVVSXEOLFQHWZRUNVHJWKH,QWHUQHW
,QIRUPDWLRQ VHFXULW\ LVVXHVWREHFRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKHSROLF\ LQFOXGHWKHIROORZLQJ
-
7/30/2019 Nct It Policy
32/90
IT Securi ty & Audit Polic y Page 33 of 91
,QDGHTXDWH,QWHUQHW6HFXULW\VDIHJXDUGVFDQDOORZXQDXWKRUL]HGDFFHVVWRWKHQHWZRUNZLWKSRWHQWLDOO\GLVDVWURXVFRQVHTXHQFHV
:HDNGLDOLQVHFXULW\VWDQGDUGVFDQJLYHXQDXWKRUL]HGDFFHVVWRWKHQHWZRUNWKHFRQVHTXHQFHVRIZKLFKFRXOGEHYHU\VHULRXV
6.4 Defending Network Information from Malicious Attack
System hardware, operating and application software, the networks andcommunication systems must all be adequately configured and safeguarded againstboth physical attack and unauthorized network intrusion.
7KH PHDVXUHV VKRXOG EH WDNHQ WR GHIHQG FRPSXWHU KDUGZDUH DJDLQVW SK\VLFDOGDPDJHDQGVRIWZDUHIURPXQDXWKRUL]HGXVDJH,QIRUPDWLRQ VHFXULW\ LVVXHVWREHFRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKHSROLF\ LQFOXGHWKHIROORZLQJ
+DUGZDUH FDQ EH SK\VLFDOO\ GDPDJHG WKURXJK D PDOLFLRXV DFW SHUKDSVQHFHVVLWDWLQJDV\VWHPFORVHGRZQRUGHOD\HGRSHUDWLRQV
8QDXWKRUL]HG DQGLQDSSURSULDWH XVHRI VRIWZDUH FDQOHDG WR PDOLFLRXV DQGRUIUDXGXOHQWDPHQGPHQWRIGDWD
6.5 Recommendations On Network and Configuration Securi ty
'HSDUWPHQWVKRXOGKDYHDQLQYHQWRU\RIGHYLFHVDWWDFKHGWRWKHQHWZRUN 7KHURRPMDFNVVKRXOGEHPDSSHGWRDVZLWFKSRUW 7KHUHVKRXOGEHDSROLF\DVWRKRZQHWZRUNVHUYLFHVDUHDFFHVVHGE\XVHUV
'HSDUWPHQWVKRXOGKDYHQHWZRUNGRFXPHQWDWLRQWRDVVLVWSUREOHPUHVROXWLRQRIDFRPSXWHURUQHWZRUNGHYLFH
'HSDUWPHQWVKRXOGKDYHWKHDELOLW\WRFRQWLQXHWRIXQFWLRQLQWKHHYHQWRIDZLGHDUHDQHWZRUNIDLOXUH
'HSDUWPHQWVKRXOGKDYHDQHWZRUNGLDJUDPWKDWLQFOXGHV,3DGGUHVVHVURRPQXPEHUVDQGUHVSRQVLEOHSDUWLHV
(QGXVHUVVKRXOGEHSUHYHQWHGIURPGRZQORDGLQJDQGRULQVWDOOLQJVRIWZDUH &RQWHQWV RI V\VWHP ORJV VKRXOG EH SURWHFWHG IURP XQDXWKRUL]HG DFFHVV
PRGLILFDWLRQDQGRUGHOHWLRQ &'520$XWRUXQIHDWXUHVKRXOGEHGLVDEOHGRQDOOZRUNVWDWLRQV 7UXVWHGZRUNVWDWLRQVVKRXOGEHVHFXUHGLIXVHGIRURWKHUSXUSRVHV
7UXVWHGZRUNVWDWLRQVVKRXOGEH66/RU931HQDEOHG 7UXVWHGZRUNVWDWLRQVVKRXOGEHUHTXLUHGWRKDYHFRPSOH[SDVVZRUGV 6HFXULW\SUHFDXWLRQVVKRXOGEHWDNHQIRUGLDOLQPRGHPV $GPLQLVWUDWRUDFFRXQWDQGDQ\HTXLYDOHQWDFFRXQWVRQDOOZRUNVWDWLRQVVKRXOG
EHOLPLWHGWRWKHRIILFHWHFKQLFDOVXSSRUWSHUVRQ )LOH VKDULQJ VKRXOG EHSURSHUO\ SHUPLWWHG DQGVHFXUHG RQ DQ\ ZRUNVWDWLRQ LQ
WKHGHSDUWPHQW )LOH VKDULQJ VKRXOG EH XQERXQG IURP 7&3,3 WUDQVSRUW WR SUHYHQW DFFHVV
IURPWKH,QWHUQHWZKLOHOHDYLQJLWERXQGWR1HW%(8,IRUORFDOWUDQVSRUW
-
7/30/2019 Nct It Policy
33/90
IT Securi ty & Audit Polic y Page 34 of 91
6.6 Recommendation on Host based firewall
6RPHRQHVKRXOGPRQLWRULIDQ\RQHLVDFFHVVLQJFULWLFDOGDWD 7KHUHVKRXOGEHSURFHVVIRUPDQDJLQJLQGLYLGXDOILUHZDOOVRQDOOGHVNWRSV 6HWWLQJVVKRXOGEHSDVVZRUGSURWHFWHG /RJVVKRXOGEHRIWHQUHYLHZHG
7KHUHVKRXOGEHFHQWUDOPRQLWRULQJRIVHWWLQJVDQGORJV
-
7/30/2019 Nct It Policy
34/90
IT Securi ty & Audit Polic y Page 35 of 91
7 Securi ty Policy For Operating System
&RPSXWHU SURJUDPV WKDW DUH SULPDULO\ RU HQWLUHO\ FRQFHUQHG ZLWK FRQWUROOLQJ WKHFRPSXWHUDQGLWVDVVRFLDWHGKDUGZDUHUDWKHUWKDQZLWKSURFHVVLQJZRUNIRUXVHUVDUHNQRZQDV2SHUDWLQJ6\VWHP&RPSXWHUVFDQRSHUDWHZLWKRXWDSSOLFDWLRQVRIWZDUHEXW
FDQQRWUXQZLWKRXWDQ2SHUDWLQJ6\VWHP
Operating Systems must be regularly monitored and all required housekeepingroutines adhered to.
7KH RSHUDWLQJ V\VWHP RI GHVNWRS V\VWHPV ZLWKLQ GHSDUWPHQWV ZLOO JHQHUDOO\ UXQZLWKRXW VXEVWDQWLDO LQWHUIHUHQFH +RZHYHU IRU VHUYHUV PLQLFRPSXWHUV DQGPDLQIUDPHV HVSHFLDOO\ WKRVH UXQQLQJ PDWXUH 2SHUDWLQJ 6\VWHPV 26 GD\ WR GD\KRXVHNHHSLQJLVXVXDOO\UHTXLUHG
,QIRUPDWLRQ VHFXULW\ LVVXHV WR EH FRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKH SROLF\ LQFOXGH
WKHIROORZLQJ
:KHUH DQ XSJUDGHG RSHUDWLQJ V\VWHP IDLO WR SHUIRUP DV H[SHFWHG WKLV FDQUHVXOWLQDORVVRIVWDELOLW\RUHYHQWKHWRWDOIDLOXUHRIVRPHV\VWHPV
:KHUH KRXVHNHHSLQJ DQG URXWLQH VXSSRUW DUH LQIRUPDO RU LQFLGHQW OHGZHDNQHVVHV LQ WKH VHFXULW\ VDIHJXDUGV FDQ JR XQGHWHFWHG DQG RIIHU WKHSRWHQWLDOIRUIUDXGRUPDOLFLRXVGDPDJH
-
7/30/2019 Nct It Policy
35/90
IT Securi ty & Audit Polic y Page 36 of 91
8 Securi ty Policy For Software
8.1 Managing Operational Program Libraries:
Only designated staff may access operational program libraries. Amendments mayonly be made using a combination of technical access control and robust proceduresoperated under dual control.
0DQDJLQJ WKH GLUHFWRULHV ZLWKLQ FRPSXWHUV LQ ZKLFK RSHUDWLRQDO OLYH VRIWZDUH LVVWRUHG
,QIRUPDWLRQ VHFXULW\ LVVXHVWREHFRQVLGHUHG ZKHQ LPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ
,IRSHUDWLRQDOSURJUDPOLEUDULHVDUHSRRUO\SURWHFWHGVRIWZDUHDQGFRQILJXUDWLRQILOHV FRXOGEHPRGLILHG ZLWKRXW DXWKRUL]DWLRQUHVXOWLQJ LQGLVUXSWLRQWRV\VWHPDQGRURWKHULQFLGHQWV
8QDXWKRUL]HG XVHRI SURGXFWLRQ VRIWZDUH FDQ FDXVH GLVUXSWLRQ WR V\VWHPVRUIUDXGDJDLQVWWKHGHSDUWPHQW
8.2 Managing Program Source Libraries:
Only designated staff may access program source libraries. Amendments may onlybe made using a combination of technical access control and robust procedures
operated under dual control. Managing the directory areas within the system wherethe source code, object code of live and development systems are held. Live anddevelopment libraries must always be kept separate.,QIRUPDWLRQ VHFXULW\ LVVXHVWREHFRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKHSROLF\ LQFOXGHWKHIROORZLQJ /DFN RI WKH VRXUFH FRGH FDQ PDNH LW GLIILFXOW RU LPSRVVLEOH WR PDLQWDLQ WKH
V\VWHPV 8QDXWKRUL]HGDPHQGPHQWRIVRXUFHFRGHFDQUHVXOW LQV\VWHPIDLOXUHVDQGRU
PDOLFLRXVGDPDJH
8.3 Controlling Program List ing
Program listing must be controlled and kept fully up to date at all time.&RQWUROOLQJLQFOXGHVWDNLQJSULQWRXWVUHSRUWVHOHFWURQLFRUKDUGFRS\RIWKHDSSOLFDWLRQVRXUFHFRGHWKDWPDNHVXSWKHSURJUDPVUXQRQWKHV\VWHPV,QIRUPDWLRQ VHFXULW\ LVVXHV WREH FRQVLGHUHG ZKHQ LPSOHPHQWLQJWKH SROLF\ LQFOXGHWKHIROORZLQJ
-
7/30/2019 Nct It Policy
36/90
IT Securi ty & Audit Polic y Page 37 of 91
/RVVRUXQDYDLODELOLW\RIDOLVWLQJFDQUHVXOWLQGHOD\VLQLGHQWLI\LQJWKHVRXUFHRIDV\VWHPSUREOHPWKHUHVXOWRIZKLFKFRXOGEHVHYHUH
+DYLQJ D SURJUDP OLVWLQJ DYDLODEOH FDQ EH XVHG E\ DQ\RQH ZLWK LOO LQWHQW RUVHHNLQJ WR GHIUDXG DV LW JLYHV WKHP WKH SUHFLVH ORJLF DQG URXWLQHV IRU WKHV\VWHPLQTXHVWLRQ
8.4 Controll ing Program Source Libraries
Formal change control procedures with comprehensive audit trails are to be used tocontrol program source libraries.0RQLWRULQJDQGLQYHVWLJDWLQJFKDQJHVPDGHWRSURJUDPVRXUFHOLEUDULHV,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ $Q\XQDXWKRUL]HGFKDQJHVPDGHWRWKHSURJUDPVRXUFHOLEUDULHVFDQRSHQWKH
GRRUWRSRWHQWLDOHUURURUIUDXG ,I DXGLW WUDLO UHSRUWV DQG HYHQW ORJV DUH QRW UHJXODUO\ UHYLHZHG LQFLGHQWV FDQ
UHPDLQXQGHWHFWHG
8.5 Controll ing Old Versions of Programs
Formal change control procedures with comprehensive audit trails are to be used tocontrol versions of old programs.&RQWUROOLQJWKHZD\LQZKLFKXVHUKDQGOHWKHDSSOLFDWLRQFRGHRISURJUDPVZLWKLQWKHV\VWHPZKLFKKDVEHHQVXSHUVHGHGRUGLVFRQWLQXHG
,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ ,IWKHSURJUDPOLEUDU\KDVEHHQUHPRYHGRUXSGDWHGXVHUPD\QRWEHDEOHWR
DFFHVVRUUHYHUWWRWKHROGHUYHUVLRQRIWKHDSSOLFDWLRQLIQHHGEH7KLVFRXOGFDXVHVHYHUHSUREOHPVZKHUHWKHUHDUHIRXQGWREHPDMRUEXJVLQWKHQHZHUYHUVLRQ
%HZDUH RI ROG YHUVLRQV RI SURJUDPV EHLQJ FRQIXVHG ZLWK WKH ODWHVW YHUVLRQUHVXOWLQJHLWKHULQWKHORVVRIUHFHQWHQKDQFHPHQWRUDIDLOXUHRIRWKHUV\VWHPVZKLFKGHSHQGRQUHFHQWIHDWXUHV
9 Securi ty Policy for cyber crime
Security on the network is to be maintained at the highest level. Those responsiblefor the network and external communications have to receive proper training in riskassessment and how to build secure systems which minimize the threats from cybercrime.
7KHUH LV D YHU\ KLJK ULVN RI H[WHUQDO VHFXULW\ EUHDFKHV ZKHUH QHWZRUN VHFXULW\ LVLQDGHTXDWH
-
7/30/2019 Nct It Policy
37/90
IT Securi ty & Audit Polic y Page 38 of 91
,QIRUPDWLRQVHFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLFLHVLQFOXGHWKHIROORZLQJ
&ULPLQDOV PD\ WDUJHW GHSDUWPHQWV LQIRUPDWLRQ V\VWHP UHVXOWLQJ LQ VHULRXVILQDQFLDOORVVDQGGDPDJHWRGHSDUWPHQWVRSHUDWLRQVDQGUHSXWDWLRQ
&\EHUFULPHLVDQHYHULQFUHDVLQJDUHDRIFRQFHUQDQGVXLWDEOHWUDLQLQJLVWREH
JLYHQWRWKRVHSHUVRQVUHVSRQVLEOHIRUQHWZRUNVHFXULW\WRPLQLPL]HVXFKULVNV
9.1 Recommendations On to Web Servers and Email
:HEVHUYHUVKRXOGEHVHWWRRQO\DFFHSWWUDIILFRQSRUW :HEVHUYHUVKRXOGEHVHWWRUHMHFWDWWHPSWVWRUHPRWHO\DGPLQLVWHULW :HEVHUYHUVKRXOGEHVHWWRDXWKHQWLFDWHFHUWDLQXVHUWUDIILF )73VHUYHUVVKRXOGEHVHWWRDXWKHQWLFDWHXVHUV 7UDIILFVKRXOGEHHQFU\SWHGVHFXUHG (PDLOVHUYHUVKRXOGEHVHWWRVFDQPDLODQGDWWDFKPHQWVIRUYLUXVHV
(PDLOVHUYHUVKRXOGEHVHWWRUHMHFWDWWDFKPHQWV (PDLOVHUYHUVKRXOGEHVHW127WRDFWDVDUHOD\ :HEDFFHVVWRHPDLOVKRXOGEHVHFXUHG &OLHQWFRQQHFWLRQVIURPRXWVLGHWKHVXEQHWVKRXOGEHVHFXUHGHQFU\SWHG
-
7/30/2019 Nct It Policy
38/90
IT Securi ty & Audit Polic y Page 39 of 91
10 Backup Policies
6\VWHPDGPLQLVWUDWRURUWKHQRGDORIILFHUZLOOEHUHVSRQVLEOHIRUGHYHORSLQJDUHJLPHQIRU EDFNLQJ XS WKH V\VWHPV GHSHQGLQJ XSRQ FRQILJXUDWLRQ VRIWZDUH DSSOLFDWLRQVQDWXUH RI GDWD DQG RWKHU IDFWRUV 7KHVH UHJLPHQV PXVW EH GRFXPHQWHG DQG PDGH
DYDLODEOHWRXVHUVIRUUHIHUHQFHV$GPLQLVWUDWRUZLOODOVRHQVXUHWKHVHSURFHGXUHVDUHIROORZHGVWULFWO\DQGLPSOHPHQWHGDVSHUUXOHV'HSDUWPHQWVZLOOHQVXUHWKHLU%DFNXSPHGLDGHYLFHVVXFKDVWDSH'ULYHV&'520DQG )ODVK 'ULYHV HWF IRU QHFHVVDU\ EDFNXS 'HSDUWPHQWV VKRXOG DOVR WU\ WR VHWLQIUDVWUXFWXUH IRU WDNLQJ EDFNXS RYHU WKH QHWZRUN IRU WKHLU 6XE2IILFHV 5HPRWH%DFNXS6HUYLFHVFRXOGDOVREHWDNHQIRUEDFNXSDQGUHFRYHU LPSRUWDQWGDWDXVLQJDVHFXUHDQGWUXVWHGVHUYHURQWKH,QWUDQHW'HSDUWPHQWVVKRXOGPDLQWDLQEDFNXSLQIUDVWUXFWXUHLQFOXGLQJXSJUDGLQJWKHKDUGZDUHDQGVRIWZDUHDVQHHGHG
10.1 Backup Process
The purpose of backup is to protect the files on the disks from catastrophic loss. Thebackup of disk files is performed on a daily basis to protect data from being lost due toa hardware or software malfunction.
3ROLFLHV5HFRPPHQGDWLRQVRQ%DFNXSRI$SSOLFDWLRQVDQG'RFXPHQWV
7KHLQGLYLGXDOXVHULVUHVSRQVLEOHIRUHQVXULQJWKHQHFHVVDU\DQGUHJXODUEDFNXSRI
GRFXPHQWILOHVRIKLVKHURZQFRPSXWHU+HUHDUHVRPHSROLFLHVDQGJXLGHOLQHVWRNHHSLQPLQG
)RU,QGLYLGXDO'HVNWRS
7KH XVHU VKRXOG NHHS RULJLQDO DSSOLFDWLRQ GLVNHWWHV RU &'V IRU VSHFLDOL]HGVRIWZDUHDORQJZLWKOLFHQVLQJLQIRUPDWLRQLQFDVHDQ\RIWKDWVRIWZDUHQHHGVWREHUHLQVWDOOHG
%DFNXSVKRXOGEHWDNHQRQUHPRYDEOHVWRUDJHPHGLDRUGHYLFHVVXFKDV=LSGULYHVIORSS\ 'LVNV&'520)ODVK'ULYHVHWFUHIHUDQQH[XUHIRUGHWDLOVRIWKHVHGHYLFHV$SSURSULDWHEDFNXSVRIWZDUHFDQDOVREHXVHGIRUWDNLQJUHJXODU
EDFNXSV 8VHUV DQGRU WKHLU GHSDUWPHQWV DUH UHVSRQVLEOH IRU SXUFKDVLQJ UHPRYDEOH
PHGLDHJ=LSGLVNVHWF ,Q FDVH RI ORVW RU GDPDJHG V\VWHP ILOHV DQG VWDQGDUG DSSOLFDWLRQV XVHU LV
UHTXLUHGWRFDOO6\VWHPDGPLQLVWUDWRU,71RGDO2IILFHUIRUVROXWLRQ
7RHQVXUHWKHVDIHW\RIWKHLUEDFNXSILOHVXVHUVVKRXOG
.HHS YHU\ LPSRUWDQW EDFNXSXQGHU ORFN DQG NH\ +RZHYHU RQHFRS\ PD\EHNHSWLQDQRWKHUEXLOGLQJLISRVVLEOHIRUUHVWRUDWLRQSXUSRVH
-
7/30/2019 Nct It Policy
39/90
IT Securi ty & Audit Polic y Page 40 of 91
.HHS GRFXPHQWV LQ DQ DSSURSULDWH IROGHU DQG DVVLJQ VLPLODU QDPHV IRU HDV\EDFNXS
%DFNXSHQWLUH'RFXPHQWVIROGHUWRWKHUHPRYDEOHPHGLDDWOHDVWRQFHDZHHNRUGDLO\LIGRFXPHQWVDUHIUHTXHQWO\FUHDWHGFKDQJHG
0DLQWDLQ DW OHDVW EDFNXS VHWV DOWHUQDWLQJ WKHLU XVH 7KXV LI ODWHVW EDFNXSJRHVEDGWKHUHZLOOVWLOOEHWKHRWKHUEDFNXSRIROGHUYHUVLRQ
7DSHV FDQ EH UHXVHG EXW ZLWK WLPH DV TXDOLW\ RI D WDSH GHJUDGHV SURSHUSUHFDXWLRQVPXVWEHWDNHQ,IDWDSHJRHVEDGPDUNLWDVEDGDQGGLVFDUGLW%HIRUHWKURZLQJWDSHGHVWUR\WKHGLVNVRWKDWVRPHRQHGRHVQWWU\WRXVHLW
)RU1HWZRUN8VHUV8VHUV FRQQHFWHG WR /$1 ZLOO EH DOORFDWHG VWRUDJH DUHD RQ D QHWZRUN VHUYHU 7KLVVWRUDJHDUHDZLOOEHXVXDOO\DVHSDUDWHGULYHDQGPDLQWDLQHGE\V\VWHPDGPLQLVWUDWRURUDSHUVRQQRPLQDWHGDVDQRGDORIILFHUIRUWKDWGHSDUWPHQW7KLVGULYHZLOOFRQWDLQIROGHUVRUGLUHFWRULHVE\ WKHVDPH QDPH RI V\VWHPZKLFK FDQ WKHQ EHDFFHVVHG LQH[SORUHUE\JLYLQJFRUUHFWSDVVZRUG)LOHVFDQEHFRSLHGIURPWKHXVHUVZRUNVWDWLRQWRWKLVIROGHU7KHVHGULYHIROGHUV VKRXOGEHEDFNHGXSWRPDJQHWLFWDSH'$7DQG
WKHWDSHVVKRXOGWKHQIXUWKHUEDFNXSWRDQRIIVLWHVWRUDJHIDFLOLW\SURYLGHGIRUVHFXULW\DQGGLVDVWHUUHFRYHU\ ,W LVVWURQJO\UHFRPPHQGHG WKDW WKHEDFNXS WDSHVVKRXOGEHNHSWLQDIDURIIEXLOGLQJ)LOH%DFNXS7KH 6KDUH GULYH IROGHUV VKRXOG EH EDFNHG XS WR PDJQHWLF WDSH FDUWULGJHV HDFKZHHNGD\QLJKW2IIVLWH6WRUDJH,QRUGHUWRSURYLGHGLVDVWHUUHFRYHU\FDSDELOLW\EDFNXSWDSHVVKRXOGEHEDFNHGXSWRDVHFXUHRIIVLWHVWRUDJHIDFLOLW\
7KHEDFNXSWDSHVVKRXOGEHPDLQWDLQHGLQRIIVLWHVWRUDJHDFFRUGLQJWRWKHIROORZLQJVFKHGXOH :HHNGD\WDSHVVKRXOGEHVWRUHGRIIVLWHIRUWZRZHHNV 0RQWKO\WDSHVVKRXOGEHUHWDLQHGRIIVLWHIRURQH\HDU )LVFDO
-
7/30/2019 Nct It Policy
40/90
IT Securi ty & Audit Polic y Page 41 of 91
7KHFXUUHQWVWDWXVRIWKHDIIHFWHGGLVNDUHDSDUWLWLRQRUYROXPH ,QGLFDWHWKHGDWHRIWKHODVWNQRZQJRRGYHUVLRQRIWKHILOHWKLVZRXOGKHOSWR
LGHQWLI\WKHVHWRIEDFNXSWDSHVWRXVHLQDWWHPSWLQJWRUHVWRUHWKHILOH ,IHPDLOQHHGVWREHUHVWRUHGLQGLFDWHWKHQDPHRIWKHXVHUVPDLOVHUYHUWKH
8VHUQDPHXVHGWRORJRQWRWKHPDLOVHUYHUDQGWKHGDWHVXEMHFWHWFRIWKHHPDLO
,QWKHFDVHRIPLQRUILOHORVVOLNHDFFLGHQWDOUHPRYDODGGLWLRQDOLQIRUPDWLRQLVQHHGHG
7KHFRPSOHWHILOHQDPHVRIWKHORVWILOHV 7KHWLPHILOHVZHUHODVWPRGLILHGRUFUHDWHG 7KHWLPHILOHVZHUHORVWRUGHVWUR\HG
,I WKH XVHU QHHGV DQ DUFKLYHG WDSH NHSW RIIVLWH LW LV YHU\ LPSRUWDQW WKDW WKH XVHUVKRXOG KDYH WKH IROORZLQJ LQIRUPDWLRQ EHFDXVH RI WKH VLJQLILFDQW FRVW LQYROYHG LQUHWULHYLQJDQGUHVWRULQJWKHP
7KHQDPHRIWKHFRPSXWHUDWWKHWLPHRIWKHEDFNXS 7KHPRQWKVDQG\HDURIWKHEDFNXS
10.3 Recommendations On Backup and Recovery & Disaster Planning
)LOHVVKRXOGEHNHSWRQVLWHLQDVHFXUHORFDWLRQ &ULWLFDOILOHVVKRXOGEHUHJXODUO\EDFNHGXS %DFNXSILOHVVKRXOGEHSHULRGLFDOO\UHVWRUHGDVDWHVWWRYHULI\WKH\DUHXVDEOH 7KHUHPXVWEHD ZULWWHQFRQWLQJHQF\SODQWRSHUIRUPFULWLFDOSURFHVVLQJLQWKH
HYHQWWKDWRQVLWHZRUNVWDWLRQVDUHXQDYDLODEOH 7KHUHVKRXOGEHDSODQWRFRQWLQXHGHSDUWPHQWDOZRUNLQJLQWKHHYHQWZKHQWKH
FHQWUDOV\VWHPVDUHGRZQIRUDQH[WHQGHGSHULRG &RQWLQJHQF\SODQVKRXOGEHSHULRGLFDOO\WHVWHGWRYHULI\WKDWLWFRXOGEHIROORZHG
WRUHVXPHFULWLFDOSURFHVVLQJ &ULWLFDO GDWD VKRXOG EH VWRUHG RQ D GHSDUWPHQW VHUYHU WR SURWHFW IURP
FRPSURPLVH
-
7/30/2019 Nct It Policy
41/90
IT Securi ty & Audit Polic y Page 42 of 91
11 LAN Security
$V LQGLFDWHG HDUOLHUWKH RIILFHKDV WR KDYHD VHSDUDWH SROLF\IRU VWDQGDORQH3&V LQDGGLWLRQ WR WKH /$1 VHFXULW\ SROLF\ ,Q WKH HYHQW RI D FRQIOLFW WKH QHWZRUN SROLF\
VXSHUVHGHVWKH VWDQGDORQH SROLF\ $OOHPSOR\HHVRIWKHGHSDUWPHQWDUH UHTXLUHG WRUHDGWKLVSROLF\DQGIROORZWKHSURFHGXUHVWKHUHLQ7KLVQHWZRUNSROLF\DGGUHVVHVWKHIROORZLQJVSHFLILFLVVXHV 'RFXPHQWDWLRQRI1HWZRUN$SSOLFDWLRQVDQG6\VWHP6RIWZDUH 'DWDFRQILGHQWLDOLW\LQWHJULW\DQGDYDLODELOLW\RYHUWKHQHWZRUN )UHTXHQF\DQGUHWHQWLRQSHULRGVIRUQHWZRUNEDFNXS $XWKRUL]HGXVHRIQHWZRUNUHVRXUFHV $GKHUHQFHWRVRIWZDUHOLFHQVLQJDJUHHPHQWV 1HWZRUN+DUGZDUHPDLQWHQDQFH
3UREOHPORJJLQJUHSRUWLQJDQGPRQLWRULQJ 8VHUUHVSRQVLELOLWLHVIRUVHFXULW\ZRUNVWDWLRQPDLQWHQDQFHDQGEDFNXSRIGDWD
ILOHV 3UHYHQWLRQDQGGHWHFWLRQRIQHWZRUNYLUXVHV
11.1 Network Organization
7KLV VHFWLRQ FRYHUV NH\ GHILQLWLRQV WKDW DUH XVHG LQ WKLV SROLF\ DQG GHVFULEHV WKHGHSDUWPHQWDOVWUXFWXUHUHODWLQJWR3&VDQG/$1V
(A) Definitions3HUVRQDO &RPSXWHU 3& DOVR FDOOHG 1RGH $ VPDOO FRPSXWHU FRQWDLQLQJ DPRWKHUERDUG ZLWK D &HQWUDO 3URFHVVLQJ 8QLW &38 PHPRU\ FKLSV DVVRFLDWHGVXSSRUWLQJSURFHVVRUVDQGVORWVVRFNHWVRUSOXJVIRUDWWDFKLQJSHULSKHUDOHTXLSPHQWVXFKDVDNH\ERDUGYLGHRPRQLWRUIORSS\GLVNDQGKDUGGLVN3&VPD\EHXVHGDVVWDQGDORQHZRUNVWDWLRQVDVDFOLHQWLQDQHWZRUNRUDVDWHUPLQDOIRUDPLQLFRPSXWHURUPDLQIUDPH1HWZRUN$VHULHVRI3&VFRQQHFWHGLQVRPHW\SHRIWRSRORJ\JHQHUDOO\DVWDUULQJRUEXVXVLQJDVSHFLDOQHWZRUNRSHUDWLQJV\VWHP126WKDWDOORZVWKH3&VWRVKDUH
GDWDDQGUHVRXUFHV/RFDO $UHD 1HWZRUN /$1 $ QHWZRUN WKDW LV VHW XS IRU D GHSDUWPHQW RU OLPLWHGJHRJUDSKLFDUHD $SHHUWRSHHUQHWZRUNVKDUHV UHVRXUFHVZLWK RWKHU 3&V $FOLHQWVHUYHU/$1FDQLQFOXGHPLGUDQJHDQGOHJDF\ILOHVHUYHUVDQGGDWDEDVHVHUYHUV:LGH $UHD 1HWZRUN :$1: $ QHWZRUN WKDW FRQQHFWV VHYHUDO QHWZRUNV LQ GLVWDQWORFDWLRQV 7KH WHUPV QHWZRUN /$1 DQG :$1 DUH V\QRQ\PRXV ZLWK UHJDUG WRDSSOLFDELOLW\RIWKHSROLFLHVGHVFULEHGKHUHLQ
-
7/30/2019 Nct It Policy
42/90
IT Securi ty & Audit Polic y Page 43 of 91
(B) Job Descriptions1HWZRUNDGPLQLVWUDWRU
7KH GXWLHV RI WKH QHWZRUN DGPLQLVWUDWRU VKDOO LQFOXGH PRQLWRULQJ QHWZRUN HIILFLHQF\UHVSRQVH WLPH XWLOL]DWLRQ RI GLVN VSDFH HWF WURXEOHVKRRWLQJ QHWZRUN SUREOHPV
PRQLWRULQJ HQYLURQPHQWDO FRQGLWLRQV EDFNLQJ XS WKH V\VWHP VKDUHG GDWD ILOHV DQGDSSOLFDWLRQ SURJUDPV RQ WKH ILOH VHUYHU DQG SUHYHQWLQJ DQG GHWHFWLQJ FRPSXWHUYLUXVHV2WKHU GXWLHV LQFOXGH HQVXULQJ WKDW QHWZRUN VHFXULW\ IHDWXUHV LQ WKH 126 DUHLPSOHPHQWHGUHFRPPHQGLQJVRIWZDUHDQGKDUGZDUHDFTXLVLWLRQVQHHGHGWRPDLQWDLQRSHUDWLQJHIILFLHQF\FRQWDFWLQJQHWZRUNPDLQWHQDQFHFRQWUDFWRUVUHJDUGLQJWHFKQLFDOSUREOHPV GHOHWLQJ DQG DGGLQJ XVHUV FRRUGLQDWLQJ WKH LQVWDOODWLRQ RI QHZ QHWZRUNKDUGZDUH DQG VRIWZDUH DQG PDLQWDLQLQJ DQ LQYHQWRU\ RI QHWZRUN KDUGZDUH DQGVRIWZDUH 7KH QHWZRUN DGPLQLVWUDWRU ZLOO UHSRUW VXVSHFWHG VHFXULW\ SUREOHPV WR WKH1RGDO 2IILFHU6\VWHP $GPLQLVWUDWRU,QFKDUJH &RPSXWHU &HQWUH DQG ZLOO FRRUGLQDWHZLWKWKHVHFXULW\RIILFHURQSURGXFLQJVHFXULW\UHSRUWV7KHQHWZRUNVHFXULW\RIILFHUZLOO
DGGUHVVDQ\VHFXULW\FRQFHUQVLGHQWLILHGE\WKHUHSRUW1HWZRUN6HFXULW\2IILFHU
'XWLHV RI WKH QHWZRUN VHFXULW\ RIILFHU LQFOXGH PRQLWRULQJ VHFXULW\ YLRODWLRQV RQ WKHQHWZRUN XQDXWKRUL]HGDQGXQVXFFHVVIXODFFHVVDWWHPSWV SDVVZRUG DGPLQLVWUDWLRQDQGDQ\RWKHUGXW\GHHPHGQHFHVVDU\E\WKH%RDUGRULWVFRPPLWWHHVWRHQKDQFHWKHVHFXULW\RIWKHQHWZRUN'HSDUWPHQWVKRXOGKDYHLWVRZQ1HWZRUN6HFXULW\2IILFHUWRSHUIRUP DERYH GXWLHV KRZHYHU 1HWZRUN 6HFXULW\ 2IILFHU FRXOG EH DUUDQJH IRUPDLQWHQDQFHRI:$1
(C) Compliance with Policy7KH +HDGV RI WKH GHSDUWPHQW DUH UHVSRQVLEOH IRU HQVXULQJ WKDW WKHLU HPSOR\HHVFRPSO\ ZLWK WKH SROLF\ 7KH ,7 0DQDJHU LV UHVSRQVLEOH IRU UHSRUWLQJ WR WKH QHWZRUNDGPLQLVWUDWRUDQ\VXSSRUWQHHGVRUFRQFHUQVH[FHSWVHFXULW\6HFXULW\FRQFHUQVZLOOEHFRPPXQLFDWHGWRWKHQHWZRUNVHFXULW\RIILFHU
11.2 Network Secur ity
7KLV VHFWLRQ GLVFXVVHV WKH W\SHV RI VHFXULW\ DQG VHFXULW\ SROLF\ UHJDUGLQJ DFFHVVFRQWUROSDVVZRUGVDQGGDWDVHFXULW\LQDQHWZRUNHGHQYLURQPHQW
(A) Types of Securi ty7KH2IILFHVQHWZRUNKDVIRXUW\SHVRIVHFXULW\ /RJLQ3DVVZRUGLQLWLDODFFHVV 7UXVWHHGLUHFWRU\OHYHODFFHVV 'LUHFWRU\GLUHFWRU\OHYHODFFHVV )LOHDWWULEXWHVILOHOHYHO
-
7/30/2019 Nct It Policy
43/90
IT Securi ty & Audit Polic y Page 44 of 91
/RJLQ3DVVZRUG6HFXULW\LVDFWLYDWHGZKHQDXVHUORJVLQWRWKHQHWZRUN7KHVHUYHUUHTXLUHVERWKDUHFRJQL]DEOH XVHU QDPH DQG D SDVVZRUG (DFK XVHU FKRRVHV KLV RU KHU RZQSDVVZRUG ZKLFK LV HQFU\SWHG E\ WKH V\VWHP ,I WKH XVHU IRUJHWV WKH SDVVZRUG WKHQHWZRUNDGPLQLVWUDWRUPXVWDVVLJQDQHZRQH
7UXVWHH$WUXVWHHLV DXVHUZKR KDVEHHQ JLYHQULJKWVWRDGLUHFWRU\DQGWKH ILOHVLW FRQWDLQV7UXVWHH ULJKWV FDQ EH DVVLJQHG WR ERWK LQGLYLGXDOV DQG JURXSV $ WUXVWHH ZLOO QRWDVVLJQGLUHFWRU\RUILOHULJKWVWRDXVHUZKRGRHVQRWKDYHDOHJLWLPDWHQHHGWRXVHWKDWILOHRUGLUHFWRU\7UXVWHHVZLOOHQVXUHWKDWFRQILGHQWLDORIILFHLQIRUPDWLRQWRZKLFKWKH\KDYH DFFHVV LV QRW ZULWWHQWR UHPRYDEOH PHGLD DQG WUDQVSRUWHG RII2IILFH SUHPLVHVXQOHVV DXWKRUL]HG E\ WKH GHSDUWPHQWDO VXSHUYLVRU RU SHUIRUPHG E\ DXWKRUL]HGLQGLYLGXDOVDVSDUWRIEDFNXSDQGHPHUJHQF\UHFRYHU\SURFHGXUHV,QDGGLWLRQUHSRUWVSULQWHGXVLQJWKHGDWDVKRXOGEHGLVWULEXWHGRQO\WRDXWKRUL]HGXVHUV'LUHFWRU\
7KHGLUHFWRU\VHFXULW\GHILQHVDXVHUVULJKWVLQDJLYHQGLUHFWRU\7KHVHULJKWVDUH 6XSHUYLVRUDVVLJQVWKHULJKWVIRUWKHGLUHFWRU\ $FFHVVFRQWUROWUXVWHHDVVLJQPHQWV )LOHVFDQVHDUFK 0RGLI\ILOHQDPHVDQGDWWULEXWHV &UHDWHQHZILOHVRUVXEGLUHFWRULHV (UDVHH[LVWLQJILOHVRUVXEGLUHFWRULHV 5HDGILOHV :ULWHILOHV7KH RZQHU ZLOO QRW DVVLJQ ULJKWV WR XVHUV ZKR GR QRW KDYH D OHJLWLPDWH QHHG RU
DXWKRULW\WRYLHZRUXVHWKHLQIRUPDWLRQ)LOH$WWULEXWHV7KHRZQHURIDILOHKDVWKHULJKWWRVHWWKHIROORZLQJDWWULEXWHV 6KDUHDEOHUHDGRQO\ 6KDUHDEOHUHDGZULWH 1RQVKDUHDEOHUHDGRQO\ 1RQVKDUHDEOHUHDGZULWH +LGGHQILOH 'HOHWHLQKLELW
5HQDPHLQKLELW
$VVLJQPHQWRIWKHVHULJKWVLV GHVLJQHGWRSUHYHQWDFFLGHQWDOFKDQJHVRUGHOHWLRQVWRWKHILOHV7KHRZQHURIDILOHFRQWDLQLQJFRQILGHQWLDOLQIRUPDWLRQZLOOQRWDVVLJQDFFHVVWRDXVHUWKDWGRHVQRWKDYHDOHJLWLPDWHQHHGRUDXWKRULW\WRXVHWKHILOH(B) Network Security Policy7KHREMHFWLYHRIWKH2IILFHVQHWZRUNVHFXULW\SROLF\LVWRSURYLGHDGHTXDWH,7FRQWUROVRYHUWKHQHWZRUN6HFXULW\IHDWXUHVDYDLODEOHRQ WKHQHWZRUNZLOOEHLPSOHPHQWHGDVQHHGHG WR UHVWULFW XVHUV WR WKH UHVRXUFHV DQG ULJKWV QHFHVVDU\ WR SHUIRUP DOO WKH
-
7/30/2019 Nct It Policy
44/90
IT Securi ty & Audit Polic y Page 45 of 91
GXWLHV RI WKHLU MRE GHVFULSWLRQV DGHTXDWHO\ 7KH QHWZRUN DGPLQLVWUDWRU EDVHG RQ DZULWWHQXVHU VHWXS IRUP IURPWKH GHSDUWPHQWDO VXSHUYLVRU VKRZLQJSDVVZRUGULJKWVDQGQRUPDO ZRUNVFKHGXOHLQLWLDOO\DVVLJQV ULJKWV7KHULJKWVPD\EHH[SDQGHGRQO\ZLWKWKHZULWWHQDSSURYDORIWKHGHSDUWPHQWDOVXSHUYLVRU
$FFHVV&RQWURO
7KHQHWZRUNDGPLQLVWUDWRUZLOOLPSOHPHQWDYDLODEOHVHFXULW\DFFHVVFRQWUROIHDWXUHVRIWKHQHWZRUN7KHVHIHDWXUHVLQFOXGHWKHDELOLW\WRUHVWULFW )LOHVWKDWDXVHUFDQDFFHVV 7LPHSHULRGVWKDWDXVHUFDQORJRQWRWKHQHWZRUN 'D\VRIWKHZHHNWKDWDXVHUFDQORJRQWRWKHQHWZRUN :RUNVWDWLRQVWKDWDXVHUFDQDFFHVV
2QFH LPSOHPHQWHG QHWZRUN DFFHVV VKRXOG EH UHVWULFWHG WR QRUPDO ZRUNLQJ KRXUVZKHQHYHUSRVVLEOH'HSDUWPHQWDOVXSHUYLVRUVFDQJUDQWH[FHSWLRQVEDVHGRQQHHGRUVKLIWFRQVLGHUDWLRQV$GHTXDWHVXSHUYLVLRQDQGUHYLHZRIZRUNDUHUHTXLUHGIRUXVHUV
ZKR KDYH DFFHVVEH\RQGQRUPDO ZRUNLQJ KRXUV*HQHUDOO\XVHUVVKRXOGEH DOORZHGDFFHVVRQO\IURPSUHVSHFLILHGZRUNVWDWLRQVQRGHV3DVVZRUGV7KH QHWZRUN DGPLQLVWUDWRU VHWV XS WKH XVHU DQG WKH XVHU LV UHTXLUHG WR HQWHU DSDVVZRUGRQWKHILUVWORJRQ3DVVZRUGVZLOOEHVHWWRH[SLUHHYHU\QLQHW\GD\V7KHV\VWHPZLOOEHVHWWRSURPSWWKHXVHUIRUDSDVVZRUGFKDQJHDXWRPDWLFDOO\)DLOXUHWRPDNHWKHFKDQJHZLOOFDXVHWKHV\VWHPWRORFNRXWWKHXVHU$OVRUHSHDWHGDWWHPSWVWR ORJ RQ ZLWK DQ LQFRUUHFW SDVVZRUG ZLOO FDXVH WKH LQWUXGHU GHWHFWLRQ ORFNRXW WRDFWLYDWH7KHQHWZRUNVRIWZDUHVKRXOGQRWGLVSOD\WKHSDVVZRUGRQWKHVFUHHQ8VHUVVKRXOGQRWOHWDQ\RQHVHHWKHLUSDVVZRUGDVWKH\DUHNH\LQJLWLQ
8VHUSDVVZRUGV VKRXOG KDYH D PLQLPXP RIVL[ GLJLWV ZLWK D PL[ RI DOSKDEHWLF DQGQXPHULFFKDUDFWHUV8VHUVZLOOQRWXVHSDVVZRUGVWKDWFDQEHHDVLO\JXHVVHGVXFKDVIDPLO\ QDPHV ELUWKGD\V DQG FRPPRQO\ XVHG GHIDXOW SDVVZRUGV VXFK DV WHVWSDVVZRUG RUGHPR 8VHUVDUHQRW UHVWULFWHGE\WHUPLQDO EXW DUH SURKLELWHGIURPORJJLQJRQWRPRUHWKDQRQHWHUPLQDODWDWLPH8VHUVDUHPDLQO\VXEMHFWWRDQLQDFWLYHORJ RII DQG DXWRPDWLF ORJ RII LV QRW DOZD\V DYDLODEOH XVHUV VKRXOG PDQXDOO\ ORJ RIIZKHQQRWXVLQJWKHWHUPLQDOIRUWKDWSHULRGRIWLPHRUORQJHU:KHQDXVHUOHDYHVWKH2IILFHWKHSHUVRQQHOGHSDUWPHQWZLOOQRWLI\WKHQHWZRUNDGPLQLVWUDWRUZKRZLOOGHOHWHWKH XVHUV SDVVZRUG $OVR LID SDVVZRUG LV FRPSURPLVHG WKH XVHU ZLOO FKDQJH WKHSDVVZRUG
'DWD6HFXULW\'DWDVKRXOGEHVDYHGWRWKHDSSURSULDWHGLUHFWRU\QRUPDOO\HLWKHUWKHJURXSGLUHFWRU\RUWKHGHSDUWPHQWDOGLUHFWRU\,QVRPHFDVHVWKHVXSHUYLVRUDXWKRUL]HVWKHXVHRIWKHXVHUV ORFDO GLUHFWRU\ IRUVWRULQJFHUWDLQ W\SHV RI GDWD 2WKHU PHPEHUVRI WKH JURXSDFFHVV LQIRUPDWLRQRQ WKH JURXS GLUHFWRU\ 0HPEHUV RI WKHGHSDUWPHQW FDQDFFHVVGHSDUWPHQWDOGLUHFWRULHV7KHXVHUVORFDOGLUHFWRU\LVRQWKH3&DQGFDQEHDFFHVVHGRQO\E\WKHXVHU
-
7/30/2019 Nct It Policy
45/90
IT Securi ty & Audit Polic y Page 46 of 91
8VHU5HVSRQVLELOLWLHVIRU'DWD6HFXULW\8VHUV DUH UHVSRQVLEOH IRU EDFNLQJ XS ILOHV RQ WKHLU LQGLYLGXDO 3& KDUG GULYHV DQGGHSDUWPHQWDO VXSHUYLVRUV VKRXOG YHULI\ WKDW XVHUV DUH GRLQJ VR RQ D UHJXODU EDVLV8VHUV DUHDOVR UHVSRQVLEOH IRU WKH VHFXULW\ RI WKHLU LQGLYLGXDOZRUNVWDWLRQV LQFOXGLQJVHFXULW\RI3&EDFNXSGLVNV
8VHUVDUHUHVSRQVLEOHIRUDFFHVVVHFXULW\3DVVZRUGVVKRXOGQRWEH ZULWWHQGRZQRUVHHQE\RWKHUVZKHQWKH\DUHNH\HGLQ2WKHUUHODWHGUHVSRQVLELOLWLHVLQFOXGHQRWLQJDQGUHSRUWLQJPDLQWHQDQFHSUREOHPV VXFKDV GLVNHUURUPHVVDJHVEHIRUHWKH\FDQFDXVH ORVV RI GDWD HQVXULQJ WKDW WKH3&GDWD GLVNV DUHQRWVXEMHFWHGWR H[FHVVLYHKHDWHOHFWULFDOILHOGVGLUWVPRNHIRRG SDUWLFOHVRU VSLOOHGOLTXLGVDQGHQVXULQJWKDWWKH3&KDVDVXUJHSURWHFWRU(C) Monitoring the Network'DWD6FRSH
$ GDWDVFRSHLV D GHYLFHXVHGWR PRQLWRUQHWZRUN WUDIILF ,WVXVHKRZHYHU UHTXLUHV
DGGLWLRQDO VHFXULW\ FRQWUROV WR SUHYHQW DEXVH 1HWZRUN 6HFXULW\ 2IILFHU PD\ KDYHDFFHVVRIGDWDVFRSHWRUHGXFHDQ\PLVKDSSHQLQJ3HUIRUPDQFH0RQLWRULQJ'DWDLQWHJULW\DQGVHFXULW\DUHHQKDQFHGZKHQWKHV\VWHPLVUXQQLQJVPRRWKO\DQGLVDW SHDN SHUIRUPDQFH7KH QHWZRUNDGPLQLVWUDWRU VKRXOGPRQLWRUSHUIRUPDQFHRI WKHV\VWHPXVLQJDYDLODEOHGLDJQRVWLFWRROV2QHRIWKHGXWLHVRIWKHQHWZRUNDGPLQLVWUDWRULVWRWURXEOHVKRRWDQ\SUREOHPVRQWKHQHWZRUNDQGPDLQWDLQLQJSHUIRUPDQFHORJV
(D) Prevention and Detection of Viruses
7KHVFKHGXOHUIRUWKHQHWZRUNVDQWLYLUXVVRIWZDUHZLOOEHVHWWRVFDQPHPRU\DQGDOOILOHVRQWKHQHWZRUNRQDGDLO\EDVLV:DUQLQJPHVVDJHVZLOOEHFDUHIXOO\HYDOXDWHGDQG FRUUHFWLYH DFWLRQ WDNHQ ,I D YLUXV LV GLVFRYHUHG WKH /$1 VHFXULW\ RIILFHU ZLOOLQYHVWLJDWHWKHRULJLQRIWKHYLUXV7KHSROLF\IRUSUHYHQWLQJYLUXVHVZLOOEHHYDOXDWHGWRGHWHUPLQHWKHFDXVHIRUWKHVHFXULW\IDLOXUH7KHVHFXULW\RIILFHUZLOOUHFRPPHQGDFWLRQWRSUHYHQWIXWXUHRFFXUUHQFHV7KH RULJLQ RI PRVW YLUXVHV LV SLUDWHG VRIWZDUH RU VKDUHZDUH RU SXEOLF GRPDLQVRIWZDUH GRZQORDGHG IURP D EXOOHWLQ ERDUG RQOLQH VHUYLFH RU WKH ,QWHUQHW $OOVRIWZDUHZLOOEHVFDQQHGIRUYLUXVHVEHIRUHEHLQJORDGHGRQD3&
7KHQHWZRUNDGPLQLVWUDWRUZLOOSXUFKDVHDQGLQVWDOODQWLYLUXVVRIWZDUHXSGDWHVDVWKH\EHFRPHDYDLODEOH,I WKH RULJLQ RI WKH YLUXV LV GXH WR QHJOLJHQFH RU SROLF\ YLRODWLRQ RQ WKH SDUW RI DQHPSOR\HHWKDWHPSOR\HHZLOOEHVXEMHFWWRDSSURSULDWHGLVFLSOLQDU\DFWLRQZKLFKPD\LQFOXGHWHUPLQDWLRQ
11.3 Network Software
7KLVVHFWLRQGHILQHVSROLFLHVUHJDUGLQJ
-
7/30/2019 Nct It Policy
46/90
IT Securi ty & Audit Polic y Page 47 of 91
(A)6RIWZDUHOLFHQVLQJYLRODWLRQV(B)$XWKRUL]HGVRIWZDUH(C)3HUVRQDOXVHRI2IILFHVRIWZDUH(D)2ZQHUVKLSRIVRIWZDUH(E)&XVWRPGHYHORSPHQWRIVRIWZDUH(F)6XSSRUWRISXUFKDVHGVRIWZDUH
(A) Software Licensing Violations
$OOVRIWZDUHLQVWDOOHGRQ2IILFH3&VDQGRQWKHQHWZRUNZLOOFRPSO\ZLWKWKHVRIWZDUHVOLFHQVLQJDJUHHPHQW6RIWZDUHOLFHQVHGIRUDVHUYHULVOLPLWHGWRWKHQXPEHURIXVHUVFRYHUHG E\ WKH OLFHQVH $Q RULJLQDO GLVN PXVW H[LVW IRU HDFK VRIWZDUH DSSOLFDWLRQLQVWDOOHGRQDXVHUV3&7KHRQO\H[FHSWLRQLVVRIWZDUHZLWKDVLWHOLFHQVHRUSXEOLFGRPDLQVRIWZDUHRQDQDXWKRUL]HGOLVW,QWKHFDVHRIDXWKRUL]HGVKDUHZDUHSURGXFWVLIWKH 2IILFH XVHV WKH VRIWZDUH EH\RQG WKH WULDO SHULRG WKH DXWKRU ZLOO EH SDLG WKHVXJJHVWHG FRQWULEXWLRQ 6RFDOOHG SLUDWHG VRIWZDUH ZLOO QRW EH LQVWDOOHG RQ 2IILFH3&V
(B) Authorized Software2QO\ VRIWZDUH DXWKRUL]HG E\ WKH 2IILFH PD\ EH LQVWDOOHG RQ D QHWZRUN RU RQ DQLQGLYLGXDO3&8VHUVZLOOQRWLQVWDOOSHUVRQDOVRIWZDUHRQD3&ZLWKRXWWKHDSSURYDORIWKHLU VXSHUYLVRU 1R JDPHV RU HQWHUWDLQPHQW SDFNDJHV ZLOO EH LQVWDOOHG 7KH RZQHUPXVWVKRZSURRIRIRZQHUVKLS$QDQWLYLUXVSURJUDPZLOOEHUXQEHIRUHLQVWDOOLQJDQ\SURJUDPRQD3&7KH2IILFHZLOOGLVFRXUDJHWKHXVHRIRWKHUWKDQVWDQGDUGDXWKRUL]HGVRIWZDUH
(C) Personal Use of Office Software
8VHUVPD\127FRS\2IILFHRZQHGVRIWZDUHIRUWKHLUSHUVRQDOXVHIRUGLVWULEXWLRQWRRWKHUV RU IRU XVH RQ DQRWKHU 2IILFH 3& 2IILFH VRIWZDUH PD\ EH FRSLHG RQO\ IRUOHJLWLPDWHEDFNXSSXUSRVHV
(D) Ownership of Software3& VRIWZDUH GHYHORSHG E\ 2IILFH HPSOR\HHV RQ 2IILFHRZQHG HTXLSPHQW DQG RUGXULQJQRUPDOZRUNLQJKRXUVLVRZQHGE\WKH2IILFH
(E) Support of Purchased Software
7KH RIILFHU LQ FKDUJH XVXDOO\ WKH QHWZRUN DGPLQLVWUDWRU RI WKH GHSDUWPHQW WKDWUHFRPPHQG /$1EDVHG FRPPHUFLDO VRIWZDUH LV UHVSRQVLEOH IRU FRPSOHWLQJ DQGUHWXUQLQJ WKH SURGXFW UHJLVWUDWLRQ IRUPV $ FRS\ RI WKH UHFHLSW DQG SURGXFWLGHQWLILFDWLRQ QXPEHU XVXDOO\ WKH VHULDO QXPEHU VKRXOG EH UHFRUGHG IRU UHIHUHQFHZKHQPDNLQJVXSSRUWFDOOV2IILFHU LQFKDUJH RU ,7PDWWHUVRU 1RGDO 2IILFHU ,7 RIXVHU GHSDUWPHQWV DVPD\EHDXWKRUL]HGE\WKH+2'VKRXOGQRWHIURPWKHER[RUVRIWZDUHOLFHQVHLQIRUPDWLRQWKHVXSSRUW SHULRG H[SLUDWLRQ DQG FRRUGLQDWH ZLWK XVHUV WR HQVXUH WKDW FDOOV DUH PDGHEHIRUHH[SLUDWLRQRIWKHVHUYLFHSHULRG
-
7/30/2019 Nct It Policy
47/90
IT Securi ty & Audit Polic y Page 48 of 91
)RURWKHUWKDQRIIWKHVKHOI/$1VRIWZDUHWKH2IILFHZLOOREWDLQDZULWWHQDJUHHPHQWGHWDLOLQJ WHUPV RI PDLQWHQDQFH VXSSRUW 7KH FRQWUDFW ZLOO FOHDUO\ GHILQH KDUGZDUHPDLQWHQDQFHVHUYLFHVDQGFRVWV
11.4 Network Hardware
7KLVVHFWLRQZLOOGLVFXVVWKH2IILFHVSROLF\UHJDUGLQJWKHIROORZLQJ(A)8VHUUHVSRQVLELOLWLHVIRUKDUGZDUH(B)+DUGZDUHPDLQWHQDQFH(C),QWHJUDWLRQZLWKRWKHUV\VWHPV(D)0RGHPV
(A) User Responsibili ties for Hardware+DUGZDUH UHIHUV WR WKH SK\VLFDO FRPSRQHQWV RI WKH /$1WKH 3& ZRUNVWDWLRQV
PRQLWRUV SHULSKHUDO HTXLSPHQW URXWHUV PRGHPV HWF 8VHUV DUH UHVSRQVLEOH IRUWDNLQJUHDVRQDEOHFDUHRIWKHV\VWHPDQGUHSRUWLQJWRDVXSHUYLVRUDQ\PDLQWHQDQFHSUREOHPV SDUWLFXODUO\ GLVN HUURUV RU RWKHU SUREOHPV WKDW PLJKW FDXVH ORVV RI GDWD8VHUV PD\ QRW UHPRYH KDUGZDUH IURP WKH 2IILFH RU WUDQVIHU HTXLSPHQW WR RWKHUORFDWLRQVLQWKH2IILFHZLWKRXWVXSHUYLVRU\DSSURYDO 8VHUVVKRXOGDYRLGVXEMHFWLQJ3&VWRH[FHVVLYHYLEUDWLRQRUEXPSV+DUGMROWV
ZKLOHD3&LVUXQQLQJFDQGDPDJHWKHKDUGGLVNGULYH6PRNHKHDWPDJQHWLFILHOGV DQGH[FHVVLYH GXVW FDQDOVR GDPDJH/$1 HTXLSPHQW $OO3&VVKRXOGKDYHDVXUJHSURWHFWRU
8VHUVVKRXOGXVHJRRGMXGJPHQWZKHQHDWLQJRUGULQNLQJLQWKHYLFLQLW\RI3&V
DQG/$1HTXLSPHQW 7KHQHWZRUNDGPLQLVWUDWRUVKRXOGORFDWHWKHVHUYHULQDVHFXUHDUHD
(B) Hardware Maintenance7KH QHWZRUN DGPLQLVWUDWRU PD\ IURP WLPH WR WLPH JHW LQWR DQQXDO PDLQWHQDQFHDJUHHPHQWVIRUVHOHFWHGHTXLSPHQWDVGHHPHGQHFHVVDU\7KHQHWZRUNDGPLQLVWUDWRUZLOOKDYHHPHUJHQF\SKRQHQXPEHUVDQGFRQWUDFWVRXUFHVDYDLODEOHLWLVQHFHVVDU\WRUHSODFHRUUHSDLUFULWLFDOQHWZRUNFRPSRQHQWVTXLFNO\
(C) System Integration
8VHUVFDQXWLOL]H3&VDVWHUPLQDOVFRQQHFWHGWRDPDLQIUDPHDVZHOODVZRUNVWDWLRQVFRQQHFWHGWRDQHWZRUN'DWDPRYHVEDFNDQGIRUWKEHWZHHQWKHQHWZRUNDQGRWKHUV\VWHPVXVLQJWKHRSHQVWDQGDUGSURWRFRO(D) Modems7KH2IILFH XVHVPRGHPVIRU FRPPXQLFDWLRQZLWKVHOHFWHG GHSDUWPHQWV FOLHQWV DQGHPSOR\HHV0RGHPVZLOOEHWXUQHGRIIZKHQQRWLQXVH7KHQHWZRUNDGPLQLVWUDWRUZLOODFWLYDWH DSSOLFDEOHVHFXULW\ IHDWXUHVWKDW DUH DYDLODEOH7KHVHQLRUPDQDJHPHQW ZLOO
-
7/30/2019 Nct It Policy
48/90
IT Securi ty & Audit Polic y Page 49 of 91
DSSURYH PRGHP FRQWUROV 7KH IROORZLQJ PRGHP FRQWUROV VKRXOG EH LPSOHPHQWHG LISHUPLWWHGE\KDUGZDUHDQGVRIWZDUH /LPLWDWLRQRIWKHDFWLYLWLHVWKDWFDQEHSHUIRUPHG $XWRFDOOEDFNWRLGHQWLI\GLDOLQXVHUV 3DVVZRUGV
8QLTXHRSHUDWRULGHQWLILFDWLRQ $XWRPDWLFORJRIIDIWHUDSUHGHWHUPLQHGQXPEHURIIDLOHGDFFHVVDWWHPSWV
11.5 LAN Backup and Recovery Polic ies
7KHQHWZRUNDGPLQLVWUDWRUZLOOLGHQWLI\FULWLFDODQGRUVHQVLWLYHQHWZRUNGDWDILOHVDQGDSSOLFDWLRQV DQG HQVXUH WKDW WKHVH DUH DGHTXDWHO\ SURWHFWHG DQG EDFNHG XS 7KHQHWZRUN DGPLQLVWUDWRU LV UHVSRQVLEOH IRU EDFNXS DW WKH 2IILFHV GDWD FHQWHU 7KHUHVSRQVLELOLW\IRUEDFNLQJXSDWEUDQFKHVOLHVZLWKWKHDVVLVWDQWQHWZRUNDGPLQLVWUDWRUV
11.6 LAN Purchasing Policy
IT Steering Committee(YHU\GHSDUWPHQWVKRXOGKDYHDQ,7VWHHULQJFRPPLWWHHKHDGHGE\WKH+2',WLVWKHUHVSRQVLELOLW\RIWKH,7VWHHULQJFRPPLWWHHWRGHYHORSORQJWHUPDQGVKRUWWHUPSODQVIRUSXUFKDVLQJ /$1 KDUGZDUHDQGVRIWZDUH7KH FRPPLWWHHKDVWKH UHVSRQVLELOLW\ WRLQLWLDWH UHTXHVWV IRU PDMRU SXUFKDVHV 7KH QHWZRUN DGPLQLVWUDWRU LV UHVSRQVLEOH IRUSXUFKDVLQJWKHDSSURYHGHTXLSPHQWDQGVRIWZDUHDIWHUREVHUYLQJUHTXLUHGIRUPDOLWLHV
-
7/30/2019 Nct It Policy
49/90
IT Securi ty & Audit Polic y Page 50 of 91
12 Role of System Administrator in Virus Protection
12.1 Computer Viruses: Detection and Removal Methods
(A) $QWL9LUXV3URJUDPV(B) 'HWHFWLRQRIDQ8QNQRZQ9LUXV(C) 3URSK\OD[LVRI&RPSXWHU,QIHFWLRQ(D) 5HFRYHU\RI$IIHFWHG2EMHFWV(A)Anti virus Programs
$QWLYLUXVSURJUDPVDUHWKHPRVWHIIHFWLYHPHDQVRIILJKWLQJYLUXVHV%XWWKHUHDUHQRDQWLYLUXVJXDUDQWHHLQJSHUFHQWSURWHFWLRQVIURPYLUXVHV&RPSUHKHQVLYHVRIWZDUHOLNH1RUWRQ,QWHUQHW6HFXULW\DQG0F$IHH$FWLYH9LUXV'HIHQVH$9'DUHWKHHDVLHVW
ZD\ WR FRPEDW PRVW FRPSXWHU VHFXULW\ WURXEOHV 6XFK VRIWZDUH SURYLGHV HVVHQWLDOSURWHFWLRQ IURP YLUXVHV KDFNHUV DQG RWKHU SULYDF\ WKUHDWV ,W LV QHFHVVDU\ WR SD\DWWHQWLRQWRVRPHWHUPVDVIROORZLQJXVHGLQDQWLYLUXVSURJUDPGLVFXVVLRQ )DOVH 3RVLWLYH ZKHQ DQ XQLQIHFWHG REMHFW ILOH VHFWRU RU V\VWHP PHPRU\
WULJJHUV WKH DQWLYLUXV SURJUDP 7KH RSSRVLWH WHUP )DOVH 1HJDWLYH PHDQVWKDWDQLQIHFWHGREMHFWDUULYHGXQGHWHFWHG
2QGHPDQG6FDQQLQJDYLUXVVFDQVWDUWVXSRQXVHUUHTXHVW,QWKLVPRGHWKHDQWLYLUXVSURJUDPUHPDLQVLQDFWLYHXQWLODXVHULQYRNHVLWIURPDFRPPDQGOLQHEDWFKILOHRUV\VWHPVFKHGXOHU
2QWKHIO\6FDQQLQJ DOOWKHREMHFWV WKDW DUH SURFHVVHGLQ DQ\ ZD\ RSHQHGFORVHGFUHDWHGUHDGIURPRUZULWWHQWRHWFDUHEHLQJFRQVWDQWO\FKHFNHGIRU
YLUXVHV ,Q WKLV PRGH WKHDQWLYLUXVSURJUDPLVDOZD\V DFWLYH ,W LVD PHPRU\UHVLGHQW DQG FKHFNV REMHFWV ZLWKRXW XVHU UHTXHVW
:KLFK$QWL9LUXV3URJUDPLV%HWWHU":KLFKDQWLYLUXVSURJUDPLVWKHEHVW"7KHDQVZHULVDQ\SURJUDPLIQRYLUXVHVOLYHLQWKHFRPSXWHUDQGXVHUXVHVRQO\DUHOLDEOHYLUXVIUHHVRIWZDUHVRXUFHDQGQRRWKHU+RZHYHU LI XVHU OLNHV XVLQJ QHZ VRIWZDUHRUJDPHVDFWLYH HPDLOXVHU OLNHV XVLQJ:RUGRUH[FKDQJLQJ([FHOVSUHDGVKHHWVWKHQRQHVKRXOGXVHVRPHNLQGRIDQWLYLUXVSURWHFWLRQ :KLFK RQH H[DFWO\ VKRXOG EH GHFLGHG RQ KLVKHU RZQ EXW WKHUH DUHVHYHUDO SRLQWV RI FRPSDULVRQ RI GLIIHUHQW DQWLYLUXV SURJUDPV 7KH IROORZLQJ SRLQWV
IURPWKHPRVWWROHDVWLPSRUWDQFHGHWHUPLQHWKHTXDOLW\RIDQWLYLUXVSURJUDPV 5HOLDELOLW\DQGFRQYHQLHQFHRIZRUN 'HWHFWLRQ RI DOO PDMRU NLQGV RI YLUXVHV VFDQQLQJ LQVLGH GRFXPHQW ILOHV
VSUHDGVKHHWV0LFURVRIW:RUG([FHOSDFNHGDQGDUFKLYHGILOHV $ELOLW\WRFXUHLQIHFWHGREMHFWV $YDLODELOLW\ RI WLPHO\XSGDWHVZKLFK LV WKH VSHHGRI WXQLQJD VFDQQHUWR QHZ
YLUXVHV $YDLODELOLW\ RI DQWLYLUXV YHUVLRQV IRU DOO WKH SRSXODU SODWIRUPV :LQGRZV
:LQGRZV171RYHOO1HW:DUH26$OSKD/LQX[HWF
-
7/30/2019 Nct It Policy
50/90
IT Securi ty & Audit Polic y Page 51 of 91
$YDLODELOLW\ QRW RQO\ RQGHPDQG VFDQQLQJ EXW DOVR VFDQQLQJ RQWKHIO\FDSDELOLWLHV DYDLODELOLW\ RI VHUYHU YHUVLRQV ZLWK SRVVLELOLW\ IRU QHWZRUNDGPLQLVWUDWLRQ
6SHHGRIZRUNDQGRWKHUXVHIXOIHDWXUHVIXQFWLRQVEHOOVDQGZKLVWOHV5HOLDELOLW\ RI DQWLYLUXV SURJUDPV LV WKH PRVW LPSRUWDQW FULWHULRQ EHFDXVH HYHQ WKH
DEVROXWH DQWLYLUXV PD\ EHFRPH XVHOHVV LI LW LV QRW DEOH WR ILQLVK WKH VFDQQLQJSURFHVVDQG KDQJV,W ZLOO OHDYH D SRUWLRQRI WKH GLVNV DQG ILOHV XQFKHFNHGWKHUHE\OHDYLQJ WKH YLUXV LQWKH V\VWHP XQGHWHFWHG 7KH DQWLYLUXV PD\ DOVR EH XVHOHVV LI LWGHPDQGVVRPHVSHFLDONQRZOHGJHIURPDXVHUPRVWXVHUVDUHOLNHO\WRVLPSO\LJQRUHWKHDQWLYLUXVPHVVDJHVDQGSUHVV>2.@RU>&DQFHO@DWUDQGRPGHSHQGLQJRQZKLFKEXWWRQLVFORVHUWRWKHPRXVHFXUVRUDWWKLVWLPH$QGLIWKHDQWLYLUXVDVNVDQRUGLQDU\XVHUFRPSOLFDWHGTXHVWLRQVWRRRIWHQWKHXVHUZLOOPRVWOLNHO\VWRSUXQQLQJVXFKDQDQWLYLUXVDQGHYHQGHOHWHLWIURPWKHGLVN7LSVRQ8VDJHRI$QWL9LUXV3URJUDPV
$OZD\V VHH WKDW WKH ODWHVW DQWLYLUDO VRIWZDUH YHUVLRQ DYDLODEOH ,I VRIWZDUHXSGDWHVDUHDYDLODEOHFKHFNWKHPIRUIUHVKQHVV
,I D YLUXV KDV EHHQ IRXQG RQ WKH FRPSXWHU LW LV LPSHUDWLYH QRW WR SDQLF IRU
WKRVHZKRPHHWYLUXVHVGDLO\DUHPDUNOLNHWKLVPD\VHHPIXQQ\3DQLFNLQJQHYHUGRHVDQ\JRRGWKRXJKWOHVVDFWLRQVPD\UHVXOWLQELWWHUFRQVHTXHQFHV
,IDYLUXVLVIRXQGLQVRPHQHZO\DUULYHGILOHVDQGKDVQRWLQILOWUDWHGWKHV\VWHP
\HW WKHUH LV QR UHDVRQ WR ZRUU\ MXVW NLOO WKH ILOH RU UHPRYH WKH YLUXV ZLWKDQWLYLUXVSURJUDPDQGNHHSRQZRUNLQJ,IYLUXVLVIRXQGLQVHYHUDOILOHVDWRQFHRU LQ WKH ERRW VHFWRU WKH SUREOHP EHFRPHV PRUH VHULRXV EXW VWLOO LW FDQ EH
UHVROYHG ,Q WKHFDVH RIILOHYLUXV GHWHFWLRQ LI WKHFRPSXWHU LV FRQQHFWHG WR D QHWZRUN
GLVFRQQHFWLWIURPWKHQHWZRUNDQGLQIRUPWKHV\VWHPDGPLQLVWUDWRU,IWKHYLUXVKDV QRW \HW LQILOWUDWHG WKH QHWZRUN WKLV ZLOO SURWHFW WKH VHUYHU DQG RWKHUZRUNVWDWLRQVIURPYLUXVDWWDFN
,IWKHYLUXVKDVDOUHDG\LQIHFWHGWKHVHUYHUGLVFRQQHFWLRQIURPWKHQHWZRUNZLOO
QRWVWRS WKH YLUXV IURP LQILOWUDWLQJ LQWR WKHFRPSXWHU DJDLQ DIWHU LWV WUHDWPHQW5HFRQQHFWLRQ WR WKH QHWZRUN PXVW EH GRQH RQO\ DIWHU DOO WKH VHUYHUV DQGZRUNVWDWLRQVKDYHEHHQFXUHG
,IDERRWYLUXVKDVEHHQIRXQGGRQWGLVFRQQHFWWKHFRPSXWHUIURPWKHQHWZRUN
YLUXVHVRIWKLVNLQGGRQRWVSUHDGRYHULWH[FHSWILOHERRWYLUXVHV ,I WKH FRPSXWHU LV LQIHFWHG ZLWK D PDFURYLUXV WKHQ LQVWHDG RI GLVFRQQHFWLQJ
IURP QHWZRUN LW LV HQRXJK WR PDNH VXUH WKDW WKH FRUUHVSRQGLQJ HGLWRU:RUG([FHOLVLQDFWLYHRQDQ\FRPSXWHU
,IDILOHRUERRWYLUXVKDVEHHQGHWHFWHGPDNHVXUHWKDWHLWKHUWKHYLUXVLVQRQUHVLGHQWRUWKHUHVLGHQWSDUWRILWKDVEHHQGLVDUPHGZKHQVWDUWHGVRPHEXWQRWDOODQWLYLUXVHVDXWRPDWLFDOO\GLVDEOHUHVLGHQWYLUXVHVLQPHPRU\5HPRYDO
-
7/30/2019 Nct It Policy
51/90
IT Securi ty & Audit Polic y Page 52 of 91
RIDYLUXVIURPWKHPHPRU\LVQHFHVVDU\WRVWRSLWVVSUHDGLQJ:KHQVFDQQLQJILOHV DQWLYLUXVHV RSHQ WKHP PDQ\ UHVLGHQW YLUXVHV LQWHUFHSW WKLV HYHQW DQGLQIHFWWKHILOHVEHLQJRSHQHG$VDUHVXOWWKHPDMRULW\LVLQIHFWHGEHFDXVHWKHYLUXVKDVQRWEHHQUHPRYHGIURPPHPRU\\HW7KHVDPHWKLQJPD\KDSSHQLQWKHFDVHRIERRWYLUXVHVDOOWKHGLVNHWWHVEHLQJFKHFNHGPD\EHFRPHLQIHFWHG,I WKH DQWLYLUXV XVHG GRHV QRW UHPRYH YLUXVHV IURP PHPRU\ UHERRW WKH
FRPSXWHUIURPDNQRZQXQLQIHFWHGDQGZHOOZULWWHQSURWHFWHGV\VWHPGLVNHWWH8VHUVKRXOGGRDFROGERRWE\SUHVVLQJ5HVHWRUSRZHURIIRQEHFDXVHVHYHUDOYLUXVHVVXUYLYHDIWHUDZDUPERRW6RPHYLUXVHVDSSO\DWHFKQLTXHDOORZLQJIRUWKHLUVXUYLYDOHYHQDIWHUWKHFROGERRW
:LWK WKH KHOS RI WKH DQWLYLUXV SURJUDP UHVWRUH WKH LQIHFWHG ILOHV DQG FKHFN
WKHP IRU IXQFWLRQDOLW\ $W WKH VDPH WLPH RU EHIRUH WUHDWPHQW EDFNXS WKHLQIHFWHGILOHVDQGSULQWVDYHWKHDQWLYLUXVORJVRPHZKHUH7KLVLVQHFHVVDU\IRUUHVWRULQJILOHVLQFDVHWKHWUHDWPHQWSURYHVWREHXQVXFFHVVIXOGXHWRDQHUURULQ DQWLYLUXVWUHDWPHQW PRGXOH RU EHFDXVH RI DQ LQDELOLW\ RI WKLV DQWLYLUXV WRFXUHWKLVNLQGRIYLUXV,QWKLVFDVHUHVRUWWRWKHVHUYLFHVRIVRPHRWKHUDQWL
YLUXV ,W LV PXFK PRUH UHOLDEOH RI FRXUVH WR VLPSO\ UHVWRUH WKH EDFNHG XS ILOHV LI
DYDLODEOHEXW VWLOO UHVRUW WRDQDQWLYLUXV ZKDW LI DOOWKHFRSLHV RI WKHYLUXVKDYHQWEHHQGHVWUR\HGRUVRPHEDFNHGXSILOHVDUHLQIHFWHGWRR"
,W LV ZRUWK PHQWLRQLQJ WKDW WKH TXDOLW\ RI ILOH UHVWRUDWLRQ E\ PDQ\ DQWLYLUXV
SURJUDPV OHDYHV PXFK WR EH GHVLUHG 0DQ\ SRSXODU DQWL YLUXVHV RIWHQLUUHYHUVLEO\ GDPDJH ILOHV LQVWHDG RI FXULQJ WKHP 7KHUHIRUH LI ILOH ORVVXQGHVLUDEOHH[HFXWHDOOWKHSUHYLRXVUHFRPPHQGDWLRQVFRPSOHWHO\
,Q WKH FDVH RI D ERRW YLUXV LW LV QHFHVVDU\ WR FKHFN DOO WKH GLVNHWWHV WR VHHZKHWKHU WKH\ DUHERRWDEOHLH FRQWDLQ '26 ILOHV RUQRW (YHQ D FRPSOHWHO\EODQNGLVNHWWHPD\EHFRPHDVRXUFHRIYLUDOLQIHFWLRQ LWLVHQRXJKWRIRUJHWLWLQWKHGULYHDQGUHERRWRIFRXUVHLIDGLVNHWWHERRWLVHQDEOHGLQ%,26
&RORQLHV RI YLUXVHV PD\ LQILOWUDWH EDFNXS FRSLHV RI VRIWZDUH WRR 0RUHRYHU
DUFKLYHV DQG EDFNXS FRSLHV DUH WKH PDLQ VRXUFH RI ORQJ NQRZQ YLUXVHV $YLUXV PD\ VLW LQ D GLVWULEXWLRQ FRS\ RI VRPH VRIWZDUH IRU DJHV DQG WKHQVXGGHQO\ DSSHDU DIWHU VRIWZDUH LQVWDOODWLRQ RQ D QHZ FRPSXWHU 1RERG\ FDQJXDUDQWHHUHPRYDORIDOOFRSLHVRIDFRPSXWHUYLUXVEHFDXVHDILOHYLUXVPD\DWWDFNQRWRQO\H[HFXWDEOHVEXWDOVRRYHUOD\PRGXOHVQRWKDYLQJ&20RU(;(
H[WHQVLRQV$ ERRWYLUXVPD\UHPDLQRQ VRPH GLVNHWWHVDQGDSSHDUVXGGHQO\DIWHUDQDWWHPSWWRERRWIURPLW7KHUHIRUHLWLVVHQVLEOHWRXVHVRPHUHVLGHQWDQWLYLUXV VFDQQHU FRQWLQXRXVO\ IRU VRPH WLPH DIWHU YLUXV UHPRYDO QRW WRPHQWLRQWKDWLWVEHWWHUWRDXVHVFDQQHUDWDOOWLPHV
(B) Detection of an Unknown Virus'HWHFWLRQRID7659LUXV '269LUXVHV,IWUDFHVRIYLUXVDFWLYLW\KDYHEHHQIRXQGLQDFRPSXWHUEXWQR
YLVLEOHFKDQJHVLQWKHILOHRU V\VWHP VHFWRUVRI GLVFVFDQEH IRXQG WKHQLW LV
-
7/30/2019 Nct It Policy
52/90
IT Securi ty & Audit Polic y Page 53 of 91
TXLWHSRVVLEOHWKDWWKHFRPSXWHULVLQIHFWHGE\RQHRIWKH6WHDOWKYLUXVHV,QWKLVFDVHLWLVQHFHVVDU\WRERRWIURP'26XVLQJDYHULILHGYLUXVIUHHGLVNHWWHZLWKDEDFNXSFRS\RIWKH'26DQGGRWKHVDPHDVLQWKHFDVHRIQRQUHVLGHQWYLUDOLQIHFWLRQ +RZHYHU VRPHWLPHV WKLV LV XQGHVLUDEOH DQG LQ D IHZ FDVHV HYHQLPSRVVLEOH IRU H[DPSOH WKHUH LV NQRZQ FDVHV RI WKH SXUFKDVH RI QHZFRPSXWHUV ZKLFK KDYH DOUHDG\ EHHQ LQIHFWHG E\ D YLUXV 7KHQ GHWHFW DQG
QHXWUDOL]H WKH UHVLGHQW SDUW RI WKH YLUXV ZLWK WKH XVH RI 6WHDOWK WHFKQRORJ\7KHUHDUHVHYHUDOZD\VWRORRNLQWRWKHPHPRU\IRUWKHYLUXVRUIRULWVUHVLGHQWSDUWRILQIHFWLQJPHPRU\
:LQGRZV 9LUXVHV 'HWHFWLRQ RI D UHVLGHQW :LQGRZV YLUXV LV DQ H[WUHPHO\
GLIILFXOWWDVN$YLUXVLQWKH:LQGRZVHQYLURQPHQWDVDQDSSOLFDWLRQRUDVD9['GULYHU LV YLUWXDOO\ LQYLVLEOH EHFDXVH RI VHYHUDO PRUH GR]HQV RI DFWLYHDSSOLFDWLRQVDQG9['VQRWXQOLNHWKHYLUXVLQWKHLUH[WHUQDOGLVSOD\7RGHWHFWWKH YLUXV SURJUDPLQDQDFWLYH DSSOLFDWLRQV OLVW RU 9[' OLVW LW LV LPSHUDWLYH WRKDYH H[WHQVLYH NQRZOHGJH RI WKH LQWHUQDOV RI :LQGRZV DQG KDYH FRPSOHWHLQIRUPDWLRQDERXWDSSOLFDWLRQVDQGGULYHUVLQVWDOOHGLQWKLVSDUWLFXODUFRPSXWHU
7KHUHIRUHWKHRQO\VXLWDEOHZD\RIFDWFKLQJDUHVLGHQW:LQGRZVYLUXVLVWRERRWXS'26DQGFKHFNWKH:LQGRZVH[HFXWDEOHILOHVZLWKWKHKHOSRIWKHPHWKRGVGHVFULEHGDERYH
'HWHFWLRQRID%RRW9LUXV
$VDUXOHERRWVHFWRUVRIGLVNVFDUU\VPDOOSURJUDPVZKRVHSXUSRVHLVWRGHWHUPLQHERUGHUVDQGVL]HVRIORJLFDOGLVNVIRU0%50DVWHU%RRW5HFRUGRIKDUGGULYHVRURSHUDWLQJV\VWHPERRWXSIRUERRWVHFWRU,Q WKH EHJLQQLQJ XVHU VKRXOG UHDG WKH FRQWHQWV RI WKH VHFWRU VXVSHFWHG RI YLUXV
SUHVHQFH',6.(',7IURP1RUWRQ8WLOLWLHVRU$9387,/IURP$933URDUHEHVWVXLWHGIRUWKDW6RPHERRWYLUXVHVPD\EHGHWHFWHGDOPRVWLPPHGLDWHO\E\WKHSUHVHQFHRIYDULRXVWH[W VWULQJV IRU H[DPSOH WKH 6WRQHG YLUXV FRQWDLQV WKH VWULQJV
-
7/30/2019 Nct It Policy
53/90
IT Securi ty & Audit Polic y Page 54 of 91
ILOHV DQG DIWHUZDUGV FRPSDUH LWV FXUUHQW ERRW VHFWRU ZLWK WKH RULJLQDO RQH RQ DQXQLQIHFWHGFRPSXWHU,IWKHERRWFRGHXQGHUZHQWVRPHFKDQJHVWKHQWKHYLUXVKDVEHHQFDXJKW'HWHFWLRQRID)LOH9LUXV
$V DOUHDG\ PHQWLRQHG YLUXVHV DUH GLYLGHG LQWR UHVLGHQW DQG QRQUHVLGHQW5HVLGHQW YLUXVHV IRXQG VRIDU VWRRGRXW IRUWKHLUPXFK JUHDWHU FUDIWLQHVVDQGVRSKLVWLFDWLRQLQFRPSDULVRQZLWKQRQUHVLGHQW7KHUHIRUHZHVKDOOGLVFXVVWKHVLPSOHVWFDVH IRU VWDUWHUV DWWDFN RI DQ XQNQRZQ QRQUHVLGHQW YLUXV 6XFKDYLUXVDFWLYDWHVLWVHOIXSRQVWDUWLQJRI DQ\ LQIHFWHGSURJUDPVGRHVDOOLWKDVWRSDVVHV FRQWURO WR WKH KRVW SURJUDP DQG DIWHUZDUGV XQOLNH UHVLGHQW YLUXVHVGRHV QRW LQWHUIHUH ZLWK LWV ZRUN 7R GHWHFW VXFK D YLUXV LW LV QHFHVVDU\ WRFRPSDUHILOHVL]HRQGLVNVDQGLQEDFNXSFRSLHV,IWKLVGRHVQWKHOSGRDE\WHFRPSDULVRQRIGLVWULEXWLRQFRSLHVZLWKWKHZRUNLQJFRSLHV$WWKHSUHVHQWWKHUHDUHPDQ\VXFKSURJUDPVWKHVLPSOHVWRIWKHP&203XWLOLW\FDQEHIRXQGLQ'26
2QH PD\ DOVR H[DPLQH D KH[ GXPS RI H[HFXWDEOHV ,Q VRPH FDVHV LW LV
SRVVLEOHWRLPPHGLDWHO\GHWHFWYLUDOSUHVHQFHE\VRPHWH[WVWULQJVUHVLGLQJLQLWVFRGH )RU H[DPSOH PDQ\ YLUXVHV FRQWDLQ VWULQJV &20 &20 (;((;(0=&200$1'HWF7KHVHVWULQJVPD\RIWHQEHIRXQGDWWKHWRSRUHQGRIWKHLQIHFWHGILOHV
7KHUHLV\HWRQHPRUHPHWKRGIRUWKHYLVXDOGHWHFWLRQRIDYLUXVLQD'26ILOH,W
LVEDVHGRQWKHIDFWWKDWH[HFXWDEOHVWKHVRXUFHFRGHRIZKLFKZDVLQD KLJKOHYHOSURJUDPPLQJODQJXDJHKDYHDTXLWHGHILQLWHLQVLGHVWUXFWXUH,QWKHFDVHRI %RUODQG RU 0LFURVRIW && SURJUDP WKH FRGH VHJPHQW LV DW WKH YHU\
EHJLQQLQJ RI D ILOH LPPHGLDWHO\ IROORZHG E\ WKH GDWD VHJPHQW FRQWDLQLQJ DFRS\ULJKWQRWLFHZLWKWKHQDPHRIDFRPSLOHUYHQGRUFRPSDQ\DWWKHEHJLQQLQJ,IWKHGDWDVHJPHQWLQWKHGXPSLVIROORZHGE\RQHPRUHFRGHVHJPHQWWKHQLWPLJKWYHU\ZHOOEHWKDWWKHILOHLVLQIHFWHGZLWKDYLUXV7KHVDPHLVWUXHIRUWKHPRVWSDUWRIWKHYLUXVHVZKRVHWDUJHWLV:LQGRZVDQG26ILOHV,QWKHVH26H[HFXWDEOHVKDYHWKHIROORZLQJ VWDQGDUGRUGHURI VHJPHQWV FRGH VHJPHQWVIROORZHG E\ GDWDVHJPHQWV ,ID GDWD VHJPHQW LVIROORZHG E\ RQH PRUH FRGHVHJPHQWLWPD\EHWKHVLJQRIWKHSUHVHQFHRIDYLUXV
7KHDERYHPHWKRGVRIGHWHFWLRQRIILOHDQGERRWYLUXVHVDUHVXLWDEOHIRUPRVWUHVLGHQW
DQGQRQUHVLGHQWYLUXVHV'HWHFWLRQRID0DFUR9LUXV
&KDUDFWHULVWLFIHDWXUHVRIPDFURYLUXVHVDUH :RUGLQDELOLW\WRFRQYHUWDQLQIHFWHG:RUGGRFXPHQWWRDQRWKHUIRUPDW :RUG LQIHFWHGILOHVKDYHWKH7HPSODWH IRUPDWEHFDXVHZKHQLQIHFWLQJ:RUG
YLUXVHVFRQYHUWILOHVIURPWKH:RUG'RFXPHQWIRUPDWWR7HPSODWHIRUPDW :RUGRQO\LQDELOLW\WRVDYHDGRFXPHQWWRDQRWKHUGLUHFWRU\RUGLVNZLWKWKH
6DYH$VFRPPDQG
-
7/30/2019 Nct It Policy
54/90
IT Securi ty & Audit Polic y Page 55 of 91
([FHO:RUGDOLHQILOHVDUHSUHVHQWLQWKH67$5783GLUHFWRU\ ([FHOYHUVLRQVDQG&RRNERRNVFRQWDLQUHGXQGDQWDQGKLGGHQ6KHHWV7RFKHFNWKHV\VWHPIRUYLUDOSUHVHQFHWKH7RROV0DFURPHQXLWHPFDQEHXVHG,IDOLHQPDFURVKDYHEHHQIRXQGWKH\PD\EHORQJWRDYLUXVEXWWKLVPHWKRGIDLOV LQWKHFDVHRI6WHDOWKYLUXVHVZKLFKGLVDEOHWKLVPHQXLWHPZKLFKLQLWVHOILVVXIILFLHQWWR
FRQVLGHUWKHV\VWHPLQIHFWHG&KDQJHV LQ:RUG ([FHO DQG :LQGRZVV\VWHPFRQILJXUDWLRQILOHV DUHDOVR D VLJQ RISRVVLEOH LQIHFWLRQ 0DQ\ YLUXVHV FKDQJH PHQX LWHPV XQGHU 7RROV2SWLRQV LQ RQHZD\ RU DQRWKHU HQDEOLQJ RU GLVDEOLQJ WKH IROORZLQJ IXQFWLRQV 3URPSW 7R 6DYH1RUPDO 7HPSODWH $OORZ )DVW 6DYH 9LUXV 3URWHFWLRQ 6RPH YLUXVHV VHW ILOHSDVVZRUGV DIWHU LQIHFWLQJ WKHP DQG D ORW RI YLUXVHV FUHDWH QHZ VHFWLRQV DQGRURSWLRQVLQWKH:LQGRZVFRQILJXUDWLRQILOH:,1,1,2IFRXUVHVXFKREYLRXVIDFWVVXFKDVDSSHDULQJPHVVDJHVRUGLDORJXHVZLWKVWUDQJHFRQWHQWVRULQDODQJXDJHRWKHUWKDQWKHGHIDXOWIRU WKLVLQVWDOODWLRQDUHDOVRVLJQVRI
YLUXV(C) Prophylaxis of Computer Infection :KHUHGR9LUXVHVFRPHIURP 7KHPDLQUXOHVRISURWHFWLRQ 7KHSUREOHPRI0DFUR9LUXV3URWHFWLRQ 0DFUR9LUXV3URWHFWLRQ)RU2IILFH;32QH RI WKH PDMRU PHWKRGV RI ILJKWLQJ FRPSXWHU YLUXVHV OLNH LQ PHGLFDO VFLHQFH LVWLPHO\ SURSK\OD[LV RU SUHYHQWLYH PHDVXUHV &RPSXWHU SUHYHQWLYH PHDVXUHV VXJJHVW
IROORZLQJ D VPDOO VHWRI UXOHV DOORZLQJ ORZHULQJ FRQVLGHUDEO\ WKH SRVVLELOLW\ RI YLUXVLQIHFWLRQDQGGDWDORVV7R GHILQH WKH PDLQ UXOHV RI FRPSXWHU K\JLHQH LW LVQHFHVVDU\ WR ILQG RXW WKH PDLQZD\VRIYLUXVLQWUXVLRQLQWRFRPSXWHUDQGFRPSXWHUQHWZRUN:KHUHGR9LUXVHV&RPH)URP
*OREDO$FFHVV1HWZRUNVDQG(PDLO (PDLO&RQIHUHQFHV)LOH6HUYHUV)73DQG%%6 /RFDO$FFHVV1HWZRUNV
3LUDWHG6RIWZDUH *HQHUDO$FFHVV3HUVRQDO&RPSXWHUV 5HSDLU6HUYLFHV
7KH0DLQ5XOHVRI3URWHFWLRQ
5XOH%H YHU\ FDUHIXO ZLWK SURJUDPV DQG GRFXPHQWV RI :RUG([FHO UHFHLYHG IURPJOREDO DFFHVV QHWZRUNV %HIRUH H[HFXWLQJ D ILOH RU RSHQLQJ DGRFXPHQWVSUHDGVKHHWGDWDEDVH EH VXUH WR FKHFN WKHP IRU YLUXVHV 8VH
-
7/30/2019 Nct It Policy
55/90
IT Securi ty & Audit Polic y Page 56 of 91
FXVWRPL]HGDQWLYLUXVHVWRFKHFNWKHHQWLUHILOHFRPLQJYLDHPDLODQG,QWHUQHWRQWKHIO\
5XOH7RORZHUWKHULVNRILQIHFWLQJILOHVRQWKHVHUYHUQHWZRUNDGPLQLVWUDWRUVKDYHWRPDNH H[WHQVLYH XVH RI VWDQGDUG QHWZRUN VHFXULW\ IHDWXUHV XVHU DFFHVV
UHVWULFWLRQV VHWWLQJ UHDGRQO\ RU HYHQ H[HFXWH RQO\ DWWULEXWHV IRU DOO WKDWH[HFXWDEOHVXQIRUWXQDWHO\WKLVPD\QRWDOZD\VEHSRVVLEOHHWF8VH FXVWRPL]HGDQWLYLUXVHV FKHFNLQJ WKH ILOHV LQXVH RQWKH IO\ ,I IRU VRPHUHDVRQWKLVLVLPSRVVLEOHUXQFRQYHQWLRQDODQWLYLUXVSURJUDPVRQVHUYHUGLVNVUHJXODUO\7KHULVNRIFRPSXWHU QHWZRUN LQIHFWLRQEHFRPHV FRQVLGHUDEO\ ORZHULQFDVHRIXVHRIGLVNOHVVZRUNVWDWLRQV,W LVD JRRGLGHDEHIRUHUXQQLQJVRPHQHZ VRIWZDUH RQ WKH QHWZRUN WR WHVW LW RQ D VWDQGDORQH WULDO FRPSXWHU QRWFRQQHFWHGWRQHWZRUN
5XOH
,W LVEHWWHU WREX\VRIWZDUHGLVWULEXWLRQSDFNDJHVIURPRIILFLDO YHQGRUVLQVWHDG
RIKDYLQJIUHHFRS\IURPRWKHUVRXUFHVRUEX\LQJSLUDWHGFRSLHV7KLVZD\WKHULVN RI LQIHFWLRQ LV FRQVLGHUDEO\ ORZHU DOWKRXJK WKHUH DUH NQRZQ FDVHV RISXUFKDVH RI LQIHFWHG GLVWULEXWLRQ SDFNDJHV $V D FRQVHTXHQFH IURP WKLV UXOHJRHVWKHQHFHVVLW\RINHHSLQJGLVWULEXWLRQFRSLHVRIVRIWZDUHLQFOXGLQJFRSLHVRIRSHUDWLQJV\VWHPDQGSUHIHUDEO\RQZULWHSURWHFWHGGLVNHWWHV$OVRXVHRQO\ZHOOHVWDEOLVKHGVRXUFHRIVRIWZDUHDQGRWKHUILOHVDOWKRXJKWKLVLVQRWDOZD\VKHOSIXOIRUH[DPSOH IRU D ORQJ WLPHRQ WKH 0LFURVRIW :::VHUYHU WKHUH KDVEHHQ D GRFXPHQW LQIHFWHG ZLWK :D]]X PDFUR YLUXV $SSDUHQWO\ WKH RQO\UHOLDEOHVLWHVIURPWKHSRLQWRIYLHZRIYLUXVSURWHFWLRQDUH%%6IWS:::VLWHVRIDQWLYLUXVGHYHORSPHQWFRPSDQLHV
5XOH7U\QRWWR UXQXQFKHFNHGILOHVLQFOXGLQJWKRVHUHFHLYHGYLDFRPSXWHUQHWZRUN8VH RQO\ WKRVH SURJUDPV UHFHLYHG IURP UHOLDEOH VRXUFH %HIRUH UXQQLQJ WKHSURJUDPVEHVXUHWRFKHFNWKHPE\RQHRUVHYHUDODQWLYLUXVSURJUDPV(YHQLIQRQHRIWKHDQWLYLUXVSURJUDPVWULJJHUHGE\WKHILOHGRZQORDGHGIURPD%%6RUQHZVJURXSGRQWKXUU\WRUXQLW:DLWIRUDZHHNLWLVSRVVLEOHWKDWWKLVILOHLVLQIHFWHGZLWKVRPHQHZXQNQRZQYLUXVLQWKDWFDVHVRPHERG\HOVHPLJKWVWHSLQWRLWEHIRUHLQIRUPLQJDERXWLW,W LV DOVR GHVLUDEOH WR KDYH VRPH NLQG RI D UHVLGHQW DQWLYLUXV PRQLWRU ZKHQ
ZRUNLQJ ZLWK VRPH QHZ VRIWZDUH ,I YLUXV LQIHFWV H[HFXWHG SURJUDP VXFK DPRQLWRUZLOOKDYHWRGHWHFWYLUXVDQGSUHYHQWLWIURPVSUHDGLQJ
$OOWKLV OHDGVWRQHFHVVLW\RI OLPLWLQJRID QXPEHURISHUVRQVXVLQJD SDUWLFXODUFRPSXWHU0XOWLXVHUSHUVRQDOFRPSXWHUVDUHJHQHUDOO\PRVWSURQHWRLQIHFWLRQ
5XOH
8VHYDOLGDWLRQDQGGDWDLQWHJULW\FKHFNLQJXWLOLWLHV6XFKXWLOLWLHVOLNHWKHVSHFLDOGDWDEDVHV RI GLVNV V\VWHP DUHDV RU NHHS WKH HQWLUH V\VWHP DUHDV LQGDWDEDVHVDQGILOHLQIRUPDWLRQFKHFNVXPVVL]HVDWWULEXWHVODVWPRGLILFDWLRQGDWHV HWF 3HULRGLFDOO\ FRPSDUH VXFK GDWDEDVH LQIRUPDWLRQ ZLWK DFWXDO KDUG
-
7/30/2019 Nct It Policy
56/90
IT Securi ty & Audit Polic y Page 57 of 91
GULYHFRQWHQWVEHFDXVH DQ\ LQFRQVLVWHQF\PLJKWEH DVLJQDORISUHVHQFHRI D7URMDQKRUVHRUYLUXV
5XOH
%DFNXSZRUNLQJILOHVSHULRGLFDOO\7KHH[SHQVHVRIEDFNXSVRIDOOVRXUFHFRGHILOHVGDWDEDVHILOHVGRFXPHQWILOHVHWFDUHPXFKORZHUWKDQWKHH[SHQVHVRI
UHVWRULQJWKHVHILOHVLQFDVHRIDYLUXVDWWDFNRUDFRPSXWHUPDOIXQFWLRQ,I GHSDUWPHQW KDYH D VWUHDPHU RU RWKHU PDVV VWRUDJH GHYLFH WKHQ LW PDNHVVHQVHWREDFNXSDOOWKHKDUGGULYHVFRQWHQWV7KHGXW\DQGWKHIDFWWKDWVXFKDEDFNXS FRS\ QHHGV D ORW RI WLPH WREHWKH FUHDWHG LW PDNHVVHQVH WRPDNHVXFKEDFNXSVOHVVRIWHQ
2WKHU5XOHV
,IWKHUHLVQRQHHGWRERRWWKHV\VWHPIURPDIORSS\GULYHHYHU\GD\VHWWKHERRWRUGHU LQ %,26 6HWXS DV &$ 7KLV ZLOO SURWHFW FRPSXWHU IURP ERRW YLUXVHVUHOLDEO\'RQRWUHO\RQWKHEXLOWLQ%,26YLUXVSURWHFWLRQPDQ\YLUXVHVSDVVLWE\ZLWK
WKHKHOSRIGLIIHUHQWWHFKQLTXHV7KHVDPHJRHVIRUDQWLYLUXVSURWHFWLRQZKLFKLVEXLOWLQWR:RUGDQG062IILFH7KLVSURWHFWLRQFDQDOVREHGLVDEOHGE\YLUXVRUE\XVHUEHFDXVHLWPD\EHDQXLVDQFH
7KH3UREOHPRI0DFUR9LUXV3URWHFWLRQ'XH WR WKH IDFW WKDWWKH PDFURYLUXV SUREOHPQRZDGD\V H[FHHGVDOO WKH RWKHUYLUXVUHODWHGSUREOHPVLWLVZRUWKRIDPRUHGHWDLOHGH[SODQDWLRQ7KHUHDUHVHYHUDOWHFKQLTXHVDQGDQXPEHURIEXLOWLQ:RUGDQG062IILFHIXQFWLRQV
DLPHGDWSUHYHQWLRQRIH[HFXWLQJDYLUXV7KHPRVWHIILFLHQWRIWKHPLV:RUGDQG([FHOVWDUWLQJIURPYHUVLRQVDEXLOWLQYLUXVSURWHFWLRQ:KHQRSHQLQJWKHILOHFRQWDLQLQJDQ\ PDFUR WKLV SURWHFWLRQ LQIRUPV DERXW LWV SUHVHQFH DQG VXJJHVWV GLVDEOLQJ WKLVPDFUR$VDUHVXOWWKHPDFURLVQRWRQO\GLVDEOHGEXWDOVRFDQQRWEHVHHQE\PHDQVRI:RUG([FHO6XFKDSURWHFWLRQLVUDWKHUUHOLDEOHEXWDEVROXWHO\XVHOHVVLIXVHUZRUNVZLWKPDFURVRIDQ\NLQGLWGRHVQRWPDNHGLIIHUHQFHEHWZHHQYLUXVPDFURVDQGQRQYLUXVPDFURVD