Nct It Policy

7/30/2019 Nct It Policy

1/90

IT Securi ty & Audit Polic y Page 1 of 91


2/90


3UHSDUHGE\

Department Of IT, Govt. Of NCT Of DelhiPrakash Kumar - Special Secretary (IT)

6DMHHY0DKHVKZDUL6\VWHP$QDO\VW

CDAC, Noida$QXM.XPDU-DLQ&RQVXOWDQW%35

5DKXO6LQJK&RQVXOWDQW,7$UXQ3UXWKL&RQVXOWDQW,7$VKLVK*R\DO&RQVXOWDQW,75DKXO*R\DO&RQVXOWDQW,7

,76HFXULW\$XGLW3ROLF\GRFXPHQWLVDOVRDYDLODEOHRQWKHVLWH http://it.delhigovt.nic.in6XJJHVWLRQVDQGFRPPHQWVDUHZHOFRPHGDQGFDQEHSRVWHGDW [email protected]


3/90


,1'(;

1 INTRODUCTION ............................................................................... 8

1.1 INFORMATION SECURITY .............................................................................................. 8

1.2 DATA LOSS PREVENTION.............................................................................................. 8

1.3 ABOUT VIRUSES ......................................................................................................... 10

A. POLICY FOR GENERAL USERS ..................................... 12

2 POLICIES FOR GENERAL USERS................................................. 14

2.1 USING FLOPPIES/ CD/ FLASH DRIVES........................................................................ 14

2.2 PASSWORD................................................................................................................. 14

2.3 BACKUP ..................................................................................................................... 142.4 PHYSICAL SAFETY OF SYSTEM................................................................................... 15

2.5 COMPUTERFILES ....................................................................................................... 15

2.6 GENERAL INSTRUCTIONS ........................................................................................... 16

B. POLICY FOR DEPARTMENT............................................. 18

3 DEPARTMENTAL POLICIES .......................................................... 20

C. POLICY FOR SYSTEM ADMINISTRATOR .................. 22

4 SECURITY POLICY FOR PURCHASING HARDWARE.................. 24

5 SECURITY POLICY FOR ACCESS CONTROL .............................. 25

5.1 MANAGING ACCESS CONTROL STANDARDS ............................................................... 25

5.2 MANAGING USERACCESS .......................................................................................... 255.3 SECURING UNATTENDED WORKSTATIONS.................................................................. 26

5.4 MANAGINGNETWORKACCESS CONTROLS ................................................................ 26

5.5 CONTROLLING ACCESS TO OPERATING SYSTEM SOFTWARE....................................... 275.6 MANAGING PASSWORDS............................................................................................. 27

5.7 SECURING AGAINST UNAUTHORIZED PHYSICAL ACCESS ........................................... 28

5.8 RESTRICTING ACCESS ................................................................................................. 285.9 MONITORING SYSTEM ACCESS AND USE .................................................................... 29

5.10 GIVING ACCESS TO FILES AND DOCUMENTS............................................................... 29

5.11 MANAGING HIGHERRISKS SYSTEM ACCESS .............................................................. 295.12 CONTROLLING REMOTE USERACCESS ....................................................................... 30

5.13 RECOMMENDATIONS ON ACCOUNTS AND PASSWORDS .............................................. 30

6 SECURITY POLICY FOR NETWORKS........................................... 32

6.1 CONFIGURINGNETWORKS .......................................................................................... 32

6.2 MANAGING THENETWORK......................................................................................... 32

6.3 ACCESSINGNETWORKREMOTELY ............................................................................. 326.4 DEFENDINGNETWORKINFORMATION FROM MALICIOUS ATTACK............................. 33

6.5 RECOMMENDATIONS ON NETWORK AND CONFIGURATION SECURITY........................ 33

6.6 RECOMMENDATION ON HOST BASED FIREWALL ......................................................... 34

7 SECURITY POLICY FOR OPERATING SYSTEM........................... 35


4/90


8 SECURITY POLICY FOR SOFTWARE ........................................... 36

8.1 MANAGING OPERATIONAL PROGRAM LIBRARIES:...................................................... 368.2 MANAGING PROGRAM SOURCE LIBRARIES:................................................................ 36

8.3 CONTROLLING PROGRAM LISTING.............................................................................. 36

8.4 CONTROLLING PROGRAM SOURCE LIBRARIES ............................................................ 378.5 CONTROLLING OLD VERSIONS OF PROGRAMS ............................................................ 37

9 SECURITY POLICY FOR CYBER CRIME....................................... 37

9.1 RECOMMENDATIONS ON TO WEB SERVERS AND EMAIL ............................................. 38

10 BACKUP POLICIES......................................................................... 39

10.1 BACKUP PROCESS ....................................................................................................... 39

10.2 RESTORATION PROCESS.............................................................................................. 40

10.3 RECOMMENDATIONS ON BACKUP AND RECOVERY & DISASTERPLANNING .............. 41

11 LAN SECURITY............................................................................... 4211.1 NETWORKORGANIZATION ......................................................................................... 42

11.2 NETWORKSECURITY .................................................................................................. 43

11.3 NETWORKSOFTWARE................................................................................................. 4611.4 NETWORKHARDWARE ............................................................................................... 48

11.5 LAN BACKUP AND RECOVERY POLICIES.................................................................... 49

11.6 LAN PURCHASING POLICY......................................................................................... 49

12 ROLE OF SYSTEM ADMINISTRATOR IN VIRUS PROTECTION... 50

12.1 COMPUTERVIRUSES: DETECTION AND REMOVAL METHODS ..................................... 50

12.2 COMPUTERVIRUS CLASSIFICATION............................................................................ 60

12.3 RECOMMENDATION FORANTIVIRUS SOFTWARE USAGE ............................................. 62

13 STAFF AWARENESS AND TRAINING ........................................... 63

13.1 STAFF AWARENESS..................................................................................................... 63

13.2 TRAINING.................................................................................................................... 64

14 RECOMMENDATIONS FOR SYSTEM ADMINISTRATOR.............. 66

D. POLICY FOR DBA................................................................... 68

15 SECURITY POLICY FOR DBA........................................................ 70

15.1 POLICY ON TRANSFERRING AND EXCHANGING DATA................................................. 7015.2 POLICY ON MANAGING DATA STORAGE ..................................................................... 7115.3 POLICY ON MANAGING DATABASES ........................................................................... 71

15.4 POLICY ON PERMITTING EMERGENCY DATA AMENDMENT......................................... 72

15.5 POLICY ON SETTING UPNEW DATABASES .................................................................. 7215.6 SECURITY POLICY FORDATABASE.............................................................................. 72

15.7 GUIDELINES/RECOMMENDATION FORDBA................................................................ 74

15.8 DBA SKILLS............................................................................................................... 74


5/90


E. AUDIT POLICY ......................................................................... 76

16 INFORMATION SYSTEMS AUDIT POLICY .................................... 78

16.1 INTRODUCTION ........................................................................................................... 78

16.2 AUDIT POLICY ............................................................................................................ 78

16.3 QUESTIONNAIRE FORAUDIT ....................................................................................... 80

F. ANNEXURE ................................................................................ 84


6/90



7/90


1 Introduction

1.1 Information Security

,QIRUPDWLRQ6HFXULW\3ROLFLHVDUHWKHFRUQHUVWRQHRILQIRUPDWLRQVHFXULW\HIIHFWLYHQHVV7KH6HFXULW\3ROLF\LV LQWHQGHGWRGHILQHZKDWLVH[SHFWHGIURPDQRUJDQL]DWLRQZLWKUHVSHFWWRVHFXULW\RI,QIRUPDWLRQ6\VWHPV7KHRYHUDOOREMHFWLYHLVWRFRQWURORUJXLGHKXPDQEHKDYLRULQDQDWWHPSWWRUHGXFHWKHULVNWRLQIRUPDWLRQDVVHWVE\DFFLGHQWDORUGHOLEHUDWHDFWLRQV,QIRUPDWLRQ VHFXULW\ SROLFLHV XQGHUSLQ WKH VHFXULW\ DQG ZHOO EHLQJ RI LQIRUPDWLRQUHVRXUFHV7KH\DUHWKHIRXQGDWLRQWKHERWWRPOLQHRILQIRUPDWLRQVHFXULW\ZLWKLQDQRUJDQL]DWLRQ:HDOOSUDFWLFHHOHPHQWVRIGDWDVHFXULW\$WKRPHIRUH[DPSOHZHPDNHVXUHWKDWGHHGVDQGLQVXUDQFHGRFXPHQWVDUHNHSWVDIHO\VRWKDWWKH\DUHDYDLODEOHZKHQZH

QHHGWKHP$OORIILFHLQIRUPDWLRQGHVHUYHVWREHWUHDWHGLQWKHVDPHZD\,QDQRIILFHKDYLQJWKHULJKWLQIRUPDWLRQDWWKHULJKWWLPHFDQPDNHWKHGLIIHUHQFHEHWZHHQVXFFHVVDQG IDLOXUH 'DWD 6HFXULW\ ZLOO KHOS WKH XVHU WR FRQWURO DQG VHFXUH LQIRUPDWLRQ IURPLQDGYHUWHQWRUPDOLFLRXVFKDQJHVDQGGHOHWLRQVRUXQDXWKRUL]HGGLVFORVXUH7KHUHDUHWKUHHDVSHFWVRIGDWDVHFXULW\Confidentiality3URWHFWLQJLQIRUPDWLRQIURPXQDXWKRUL]HGGLVFORVXUHOLNHWRWKHSUHVVRU WKURXJK LPSURSHU GLVSRVDO WHFKQLTXHVRU WKRVH ZKR DUHQRWHQWLWOHGWR KDYH WKHVDPHIntegrity 3URWHFWLQJ LQIRUPDWLRQ IURP XQDXWKRUL]HG PRGLILFDWLRQ DQG HQVXULQJ WKDWLQIRUPDWLRQ VXFK DV D EHQHILFLDU\ OLVW FDQ EH UHOLHG XSRQ DQG LV DFFXUDWH DQG

FRPSOHWHAvailabi li ty(QVXULQJLQIRUPDWLRQLVDYDLODEOHZKHQLWLVUHTXLUHG'DWDFDQEHKHOGLQPDQ\GLIIHUHQWDUHDVVRPHRIWKHVHDUH 1HWZRUN6HUYHUV 3HUVRQDO&RPSXWHUVDQG:RUNVWDWLRQV /DSWRSDQG+DQGKHOG3&V 5HPRYDEOH 6WRUDJH 0HGLD )ORSS\ 'LVNV &'5206 =LS 'LVNV )ODVK 'ULYH

HWF 'DWD%DFNXS0HGLD7DSHVDQG2SWLFDO'LVNV

1.2 Data Loss Prevention

/HDGLQJ&DXVHVRI'DWD/RVV 1DWXUDO'LVDVWHUV 9LUXVHV +XPDQ(UURUV 6RIWZDUH0DOIXQFWLRQ +DUGZDUH6\VWHP0DOIXQFWLRQ&RPSXWHUVDUHPRUHUHOLHGXSRQQRZWKDQHYHURUPRUHWRWKHSRLQWWKHGDWDWKDWLVFRQWDLQHGRQWKHP,QQHDUO\HYHU\LQVWDQWWKHV\VWHPLWVHOIFDQEHHDVLO\UHSDLUHGRU


8/90


UHSODFHGEXWWKHGDWDRQFHORVWPD\QRWEHUHWUDFHDEOH7KDWVZK\RIUHJXODUV\VWHPEDFNXSVDQGWKHLPSOHPHQWDWLRQRIVRPHSUHYHQWDWLYHPHDVXUHVDUHDOZD\V VWUHVVHGXSRQNatural Disasters:KLOH WKHOHDVW OLNHO\ FDXVH RI GDWD ORVV D QDWXUDOGLVDVWHU FDQKDYH D GHYDVWDWLQJ

HIIHFWRQWKHSK\VLFDOGULYH,Q LQVWDQFHVRIVHYHUHKRXVLQJGDPDJHVXFKDVVFRUHGSODWWHUVIURPILUHZDWHUHPXOVLRQGXHWRIORRGRUEURNHQRUFUXVKHGSODWWHUVWKHGULYHPD\EHFRPHXQUHFRYHUDEOH7KH EHVW ZD\ WR SUHYHQW GDWD ORVV IURP D QDWXUDO GLVDVWHU LV DQoff site back up6LQFHLWLVQHDUO\LPSRVVLEOHWRSUHGLFWWKHDUULYDORIVXFKDQHYHQWWKHUHVKRXOGEHPRUHWKDQRQHFRS\RI WKHV\VWHPEDFNXSNHSWRQHRQVLWHDQGRQHRII7KHW\SHRIPHGLDEDFNXSZLOOGHSHQGRQV\VWHPVRIWZDUHDQGWKHUHTXLUHGIUHTXHQF\QHHGHGWREDFNXS$OVREHVXUHWRFKHFNEDFNXSVWREHFHUWDLQWKDWWKH\KDYHSURSHUO\EDFNHGXSViruses

9LUDO LQIHFWLRQ LQFUHDVHVDWUDWH RIQHDUO\ QHZ 7URMDQV H[SORLWV DQGYLUXVHVHYHU\ PRQWK 7KHUH DUH DSSUR[LPDWHO\ wild RU ULVN SRVLQJ YLUXVHV VRXUFH6$5&GDWHG6HS:LWKWKRVHQXPEHUVJURZLQJHYHU\GD\V\VWHPVDUHDWDQHYHULQFUHDVLQJULVNWREHFRPHLQIHFWHGZLWKDYLUXV7KHUHDUHVHYHUDOZD\VWRSURWHFWDJDLQVWDYLUDOWKUHDW ,QVWDOOD)LUHZDOORQV\VWHPWRSUHYHQWKDFNHUVDFFHVVWRXVHUVGDWD ,QVWDOO DQ DQWLYLUXV SURJUDP RQ WKH V\VWHP DQG XVH LWUHJXODUO\ IRU VFDQQLQJ

DQG UHPRYH WKH YLUXV LI WKH V\VWHP KDV EHHQ LQIHFWHG 0DQ\ YLUXVHV ZLOO OLHGRUPDQW RU SHUIRUP PDQ\ PLQRU DOWHUDWLRQV WKDW FDQ FXPXODWLYHO\ GLVUXSWV\VWHPZRUNV%HVXUHWRFKHFNIRUXSGDWHVIRUDQWLYLUXVSURJUDPRQDUHJXODUEDVLV

%DFNXSDQGEHVXUHWRWHVWEDFNXSVIURPLQIHFWLRQDVZHOO7KHUHLVQRXVHWRUHVWRUHYLUXVLQIHFWHGEDFNXS

%HZDUH RI DQ\ HPDLO FRQWDLQLQJ DQ DWWDFKPHQW ,I LW FRPHV IURP DQRQ\PRXVVHQGHURUGRQWNQRZIURPZKHUHLWKDVFRPHRUZKDWLWLVWKHQGRQWRSHQLW

MXVWGHOHWHLWEORFNWKHVHQGHUIRUIXWXUHPDLOHuman Errors(YHQLQWRGD\VHUDRIKLJKO\WUDLQHGFHUWLILHGDQGFRPSXWHU OLWHUDWH VWDIILQJWKHUHLVDOZD\V URRP IRU WKH WLPHOHVVQHVV RI DFFLGHQWV 7KHUH DUH IHZ WKLQJV WKDW PLJKW EHIROORZHG %HDZDUH,WVRXQGVVLPSOHHQRXJKWRVD\EXWQRWVRHDV\WRSHUIRUP:KHQ

WUDQVIHUULQJGDWDEHVXUHLWLVJRLQJWRWKHGHVWLQDWLRQ,IDVNHGWould you liketo replace the existing filePDNHVXUHEHIRUHFOLFNLQJ\HV

,QFDVHRIXQFHUWDLQW\DERXWDWDVNPDNHVXUHWKHUHLVDFRS\RIWKHGDWDWRUHVWRUHIURP

7DNH H[WUD FDUH ZKHQ XVLQJ DQ\ VRIWZDUH WKDW PD\ PDQLSXODWH GULYHV GDWDVWRUDJHVXFKDVSDUWLWLRQPHUJHUVIRUPDWFKDQJHVRUHYHQGLVNFKHFNHUV

%HIRUHXSJUDGLQJWRDQHZ2SHUDWLQJ6\VWHPWDNHEDFNXSRIPRVWLPSRUWDQWILOHVRU GLUHFWRULHV LQFDVHWKHUH LVD SUREOHP GXULQJ WKH LQVWDOODWLRQ.HHSLQPLQGVODYHGGDWDGULYHFDQDOVREHIRUPDWWHGDVZHOO

1HYHUVKXWWKHV\VWHPGRZQZKLOHSURJUDPVDUHUXQQLQJ7KHRSHQILOHVZLOOPRUHOLNHO\EHFRPHWUXQFDWHGDQGQRQIXQFWLRQDO


9/90


Software Malfunction6RIWZDUHPDOIXQFWLRQLVDQHFHVVDU\HYLOZKHQXVLQJDFRPSXWHU(YHQWKHZRUOGVWRSSURJUDPVFDQQRWDQWLFLSDWHHYHU\HUURUWKDWPD\RFFXURQDQ\JLYHQSURJUDP7KHUHDUHVWLOOIHZWKLQJVWKDWFDQOHVVHQWKHULVNV %HVXUHWKHVRIWZDUHXVHGZLOOPHDQW21/


10/90


11/90


A. Policy For General Users


12/90



13/90


2 Polic ies for General Users

2.1 Using Floppies/ CD/ Flash Drives

)ORSS\ VKRXOG EH XVHG LQ FRQVXOWDWLRQ ZLWK V\VWHP DGPLQLVWUDWRULQFKDUJHFRPSXWHUFHQWHUDQGVKRXOGEHVFDQQHGEHIRUHXVH

8QRIILFLDO)ORSSLHV&'VRU)ODVK'ULYHVVKRXOGQRWEHXVHGRQRIILFHV\VWHPV

)ORSS\ VKRXOG EH ZULWHSURWHFWHG LI GDWD LV WR EH WUDQVIHUUHG IURP IORSS\ WR

V\VWHP

2.2 Password

.HHSWKHV\VWHPVFUHHQVDYHUHQDEOHGZLWKSDVVZRUGSURWHFWLRQ

'RQWVKDUHRUGLVFORVH\RXUSDVVZRUG8VHUVKRXOGQRWKDYHHDVLO\GHWHFWDEOHSDVVZRUGVIRU1HWZRUNDFFHVVVFUHHQ

VDYHUHWF$ VWURQJ SDVVZRUG PXVW EH DV ORQJ DV SRVVLEOH LQFOXGH PL[HGFDVH OHWWHUV

LQFOXGH GLJLWV DQG SXQFWXDWLRQ PDUNV QRW EH EDVHG RQ DQ\ SHUVRQDOLQIRUPDWLRQQRWEHEDVHGRQDQ\GLFWLRQDU\ZRUGLQDQ\ODQJXDJH

1HYHUXVHWKHVDPHSDVVZRUGWZLFH

&KDQJHSDVVZRUGDWUHJXODULQWHUYDOV

2.3 Backup

%DFNXSVKRXOGEHPDLQWDLQHGUHJXODUO\RQWKHVSDFHSURYLGHGRQFHQWUDOVHUYHURIWKHGHSDUWPHQWRURQWKHVWRUDJHPHGLDDVSHUGHSDUWPHQWSROLF\

.HHSSDSHUFRS\RIVHUYHUFRQILJXUDWLRQILOH

.HHSWKH'$7VRURWKHUUHPRYDEOHPHGLDLQDVHFXUHORFDWLRQDZD\IURPWKHFRPSXWHU

$OZD\VEDFNXSWKHGDWDEHIRUHOHDYLQJWKHZRUNVWDWLRQ

)RUVHQVLWLYHDQGLPSRUWDQWGDWDRIIVLWHEDFNXSVKRXOGEHXVHG


14/90


2.4 Physical Safety of System

3URWHFW WKH V\VWHP IURP XQDXWKRUL]HG XVH ORVV RU GDPDJH HJ WKH GRRUVKRXOGEHORFNHGZKHQQRWLQWKHRIILFH

.HHSSRUWDEOHHTXLSPHQWVHFXUH

3RVLWLRQPRQLWRUDQGSULQWHUVVRWKDWRWKHUVFDQQRWVHHVHQVLWLYHGDWD

.HHSIORSS\GLVNVDQGRWKHUPHGLDLQDVHFXUHSODFH

6HHNDGYLFHRQGLVSRVDORIHTXLSPHQW

5HSRUW DQ\ ORVV RI GDWD RU DFFHVVRULHVWR WKH6\VWHP $GPLQLVWUDWRULQFKDUJH

FRPSXWHUFHQWHU

.HHSWKHV\VWHPDQGVHQVLWLYHGDWDVHFXUHIURPRXWVLGHUV

*HWDXWKRUL]DWLRQEHIRUHWDNLQJHTXLSPHQWRIIVLWH

7DNHFDUHZKHQPRYLQJHTXLSPHQW5HDGLQVWUXFWLRQRQPRYLQJHTXLSPHQW

,QVWDOO 836 V\VWHP ZLWKDGHTXDWH EDWWHU\ EDFNXSVWRDYRLG DQ\ GDWD ORVV RU

FRUUXSWLRQGXHWRSRZHUIDLOXUH6\VWHPVKRXOGEHSURSHUO\VKXWGRZQEHIRUHOHDYLQJWKHRIILFH

/RJRIIWKHV\VWHPLI\RXDUHOHDYLQJ\RXUVHDW

1HYHUUHPRYHWKHFDEOHVZKHQ\RXU3&LVSRZHUHG21VLQFHWKLVFDQFDXVH

DQHOHFWULFDOVKRUWFLUFXLW'RQRWVWRSVFDQGLVNLIV\VWHPSURPSWVWRUXQLWDWWKHWLPHRIV\VWHPVWDUWXS

$OZD\VXVHPRXVHRQPRXVHSDG

%HJHQWOHZKLOHKDQGOLQJNH\ERDUGDQGPRXVH

'RQRWRSHQFDVHRIWKHKDUGZDUH

0DNHVXUHWKDWWKHUHLVVRPHVODFNLQWKHFDEOHVDWWDFKHGWR\RXUV\VWHP

2.5 Computer Files

$OO ILOH OHYHOVHFXULW\GHSHQGVXSRQWKHILOH V\VWHP2QO\WKH PRVW VHFXUHILOHV\VWHP VKRXOG EH FKRVHQIRU WKH VHUYHU 7KHQ XVHU SHUPLVVLRQ IRU LQGLYLGXDOILOHVIROGHUVGULYHVVKRXOGEHVHW


15/90


$Q\GHIDXOWVKDUHVVKRXOGEHUHPRYHG2QO\UHTXLUHGILOHDQGREMHFWVKDUHVVKRXOGEHHQDEOHGRQWKHVHUYHU1HYHUGRZQORDGRUUXQDWWDFKHGILOHVIURPXQNQRZQHPDLO,'

$OZD\VNHHSILOHVLQWKHFRPSXWHULQRUJDQL]HGPDQQHUIRUHDV\DFFHVVLELOLW\,I

UHTXLUHGFUHDWHQHZIROGHUVDQGVXEIROGHUV$YRLGFUHDWLQJMXQNILOHVDQGIROGHUV

6\VWHP ILOHV DQG OLEUDULHV VKRXOG QRW EH DFFHVVHG DV LW FDQ FDXVH

PDOIXQFWLRQLQJRIV\VWHP:KHQWUDQVIHUULQJGDWDEHVXUHLWLVJRLQJWRWKHGHVWLQDWLRQ,IDVNHGWould

you like to replace the existing filePDNHVXUHEHIRUHFOLFNLQJ\HV

2.6 General Instruct ions

,QFDVHRIXQFHUWDLQW\DERXWDWDVNPDNHVXUHWKHUHLVDFRS\RIWKHGDWDWRUHVWRUHIURP

)ROORZ LQVWUXFWLRQV RU SURFHGXUHV WKDW FRPHV IURP 6\VWHP

DGPLQLVWUDWRU,QFKDUJHFRPSXWHUFHQWUHWLPHWRWLPH8VHUVDUHQRWVXSSRVHGWRGRKLVRUKHUSHUVRQDOZRUNRQFRPSXWHUV

3OHDVH LQWLPDWH 6\VWHP DGPLQLVWUDWRU,QFKDUJH FRPSXWHU FHQWUH LQ FDVH RI

V\VWHPPDOIXQFWLRQ8VHU VKRXOG DOZD\V ZRUN RQ KLVKHU DOORWWHG PDFKLQHV ,Q FDVH RI DQ\

XUJHQF\HPHUJHQF\XVHUPD\XVHRWKHUVPDFKLQHZLWKFRQVXOWDWLRQRI6\VWHPDGPLQLVWUDWRU,QFKDUJHFRPSXWHUFHQWUH

$QWLYLUXV VRIWZDUH VKRXOG EH XSGDWHG WLPHO\ LQ FRQVXOWDWLRQ ZLWK 6\VWHP

$GPLQLVWUDWRU,QFKDUJHFRPSXWHUFHQWUH

'RQWJLYHRWKHUVWKHRSSRUWXQLW\WRORRNRYHU\RXUVKRXOGHULI\RXDUHZRUNLQJRQVHQVLWLYHGDWDFRQWHQWV

'RQRWXVHXQQHFHVVDU\VKDUHZDUH'R QRW LQVWDOO RU FRS\ VRIWZDUH RQ V\VWHP ZLWKRXW SHUPLVVLRQ RI 6\VWHP

DGPLQLVWUDWRU,QFKDUJHFRPSXWHUFHQWUH$YRLGXQQHFHVVDU\FRQQHFWLYLW\RI,QWHUQHW


16/90


'RQW SDQLF LQ FDVH V\VWHP KDQJV 5HSRUW LW \RXU ,7 1RGDO 2IILFHU6\VWHP

$GPLQLVWUDWRU,QFKDUJHFRPSXWHUFHQWUH,IORFNDQGNH\V\VWHPLVDYDLODEOHWKHQXVHUVKRXOGHQVXUHWKHVHFXULW\RIDOO

WKHSDUWVRIWKHFRPSXWHU

3OHDVHHQVXUHWKDWSUHLQVWDOOHG$QWLYLUXVLVUXQQLQJRQWKHV\VWHP

)RRG DQG GULQNV VKRXOG QRW EH SODFHG QHDU V\VWHPV &XS RI 7HD &RIIHH RU

ZDWHUJODVVVKRXOGQRWEHRQ&38RU0RQLWRURU.H\%RDUG$OZD\VSRZHURIIWKHV\VWHPZKHQFOHDQLQJLW1HYHUXVHZHWFORWKIRUZLSLQJWKHVFUHHQ

1HYHUVKXWWKHV\VWHPGRZQZKLOHSURJUDPVDUHUXQQLQJ7KHRSHQILOHVZLOO

PRUHOLNHO\EHFRPHWUXQFDWHGDQGQRQIXQFWLRQDO1HYHUVWDFNERRNVILOHVRURWKHUPDWHULDOVRQWKH&38

3ODFHWKHFRYHURQWKHFRPSXWHUVZKHQ\RXFORVHWKHFRPSXWHUVDWWKHHQGRI

WKHGD\


17/90


B. Policy For Department


18/90



19/90


3 Departmental Polic ies

'HSDUWPHQW VKRXOG KDYH D V\VWHP DGPLQLVWUDWRU RU LQFKDUJH RI FRPSXWHUFHQWUH

'HSDUWPHQWDOVWDIIVKRXOGEHDZDUHRI'HOKL*RYW6HFXULW\SROLFLHV 'HSDUWPHQW VKRXOG KDYH LWV RZQ ZULWWHQ VHFXULW\ SROLFLHV VWDQGDUGV DQG

SURFHVVHVLIQHHGHG 7KHUH VKRXOG EH FOHDUO\ GHILQHG V\VWHP VHFXULW\ SURFHGXUHV IRU WKH

$GPLQLVWUDWRU 3HUVRQQHOLQ WKHGHSDUWPHQWVKRXOGKDYHVXIILFLHQWDXWKRULW\WR DFFRPSOLVK,7

VHFXULW\UHODWHGGXWLHVDQGSROLFLHV

&RPSHWHQWSHUVRQQHOVKRXOGEHDYDLODEOHWREDFNXS,7VHFXULW\UHODWHGGXWLHVLQWKHHYHQWWKHUHJXODU6\VWHP$GPLQLVWUDWRULVXQDYDLODEOH

'HSDUWPHQWVKRXOGKDYHDSURFHVVWRDGGUHVVLQFLGHQWVRUFRPSURPLVHV &RPSXWHUHTXLSPHQWVKRXOGEHVLWXDWHGVDIHO\DQGIUHHIURPSRWHQWLDOGDQJHU

LHOHDN\URRIVHWF 8QLQWHUUXSWLEOH3RZHU6XSSOLHV836VKRXOGSURWHFWVHUYHUVDQGZRUNVWDWLRQV +HDWLQJ FRROLQJ DQGYHQWLODWLRQ VKRXOGNHHS \RXU V\VWHPVDW WKHDSSURSULDWH

WHPSHUDWXUHDQGKXPLGLW\ 'HSDUWPHQWVKRXOGKDYHSODQVWRXVHVRIWZDUHWKDWHQIRUFHVVWURQJSDVVZRUGV 7KHUHVKRXOGEHZULWWHQSURFHGXUHVIRUIRUJRWWHQSDVVZRUGV 3K\VLFDOVHFXULW\DXGLWVKRXOGEHFRQGXFWHG 'HSDUWPHQWVKRXOGKDYHSK\VLFDOVHFXULW\VWDQGDUGVDQGSURFHGXUHV 7KHUH VKRXOG EH SURFHGXUHV IRU ORFNLQJ ,7 RIILFHV WHOHSKRQH FORVHWV DQG

FRPSXWHUURRPV 'HSDUWPHQWVKRXOGKDYHDQDODUPV\VWHP $FFHVVHVVKRXOGEHVHFXUHZKHQRIILFHVGHSDUWPHQWVDUHYDFDQW :RUNVWDWLRQVDQGODSWRSVVKRXOGEHORFNHGGRZQWRGHWHUWKHIW

'HSDUWPHQW VKRXOG KDYH D QHWZRUN PDSGLDJUDP RI WKH /$1 /RFDO $UHD

1HWZRUN


20/90


7KHUHVKRXOGEHDSDUWQHUVKLSZLWKYHQGRUVZKRFDQKHOSLQDQHPHUJHQF\LI

\RXUHTXLSPHQWLVGDPDJHGGXHWRGLVDVWHU %DFNXSILOHVVKRXOGEHVHQWRIIVLWHWRDSK\VLFDOO\VHFXUHORFDWLRQ

'HSDUWPHQWVKRXOGVWRUHPHGLDRIIVLWH (QYLURQPHQW RI D VHOHFWHG RIIVLWH VWRUDJH DUHD WHPSHUDWXUH KXPLGLW\ HWF

VKRXOGEHZLWKLQWKHPDQXIDFWXUHUVUHFRPPHQGHGUDQJHIRUWKHEDFNXSPHGLD 'HSDUWPHQWVKRXOGKDYHDFRQILJXUDWLRQDVVHWFRQWUROSODQIRUDOOKDUGZDUHDQG

VRIWZDUHSURGXFWV 7UDLQHG DXWKRUL]HG LQGLYLGXDOV VKRXOG RQO\ EH DOORZHG WR LQVWDOO FRPSXWHU

HTXLSPHQWDQGVRIWZDUH


21/90


C. Policy For System Administrator


22/90



23/90


4 Security Policy for Purchasing Hardware

All purchases of new systems and hardware or new components for existing systemsmust be made in accordance with Information Security and other Organizationpolicies, as well as technical standards fixed by the govt. Such requests to purchasemust be based upon a User Requirements Specification document and take account

of longer term organizational operations needs.7KH SXUFKDVH RI QHZ FRPSXWHUV DQG SHULSKHUDOV UHTXLUHV FDUHIXO FRQVLGHUDWLRQ RIRSHUDWLRQVQHHGVEHFDXVHLWLVXVXDOO\H[SHQVLYHWRPDNHVXEVHTXHQWFKDQJHV,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ $SSURYDORISXUFKDVHRI1HZ6\VWHP+DUGZDUH 7KHV\VWHPPXVWKDYHDGHTXDWHFDSDFLW\RUHOVHLWPD\QRWEHDEOHWRSURFHVV

WKHGDWD

:KHUHKDUGZDUHPDLQWHQDQFHLVSRRURUXQUHOLDEOHLWJUHDWO\LQFUHDVHVWKHULVNWR WKHRUJDQL]DWLRQ EHFDXVH LQ WKHHYHQW RI IDLOXUHSURFHVVLQJFRXOG VLPSO\6723

8VHU UHTXLUHPHQW VSHFLILFDWLRQ LQFOXGLQJ GHSOR\PHQW DQG XVH RI DYDLODEOHUHVRXUFHVDQGSURSRVHGXVHRIQHZHTXLSPHQWV


24/90


5 Securi ty Policy for Access Control

3ROLF\IRUDFFHVVFRQWUROGHILQHVDFFHVVWRFRPSXWHUV\VWHPVWRYDULRXVFDWHJRULHVRIXVHUV$FFHVV&RQWUROVWDQGDUGVDUHWKHUXOHVZKLFKDQRUJDQL]DWLRQDSSOLHVLQRUGHU

WR FRQWURO DFFHVV WR LWV LQIRUPDWLRQ DVVHWV 6XFK VWDQGDUGV VKRXOG DOZD\V EHDSSURSULDWHWRWKHRUJDQL]DWLRQVRSHUDWLRQDQGVHFXULW\QHHGV7KHGDQJHUVRIXVLQJLQDGHTXDWHDFFHVVFRQWUROVWDQGDUGVUDQJHIURPLQFRQYHQLHQFHWRFULWLFDOORVVRUGDWDFRUUXSWLRQ

6HFXULW\IRU$FFHVV&RQWUROGHSHQGVXSRQIROORZLQJSRLQWV

5.1 Managing Access Control Standards

Access Control standards for information systems must be established bymanagement and should incorporate the need to balance restrictions to prevent

unauthorized access against the need to provide unhindered access to meetoperational needs.

,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ

7KH ODFN RI XQLIRUP VWDQGDUGV FRQWUROOLQJ WKH DFFHVV WR LQIRUPDWLRQ DQGV\VWHPVFDQOHDGWRGLVSDULWLHVDQGZHDNQHVVHV

:KHUH DFFHVV FRQWURO LV QRW PRGLILHG LQ UHVSRQVH WR HQKDQFHG VHQVLWLYLW\ RISURFHVVHG LQIRUPDWLRQ WKH ULVN RI D EUHDFK WR LWV FRQILGHQWLDOLW\ ZLOO LQFUHDVHSHUKDSVVXEVWDQWLDOO\

$FFHVV FRQWURO VWDQGDUGV WKDW DUH WRR WLJKW RU LQIOH[LEOH FDQ LPSHGH WKHGHSDUWPHQWVGD\WRGD\DFWLYLWLHVDQGIUXVWUDWHVWDII

5.2 Managing User Access

Access to all systems must be authorized by the owner of the system and suchaccess, including the appropriate access rights (or privileges) must be recorded in an

Access Control List. Such records are to be regarded as Highly Confidentialdocuments and safeguarded accordingly.

*RRG PDQDJHPHQW RIXVHU DFFHVVWR LQIRUPDWLRQV\VWHPVDOORZV WR LPSOHPHQW WLJKW

VHFXULW\FRQWUROVDQGWRLGHQWLI\EUHDFKHVRI$FFHVV&RQWUROVWDQGDUGV


/DFNRIDPDQDJHGDFFHVVFRQWUROSURFHGXUHFDQUHVXOWLQXQDXWKRUL]HGDFFHVVWRLQIRUPDWLRQV\VWHPVWKHUHE\FRPSURPLVLQJFRQILGHQWLDOLW\DQGSRWHQWLDOO\WKHLQWHJULW\RIWKHGDWD


25/90


/RJRQVFUHHQVRUEDQQHUVZKLFKVXSSO\LQIRUPDWLRQDERXWWKHV\VWHPSULRUWRVXFFHVVIXOORJRQVKRXOGEHUHPRYHGDVWKH\FDQDVVLVWXQDXWKRUL]HGXVHUVWRJDLQDFFHVV

:KHUHUHJXODWLRQDQGGRFXPHQWDWLRQRI$FFHVV&RQWUROKDVEHHQLQIRUPDOWKLVFDQIUXVWUDWHWKHUHDOORFDWLRQRIGXWLHVEHFDXVHWKHUHDUHQRUHFRUGVRIFXUUHQWDFFHVVULJKWVDQGSULYLOHJHV

$OORFDWLQJLQDSSURSULDWHSULYLOHJHVWRLQH[SHULHQFHGVWDIIFDQUHVXOWLQDFFLGHQWDOHUURUVDQGSURFHVVLQJSUREOHPV

5.3 Securing Unattended Workstations

Equipment is always to be safeguarded appropriately especially when leftunattended.

&RPSXWHU HTXLSPHQW ZKLFK LV ORJJHG RQ DQG XQDWWHQGHG FDQ SUHVHQW D WHPSWLQJWDUJHWIRUXQVFUXSXORXVVWDIIRUWKLUGSDUWLHVRQWKHSUHPLVHV+RZHYHUDOOPHDVXUHVWRPDNHLWVHFXUHVKRXOGREVHUYHWKH$FFHVV&RQWUROSROLF\


8QDXWKRUL]HG DFFHVV RI DQ XQDWWHQGHG ZRUNVWDWLRQ FDQ UHVXOW LQ KDUPIXO RUIUDXGXOHQWHQWULHVHJPRGLILFDWLRQRIGDWDIUDXGXOHQWHPDLOXVHHWF

$FFHVVWRDQXQDWWHQGHGZRUNVWDWLRQFRXOGUHVXOWLQGDPDJHWRWKHHTXLSPHQWGHOHWLRQRIGDWDDQGRUWKHPRGLILFDWLRQRIV\VWHPFRQILJXUDWLRQILOHV

5.4 Managing Network Access Controls

Access to the resources on the network must be strictly controlled to preventunauthorized access, Access to all computing and information systems andperipherals shall be restricted unless explicitly authorized.

&RQQHFWLRQVWRWKHQHWZRUNLQFOXGLQJXVHUVORJRQKDYHWR EHSURSHUO\PDQDJHGWRHQVXUHWKDWRQO\DXWKRUL]HGGHYLFHVSHUVRQVDUHFRQQHFWHG


8QDXWKRUL]HG DFFHVV WR SURJUDPV RU DSSOLFDWLRQV FRXOG OHDG WR IUDXGXOHQW

WUDQVDFWLRQVRUIDOVHHQWULHV :KHUHSK\VLFDORUORJLFDODFFHVVKDVQRWEHHQFRQWUROOHGXVHUVPD\ILQGDQG

H[SORLW XQLQWHQWLRQDO DFFHVV URXWHV WR V\VWHPV DQG QHWZRUN UHVRXUFHV )RUH[DPSOHWKH\FRQQHFWD ODSWRSWRDZDOOVRFNHWE\SDVVWKHORJLQVHUYHUDQGFRQQHFWGLUHFWO\WRWKHPDLQVHUYHU

8QDXWKRUL]HG H[WHUQDO DFFHVV WR WKH QHWZRUN ZLOO XVXDOO\ UHVXOW LQ GDPDJHFRUUXSWLRQDQGDOPRVWFHUWDLQORVVRIFRQILGHQWLDOLW\RILQIRUPDWLRQ6XFKKDFNVDUHXVXDOO\PRWLYDWHGE\PDOLFLRXVRUIUDXGXOHQWLQWHQW


26/90


,QFRPSOHWHRULQFRUUHFWGDWDLQDXVHUVQHWZRUNDFFHVVSURILOHFRXOGUHVXOWLQWKHLU EHLQJ SHUPLWWHG WR PRGLI\ GHOHWH RU KDYH DFFHVV WR FRQILGHQWLDOLQIRUPDWLRQRQLQDSSURSULDWHQHWZRUNUHVRXUFHV

0RGLILFDWLRQPDGHWRDQHWZRUNDFFHVVSURILOHZLWKRXWDGHTXDWHFKDQJHFRQWUROSURFHGXUHV LQ SODFH FRXOG UHVXOW LQ XQH[SHFWHG DQG SUREDEO\ DFFLGHQWDODFFHVVWRXQDXWKRUL]HGQHWZRUNUHVRXUFHV

8VHU ,' WKDW VXJJHVWV WKHLU SULYLOHJHV HJ D XVHU ,' RI DOOSULYV PD\ LQYLWHKDFNHUVWRWU\KDUGWRFUDFNWKHLUSDVVZRUG

&RQQHFWLRQV WR D WKLUG SDUW\ QHWZRUN HJ LQ HFRPPHUFH VLWXDWLRQV FDQQRWRQO\SRVVLEO\LQWURGXFHYLUXVHVEXWFDQDOVRGLVUXSWEXVLQHVVRSHUDWLRQVZKHUHGDWDLVLQDGYHUWHQWO\WUDQVPLWWHGLQWRWKHQHWZRUN

5.5 Controll ing Access to Operating System Software

Access to operating system commands is to be restricted to those persons who areauthorized to perform systems administration / management functions. Even, thensuch access must be operated under dual control requiring the specific approval of

senior management.

7KH RSHUDWLQJ V\VWHP FRQWUROV D FRPSXWHUV RSHUDWLRQ SUHORDGHG ZLWK LW DUHFRPPDQGV DQG XWLOLWLHV ZKLFK VHWXS DQG PDLQWDLQ WKH FRPSXWHUV HQYLURQPHQW $OOV\VWHPVIURP3&VWR ODUJHVHUYHUV VKRXOGEH KDUGHQHGWRUHPRYH DOOXQQHFHVVDU\GHYHORSPHQWWRROVDQGXWLOLWLHVSULRUWRGHOLYHU\WRHQGXVHUV

,QIRUPDWLRQ 6HFXULW\ LVVXHV WREH FRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKHSROLF\ LQFOXGHWKHIROORZLQJ

6WDII ZLWK DFFHVV WR WKH FRPPDQG OLQH FRXOG VXFFHHG LQ H[HFXWLQJ V\VWHP

FRPPDQGVZKLFKFRXOGGDPDJHDQGFRUUXSWWKHV\VWHPDQGGDWDILOHV 2SHUDWLQJ V\VWHP FRPPDQGV FRXOG EH XVHG WR GLVDEOHRU FLUFXPYHQW DFFHVV

FRQWURODQGDXGLWORJIDFLOLWLHVHWF

5.6 Managing Passwords

The selection of passwords, their use and management as a primary means tocontrol access to systems is to strictly adhere to best practice guideline. In particular,passwords shall not be shared with any other person for any reason.

0RVW FRPSXWHU V\VWHPV DUH DFFHVVHG E\ D FRPELQDWLRQ RI 8VHU ,' DQG SDVVZRUG

7KLV SROLF\ GLVFXVVHV WKH PDQDJHPHQW RI SDVVZRUGV IURP DQ DGPLQLVWUDWRUVSHUVSHFWLYH


3DVVZRUG DOORFDWLRQYLD WKH6\VWHP$GPLQLVWUDWRURURWKHU WHFKQLFDOVWDII FDQFRPSURPLVH DFFHVVFRQWURO GXULQJZKLFKWLPHXQDXWKRUL]HG DFFHVV PD\WDNHSODFH7KLVZLOOEHDQXQDFFHSWDEOHULVNIRUKLJKO\VHQVLWLYHV\VWHPV


27/90


3DVVZRUGVWKDW DUHVKDUHGPD\ DOORZXQDXWKRUL]HGDFFHVVWR WKH LQIRUPDWLRQV\VWHPV

8VHUVZKRQHHGWRDFFHVVPXOWLSOHV\VWHPVPD\NHHSDKDQGZULWWHQQRWHRIWKH GLIIHUHQW SDVVZRUGV HJ LQ D GLDU\ HVSHFLDOO\ ZKHUH WKH\ DUH FKDQJHGIUHTXHQWO\ +RZHYHU VXFK LQVHFXUH UHFRUGV PDNH DQ HDV\ WDUJHW IRU LOOLQWHQWLRQHGSHUVRQVZLVKLQJWREUHDNLQWRWKHV\VWHP

5.7 Securing Against Unauthor ized Physical Access

Physical access to high security areas is to be controlled with strong identificationand authentication techniques. Staff with authorization to enter such areas is to beprovided with information on the potential security risks involved.

3HUVRQDO ZKR ZRUN LQ RU KDYH DFFHVV WR KLJK VHFXULW\ DUHDV PD\ EH SXW XQGHUSUHVVXUH WR UHYHDO DFFHVV FRGHV RU NH\V RU WR EUHDFK VHFXULW\ E\ SHUIRUPLQJXQDXWKRUL]HGLOOHJDOWDVNVVXFKDVFRS\LQJFRQILGHQWLDOLQIRUPDWLRQ7KHRUJDQL]DWLRQVKRXOG SURYLGH DGHTXDWH LQIRUPDWLRQ UHJDUGLQJ DQG VDIHJXDUGV WR SUHYHQW VXFK

HYHQWXDOLWLHV


$ PHPEHU RI VWDII PD\ EH WKUHDWHQHG RU FRHUFHG WR GLVFORVH FRQILGHQWLDODFFHVVFRGHVSURFHGXUHVRULQIRUPDWLRQDERXWWKHRUJDQL]DWLRQVV\VWHPV

$ PHPEHU RI VWDII PD\ EH WKUHDWHQHG RU FRHUFHG RXWVLGH WKH ZRUN SODFH WRGLVFORVH FRQILGHQWLDO DFFHVV FRGHV SURFHGXUHV RU LQIRUPDWLRQ DERXW WKHRUJDQL]DWLRQVV\VWHPV

6HFXULW\DVSHFWVVKRXOGEHGHVLJQHGLQVXFKDPDQQHUWKDWWKHUHVSRQVLELOLW\RIKLJKVHFXULW\ GDWD FDQ EH DFFHVVLEOH DPRQJ YDULRXV RIILFHUV ,Q FDVH VHFXULW\ EUHDFKRFFXUVDWRQHOHYHOLWFDQEHSUHYHQWHGRQRWKHUOHYHOV7KHDSSOLFDWLRQVKRXOGKDYHPXOWLOHYHOSDVVZRUGDXWKHQWLFDWLRQLHWKHGDWDFRXOGEHDFFHVVLEOHRQO\DIWHUDXWKHQWLFDWLRQE\JURXSRIDXWKRUL]HGSHUVRQQHO

5.8 Restricting Access

Access controls are to be set at an appropriate level which minimizes informationsecurity risks yet also allows the organizations business activities to be carriedwithout undue hindrance.

$FFHVV WR V\VWHPV DQG WKHLU GDWD PXVW EH UHVWULFWHG WR HQVXUH WKDW LQIRUPDWLRQ LVGHQLHGWRXQDXWKRUL]HGXVHUV

+RZHYHULQDSSURSULDWHUHVWULFWLRQVFRXOGUHVXOWLQLQGLYLGXDOXVHUVEHLQJXQDEOHWRGRWKHLU MRE DQG FDXVH GHOD\V DQG HUURUV LQ OHJLWLPDWH GDWD SURFHVVLQJ 6LPLODUO\H[FHVVLYH SULYLOHJH FRXOG DOORZ DQ DXWKRUL]HG XVHU WR GDPDJH LQIRUPDWLRQ V\VWHPVDQGILOHVFDXVLQJGHOD\VDQGHUURUV


28/90



([FHVVLYHV\VWHPVSULYLOHJHVFRXOGDOORZDXWKRUL]HGXVHUVWRPRGLI\RUPRUHOLNHO\ FRUUXSWGHVWUR\ WKH RSHUDWLQJ V\VWHP FRQILJXUDWLRQ DQG DSSOLFDWLRQVRIWZDUHVHWWLQJZLWKJUDYHUHVXOWV

/DFNRIDFFHVVUHVWULFWLRQVFRXOGo $OORZVWDIIDQGWKLUGSDUWLHVWRPRGLI\GRFXPHQWVDQGRWKHUGDWDILOHo 5LVN ORVV RI FRQILGHQWLDOLW\ DQG LQWHJULW\ DQG DOVR SRVVLEOH OHJDO IRU

SRWHQWLDOLQIULQJHPHQWVRIWKH'DWD3URWHFWLRQ$FWRUORFDOHTXLYDOHQW

5.9 Monitoring System Access and Use

Access is to be logged and monitored to identify potential misuse of systems orinformation.

6\VWHP DFFHVV PXVW EH PRQLWRUHG UHJXODUO\ WR SUHYHQW DWWHPSWV DW XQDXWKRUL]HG

DFFHVVDQGWRFRQILUPWKDWDFFHVVFRQWUROVWDQGDUGVDUHHIIHFWLYH

,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ :LWKRXWIUHTXHQWPRQLWRULQJLWLVGLIILFXOWWRDVVHVVWKHHIIHFWLYHQHVVRIDFFHVV

FRQWUROV8QDXWKRUL]HGDFFHVVFDQUHPDLQXQGHWHFWHGHQDEOLQJNQRZOHGJHRIWKLVVHFXULW\KROHWREHSDVVHGWRSHUVRQVZLWKSRVVLEOHPDOLFLRXVRUIUDXGXOHQWLQWHQW7KHFRQVHTXHQFHVFDQEHVHULRXV

:LWKRXW KDUG HYLGHQFH RI D VHFXULW\ EUHDFK LW LV GLIILFXOW WR WDNH GLVFLSOLQDU\DFWLRQDQGLWPD\EHLPSRVVLEOHWRWDNHOHJDODFWLRQ

5.10 Giving Access to Files and Documents

Access to information and documents is to be carefully controlled, ensuring that onlyauthorized personal may have access to sensitive information.


:LWKSRRURULQDGHTXDWHDFFHVVFRQWURORYHUGRFXPHQWVDQGILOHVLQIRUPDWLRQPD\ EH FRSLHG RU PRGLILHG E\ XQDXWKRUL]HG SHUVRQV RU EHFRPH FRUUXSWHG

XQLQWHQWLRQDOO\RUPDOLFLRXVO\ :KHUHWKH$FFHVV&RQWUROLVVHHQDVRYHUO\UHVWULFWLYHXVHUVFRXOGEHWHPSWHG

WRVKDUHSULYLOHJHGDFFRXQWVORJLQSDVVZRUGLQRUGHUWRDFFHVVLQIRUPDWLRQ

5.11 Managing Higher Risks System Access

Access Controls for highly sensitive information or high risk systems are to be set inaccordance with the value and classification of the information assets beingprotected.


29/90


+LJK ULVN V\VWHPV UHTXLUH PRUH VWULQJHQW DFFHVV FRQWURO VDIHJXDUGV GXH WR WKHFRQILGHQWLDOLW\RIWKHLQIRUPDWLRQWKH\SURFHVVDQGRUWKHSXUSRVHRIWKHV\VWHPHJWKH IXQGV WUDQVIHU V\VWHPV XVHG E\ EDQNV ,GHDOO\ WKH RSHUDWLQJ V\VWHPV IRU VXFKV\VWHPVVKRXOGEHKDUGHQHGWRIXUWKHUHQKDQFHVHFXULW\,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGH

WKHIROORZLQJ $FFHVV WR D FULWLFDO V\VWHP IURP D ZRUNVWDWLRQ H[WHUQDO WR LWV GHVLJQDWHG

RSHUDWLRQDUHDFDQWKUHDWHQLWVLQWHJULW\DQGVDIHW\ $FFHVVFRQWURO ERWKSK\VLFDO DQGORJLFDOVKRXOGEH PHDVXUDEO\ KLJKHUWKDQ

IRURWKHUV\VWHPV 'XDOFRQWURODQGVHJUHJDWLRQRIGXWLHVVKRXOGEHFRQVLGHUHGIRUDOOIXQFWLRQV 3ULYLOHJHVVKRXOGEHUHGXFHGWRWKHORZHVWOHYHOWRUHDVRQDEO\SHUIRUPWKHMRE

FRQFHUQHG 3HUVRQDOVKRXOGEHFDUHIXOO\VHOHFWHGZLWKWKHLUUHFRUGVYHWWHGIRUVXLWDELOLW\IRU

VXFKMREV

5.12 Controll ing Remote User Access

Remote access control procedures must provide adequate safeguards through robustidentification, authentication and encryption techniques.

5HPRWH XVHUV HLWKHU WHOHZRUNHUV RU SHUVRQDO RQ RIILFLDO WULSV HWF PD\ QHHG WRFRPPXQLFDWH GLUHFWO\ ZLWK WKHLU RUJDQL]DWLRQV V\VWHPV WR UHFHLYHVHQG GDWD DQGXSGDWHV

6XFK XVHUV DUH SK\VLFDOO\ UHPRWHDQGWKH\ ZLOORIWHQ EH FRQQHFWLQJ WKURXJK SXEOLF

LQVHFXUHQHWZRUNV7KLVLQFUHDVHVWKHWKUHDWRIXQDXWKRUL]HGDFFHVV


7KHXVHRID8VHU,'DQGSDVVZRUGDVWKHVROHPHDQVRIDFFHVVFRQWUROPD\SURYLGH LQDGHTXDWH VHFXULW\ WR HQDEOH DFFHVV WR WKH RUJDQL]DWLRQV V\VWHPHVSHFLDOO\ZKHUHWHOHSKRQHGLDOXSDFFHVVLVSHUPLWWHG

5.13 Recommendations On Accounts and Passwords

3DVVZRUGVVKRXOGEHFKDQJHGIUHTXHQWO\ 'HSDUWPHQW VKRXOG KDYH DQ DFFRXQW UHPRYDO SURFHVV IRU SHUVRQV ZKR KDYH

JRQHRXWRIGHSDUWPHQW 'HSDUWPHQWVKRXOGKDYHDPHWKRGIRULGHQWLI\LQJXQDXWKRUL]HGXVHUV5HJXODU

FURVVFKHFNLQJVKRXOGEHGRQHWRPDNHVXUHWKHSUHVHQFHRIDXWKRUL]HXVHU7KLVFDQEHGRQHWKURXJKYHULI\LQJZLWKRWKHUPDLQWDLQHGGDWDOLNHDWWHQGDQFHUHFRUGHWF

6WDIIVVKRXOGUHFHLYHFRPSXWHUVHFXULW\DZDUHQHVVWUDLQLQJ 'HSDUWPHQW VKRXOG PDLQWDLQ D 'RFXPHQW RI LGHQWLWLHV KDYLQJ URRW DFFHVV WR

GHSDUWPHQWDOLQIRUPDWLRQ


30/90


'HSDUWPHQW VKRXOG PDLQWDLQ WKH LGHQWLW\ RI WKRVH KDYLQJ UHPRWH DFFHVV WRGHSDUWPHQWDOLQIRUPDWLRQ

7KHUH VKRXOG EH ZULWWHQ SURFHGXUHV IRU FORVLQJ DFFRXQWV ZKHQ DQ HPSOR\HHWHUPLQDWHVHPSOR\PHQWRUPRYHVRXWRIWKHGHSDUWPHQW


31/90


6 Securi ty Policy For Networks

6.1 Configuring Networks

The network must be designed and configured to deliver high performance andreliability to meet the needs of the operations whilst providing a high degree of accesscontrols and range of privilege restrictions.7KH FRQILJXUDWLRQ RI QHWZRUN LPSDFWV GLUHFWO\ RQ LWV SHUIRUPDQFH DQG DIIHFWV LWVVWDELOLW\DQGLQIRUPDWLRQVHFXULW\,QIRUPDWLRQ VHFXULW\ LVVXHVWREHFRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKHSROLF\ LQFOXGHWKHIROORZLQJ

3RRUQHWZRUNVWDELOLW\FDQWKUHDWHQRSHUDWLRQV ,QDGHTXDWH FRQWURO RYHU DFFHVV WR QHWZRUN FDQ MHRSDUGL]H WKH FRQILGHQWLDOLW\

DQGLQWHJULW\RIGDWD 6ORZRULQDGHTXDWHV\VWHPUHVSRQVHWLPHVLPSHGHWKHSURFHVVLQJ

6.2 Managing the Network

Suitably qualified staff are to manage the organizations network, and preserve itsintegrity in collaboration with the nominated individual system owners.

$OOEXWWKHVPDOOHVWQHWZRUNVZKHUHFKDQJHVDUHUHODWLYHO\LQIUHTXHQWUHTXLUHRQJRLQJPDQDJHPHQW

,QIRUPDWLRQ VHFXULW\ LVVXHVWREHFRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKHSROLF\ LQFOXGHWKHIROORZLQJ ,QDSSURSULDWHFRQWURORYHUDFFHVVWRWKHQHWZRUNZLOOWKUHDWHQWKHFRQILGHQWLDOLW\

DQGLQWHJULW\RIGDWD ,QDGHTXDWHFDSDFLW\FDQPDNHHIILFLHQWRSHUDWLRQGLIILFXOWRULPSRVVLEOH 6ORZRULQDGHTXDWHV\VWHPUHVSRQVHWLPHVLPSHGHWKHSURFHVVLQJ

6.3 Accessing Network Remotely

Remote access to the organizations network and resources will only be permitted

providing that authorized users are authenticated, data is encrypted across thenetwork, and privileges are restricted.

5HPRWH DFFHVV LV WUDGLWLRQDOO\ SURYLGHG E\PHDQV RI GLDOXSRU OHDVHGSKRQH OLQHV+RZHYHUWKH9LUWXDO3ULYDWH1HWZRUNSURYLGHVDFFHVVDFURVVSXEOLFQHWZRUNVHJWKH,QWHUQHW

,QIRUPDWLRQ VHFXULW\ LVVXHVWREHFRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKHSROLF\ LQFOXGHWKHIROORZLQJ


32/90


,QDGHTXDWH,QWHUQHW6HFXULW\VDIHJXDUGVFDQDOORZXQDXWKRUL]HGDFFHVVWRWKHQHWZRUNZLWKSRWHQWLDOO\GLVDVWURXVFRQVHTXHQFHV

:HDNGLDOLQVHFXULW\VWDQGDUGVFDQJLYHXQDXWKRUL]HGDFFHVVWRWKHQHWZRUNWKHFRQVHTXHQFHVRIZKLFKFRXOGEHYHU\VHULRXV

6.4 Defending Network Information from Malicious Attack

System hardware, operating and application software, the networks andcommunication systems must all be adequately configured and safeguarded againstboth physical attack and unauthorized network intrusion.

7KH PHDVXUHV VKRXOG EH WDNHQ WR GHIHQG FRPSXWHU KDUGZDUH DJDLQVW SK\VLFDOGDPDJHDQGVRIWZDUHIURPXQDXWKRUL]HGXVDJH,QIRUPDWLRQ VHFXULW\ LVVXHVWREHFRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKHSROLF\ LQFOXGHWKHIROORZLQJ

+DUGZDUH FDQ EH SK\VLFDOO\ GDPDJHG WKURXJK D PDOLFLRXV DFW SHUKDSVQHFHVVLWDWLQJDV\VWHPFORVHGRZQRUGHOD\HGRSHUDWLRQV

8QDXWKRUL]HG DQGLQDSSURSULDWH XVHRI VRIWZDUH FDQOHDG WR PDOLFLRXV DQGRUIUDXGXOHQWDPHQGPHQWRIGDWD

6.5 Recommendations On Network and Configuration Securi ty

'HSDUWPHQWVKRXOGKDYHDQLQYHQWRU\RIGHYLFHVDWWDFKHGWRWKHQHWZRUN 7KHURRPMDFNVVKRXOGEHPDSSHGWRDVZLWFKSRUW 7KHUHVKRXOGEHDSROLF\DVWRKRZQHWZRUNVHUYLFHVDUHDFFHVVHGE\XVHUV

'HSDUWPHQWVKRXOGKDYHQHWZRUNGRFXPHQWDWLRQWRDVVLVWSUREOHPUHVROXWLRQRIDFRPSXWHURUQHWZRUNGHYLFH

'HSDUWPHQWVKRXOGKDYHWKHDELOLW\WRFRQWLQXHWRIXQFWLRQLQWKHHYHQWRIDZLGHDUHDQHWZRUNIDLOXUH

'HSDUWPHQWVKRXOGKDYHDQHWZRUNGLDJUDPWKDWLQFOXGHV,3DGGUHVVHVURRPQXPEHUVDQGUHVSRQVLEOHSDUWLHV

(QGXVHUVVKRXOGEHSUHYHQWHGIURPGRZQORDGLQJDQGRULQVWDOOLQJVRIWZDUH &RQWHQWV RI V\VWHP ORJV VKRXOG EH SURWHFWHG IURP XQDXWKRUL]HG DFFHVV

PRGLILFDWLRQDQGRUGHOHWLRQ &'520$XWRUXQIHDWXUHVKRXOGEHGLVDEOHGRQDOOZRUNVWDWLRQV 7UXVWHGZRUNVWDWLRQVVKRXOGEHVHFXUHGLIXVHGIRURWKHUSXUSRVHV

7UXVWHGZRUNVWDWLRQVVKRXOGEH66/RU931HQDEOHG 7UXVWHGZRUNVWDWLRQVVKRXOGEHUHTXLUHGWRKDYHFRPSOH[SDVVZRUGV 6HFXULW\SUHFDXWLRQVVKRXOGEHWDNHQIRUGLDOLQPRGHPV $GPLQLVWUDWRUDFFRXQWDQGDQ\HTXLYDOHQWDFFRXQWVRQDOOZRUNVWDWLRQVVKRXOG

EHOLPLWHGWRWKHRIILFHWHFKQLFDOVXSSRUWSHUVRQ )LOH VKDULQJ VKRXOG EHSURSHUO\ SHUPLWWHG DQGVHFXUHG RQ DQ\ ZRUNVWDWLRQ LQ

WKHGHSDUWPHQW )LOH VKDULQJ VKRXOG EH XQERXQG IURP 7&3,3 WUDQVSRUW WR SUHYHQW DFFHVV

IURPWKH,QWHUQHWZKLOHOHDYLQJLWERXQGWR1HW%(8,IRUORFDOWUDQVSRUW


33/90


6.6 Recommendation on Host based firewall

6RPHRQHVKRXOGPRQLWRULIDQ\RQHLVDFFHVVLQJFULWLFDOGDWD 7KHUHVKRXOGEHSURFHVVIRUPDQDJLQJLQGLYLGXDOILUHZDOOVRQDOOGHVNWRSV 6HWWLQJVVKRXOGEHSDVVZRUGSURWHFWHG /RJVVKRXOGEHRIWHQUHYLHZHG

7KHUHVKRXOGEHFHQWUDOPRQLWRULQJRIVHWWLQJVDQGORJV


34/90


7 Securi ty Policy For Operating System

&RPSXWHU SURJUDPV WKDW DUH SULPDULO\ RU HQWLUHO\ FRQFHUQHG ZLWK FRQWUROOLQJ WKHFRPSXWHUDQGLWVDVVRFLDWHGKDUGZDUHUDWKHUWKDQZLWKSURFHVVLQJZRUNIRUXVHUVDUHNQRZQDV2SHUDWLQJ6\VWHP&RPSXWHUVFDQRSHUDWHZLWKRXWDSSOLFDWLRQVRIWZDUHEXW

FDQQRWUXQZLWKRXWDQ2SHUDWLQJ6\VWHP

Operating Systems must be regularly monitored and all required housekeepingroutines adhered to.

7KH RSHUDWLQJ V\VWHP RI GHVNWRS V\VWHPV ZLWKLQ GHSDUWPHQWV ZLOO JHQHUDOO\ UXQZLWKRXW VXEVWDQWLDO LQWHUIHUHQFH +RZHYHU IRU VHUYHUV PLQLFRPSXWHUV DQGPDLQIUDPHV HVSHFLDOO\ WKRVH UXQQLQJ PDWXUH 2SHUDWLQJ 6\VWHPV 26 GD\ WR GD\KRXVHNHHSLQJLVXVXDOO\UHTXLUHG

,QIRUPDWLRQ VHFXULW\ LVVXHV WR EH FRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKH SROLF\ LQFOXGH

WKHIROORZLQJ

:KHUH DQ XSJUDGHG RSHUDWLQJ V\VWHP IDLO WR SHUIRUP DV H[SHFWHG WKLV FDQUHVXOWLQDORVVRIVWDELOLW\RUHYHQWKHWRWDOIDLOXUHRIVRPHV\VWHPV

:KHUH KRXVHNHHSLQJ DQG URXWLQH VXSSRUW DUH LQIRUPDO RU LQFLGHQW OHGZHDNQHVVHV LQ WKH VHFXULW\ VDIHJXDUGV FDQ JR XQGHWHFWHG DQG RIIHU WKHSRWHQWLDOIRUIUDXGRUPDOLFLRXVGDPDJH


35/90


8 Securi ty Policy For Software

8.1 Managing Operational Program Libraries:

Only designated staff may access operational program libraries. Amendments mayonly be made using a combination of technical access control and robust proceduresoperated under dual control.

0DQDJLQJ WKH GLUHFWRULHV ZLWKLQ FRPSXWHUV LQ ZKLFK RSHUDWLRQDO OLYH VRIWZDUH LVVWRUHG

,QIRUPDWLRQ VHFXULW\ LVVXHVWREHFRQVLGHUHG ZKHQ LPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ

,IRSHUDWLRQDOSURJUDPOLEUDULHVDUHSRRUO\SURWHFWHGVRIWZDUHDQGFRQILJXUDWLRQILOHV FRXOGEHPRGLILHG ZLWKRXW DXWKRUL]DWLRQUHVXOWLQJ LQGLVUXSWLRQWRV\VWHPDQGRURWKHULQFLGHQWV

8QDXWKRUL]HG XVHRI SURGXFWLRQ VRIWZDUH FDQ FDXVH GLVUXSWLRQ WR V\VWHPVRUIUDXGDJDLQVWWKHGHSDUWPHQW

8.2 Managing Program Source Libraries:

Only designated staff may access program source libraries. Amendments may onlybe made using a combination of technical access control and robust procedures

operated under dual control. Managing the directory areas within the system wherethe source code, object code of live and development systems are held. Live anddevelopment libraries must always be kept separate.,QIRUPDWLRQ VHFXULW\ LVVXHVWREHFRQVLGHUHG ZKHQ LPSOHPHQWLQJ WKHSROLF\ LQFOXGHWKHIROORZLQJ /DFN RI WKH VRXUFH FRGH FDQ PDNH LW GLIILFXOW RU LPSRVVLEOH WR PDLQWDLQ WKH

V\VWHPV 8QDXWKRUL]HGDPHQGPHQWRIVRXUFHFRGHFDQUHVXOW LQV\VWHPIDLOXUHVDQGRU

PDOLFLRXVGDPDJH

8.3 Controlling Program List ing

Program listing must be controlled and kept fully up to date at all time.&RQWUROOLQJLQFOXGHVWDNLQJSULQWRXWVUHSRUWVHOHFWURQLFRUKDUGFRS\RIWKHDSSOLFDWLRQVRXUFHFRGHWKDWPDNHVXSWKHSURJUDPVUXQRQWKHV\VWHPV,QIRUPDWLRQ VHFXULW\ LVVXHV WREH FRQVLGHUHG ZKHQ LPSOHPHQWLQJWKH SROLF\ LQFOXGHWKHIROORZLQJ


36/90


/RVVRUXQDYDLODELOLW\RIDOLVWLQJFDQUHVXOWLQGHOD\VLQLGHQWLI\LQJWKHVRXUFHRIDV\VWHPSUREOHPWKHUHVXOWRIZKLFKFRXOGEHVHYHUH

+DYLQJ D SURJUDP OLVWLQJ DYDLODEOH FDQ EH XVHG E\ DQ\RQH ZLWK LOO LQWHQW RUVHHNLQJ WR GHIUDXG DV LW JLYHV WKHP WKH SUHFLVH ORJLF DQG URXWLQHV IRU WKHV\VWHPLQTXHVWLRQ

8.4 Controll ing Program Source Libraries

Formal change control procedures with comprehensive audit trails are to be used tocontrol program source libraries.0RQLWRULQJDQGLQYHVWLJDWLQJFKDQJHVPDGHWRSURJUDPVRXUFHOLEUDULHV,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ $Q\XQDXWKRUL]HGFKDQJHVPDGHWRWKHSURJUDPVRXUFHOLEUDULHVFDQRSHQWKH

GRRUWRSRWHQWLDOHUURURUIUDXG ,I DXGLW WUDLO UHSRUWV DQG HYHQW ORJV DUH QRW UHJXODUO\ UHYLHZHG LQFLGHQWV FDQ

UHPDLQXQGHWHFWHG

8.5 Controll ing Old Versions of Programs

Formal change control procedures with comprehensive audit trails are to be used tocontrol versions of old programs.&RQWUROOLQJWKHZD\LQZKLFKXVHUKDQGOHWKHDSSOLFDWLRQFRGHRISURJUDPVZLWKLQWKHV\VWHPZKLFKKDVEHHQVXSHUVHGHGRUGLVFRQWLQXHG

,QIRUPDWLRQ6HFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLF\ LQFOXGHWKHIROORZLQJ ,IWKHSURJUDPOLEUDU\KDVEHHQUHPRYHGRUXSGDWHGXVHUPD\QRWEHDEOHWR

DFFHVVRUUHYHUWWRWKHROGHUYHUVLRQRIWKHDSSOLFDWLRQLIQHHGEH7KLVFRXOGFDXVHVHYHUHSUREOHPVZKHUHWKHUHDUHIRXQGWREHPDMRUEXJVLQWKHQHZHUYHUVLRQ

%HZDUH RI ROG YHUVLRQV RI SURJUDPV EHLQJ FRQIXVHG ZLWK WKH ODWHVW YHUVLRQUHVXOWLQJHLWKHULQWKHORVVRIUHFHQWHQKDQFHPHQWRUDIDLOXUHRIRWKHUV\VWHPVZKLFKGHSHQGRQUHFHQWIHDWXUHV

9 Securi ty Policy for cyber crime

Security on the network is to be maintained at the highest level. Those responsiblefor the network and external communications have to receive proper training in riskassessment and how to build secure systems which minimize the threats from cybercrime.

7KHUH LV D YHU\ KLJK ULVN RI H[WHUQDO VHFXULW\ EUHDFKHV ZKHUH QHWZRUN VHFXULW\ LVLQDGHTXDWH


37/90


,QIRUPDWLRQVHFXULW\LVVXHVWREHFRQVLGHUHGZKHQLPSOHPHQWLQJWKHSROLFLHVLQFOXGHWKHIROORZLQJ

&ULPLQDOV PD\ WDUJHW GHSDUWPHQWV LQIRUPDWLRQ V\VWHP UHVXOWLQJ LQ VHULRXVILQDQFLDOORVVDQGGDPDJHWRGHSDUWPHQWVRSHUDWLRQVDQGUHSXWDWLRQ

&\EHUFULPHLVDQHYHULQFUHDVLQJDUHDRIFRQFHUQDQGVXLWDEOHWUDLQLQJLVWREH

JLYHQWRWKRVHSHUVRQVUHVSRQVLEOHIRUQHWZRUNVHFXULW\WRPLQLPL]HVXFKULVNV

9.1 Recommendations On to Web Servers and Email

:HEVHUYHUVKRXOGEHVHWWRRQO\DFFHSWWUDIILFRQSRUW :HEVHUYHUVKRXOGEHVHWWRUHMHFWDWWHPSWVWRUHPRWHO\DGPLQLVWHULW :HEVHUYHUVKRXOGEHVHWWRDXWKHQWLFDWHFHUWDLQXVHUWUDIILF )73VHUYHUVVKRXOGEHVHWWRDXWKHQWLFDWHXVHUV 7UDIILFVKRXOGEHHQFU\SWHGVHFXUHG (PDLOVHUYHUVKRXOGEHVHWWRVFDQPDLODQGDWWDFKPHQWVIRUYLUXVHV

(PDLOVHUYHUVKRXOGEHVHWWRUHMHFWDWWDFKPHQWV (PDLOVHUYHUVKRXOGEHVHW127WRDFWDVDUHOD\ :HEDFFHVVWRHPDLOVKRXOGEHVHFXUHG &OLHQWFRQQHFWLRQVIURPRXWVLGHWKHVXEQHWVKRXOGEHVHFXUHGHQFU\SWHG


38/90


10 Backup Policies

6\VWHPDGPLQLVWUDWRURUWKHQRGDORIILFHUZLOOEHUHVSRQVLEOHIRUGHYHORSLQJDUHJLPHQIRU EDFNLQJ XS WKH V\VWHPV GHSHQGLQJ XSRQ FRQILJXUDWLRQ VRIWZDUH DSSOLFDWLRQVQDWXUH RI GDWD DQG RWKHU IDFWRUV 7KHVH UHJLPHQV PXVW EH GRFXPHQWHG DQG PDGH

DYDLODEOHWRXVHUVIRUUHIHUHQFHV$GPLQLVWUDWRUZLOODOVRHQVXUHWKHVHSURFHGXUHVDUHIROORZHGVWULFWO\DQGLPSOHPHQWHGDVSHUUXOHV'HSDUWPHQWVZLOOHQVXUHWKHLU%DFNXSPHGLDGHYLFHVVXFKDVWDSH'ULYHV&'520DQG )ODVK 'ULYHV HWF IRU QHFHVVDU\ EDFNXS 'HSDUWPHQWV VKRXOG DOVR WU\ WR VHWLQIUDVWUXFWXUH IRU WDNLQJ EDFNXS RYHU WKH QHWZRUN IRU WKHLU 6XE2IILFHV 5HPRWH%DFNXS6HUYLFHVFRXOGDOVREHWDNHQIRUEDFNXSDQGUHFRYHU LPSRUWDQWGDWDXVLQJDVHFXUHDQGWUXVWHGVHUYHURQWKH,QWUDQHW'HSDUWPHQWVVKRXOGPDLQWDLQEDFNXSLQIUDVWUXFWXUHLQFOXGLQJXSJUDGLQJWKHKDUGZDUHDQGVRIWZDUHDVQHHGHG

10.1 Backup Process

The purpose of backup is to protect the files on the disks from catastrophic loss. Thebackup of disk files is performed on a daily basis to protect data from being lost due toa hardware or software malfunction.

3ROLFLHV5HFRPPHQGDWLRQVRQ%DFNXSRI$SSOLFDWLRQVDQG'RFXPHQWV

7KHLQGLYLGXDOXVHULVUHVSRQVLEOHIRUHQVXULQJWKHQHFHVVDU\DQGUHJXODUEDFNXSRI

GRFXPHQWILOHVRIKLVKHURZQFRPSXWHU+HUHDUHVRPHSROLFLHVDQGJXLGHOLQHVWRNHHSLQPLQG

)RU,QGLYLGXDO'HVNWRS

7KH XVHU VKRXOG NHHS RULJLQDO DSSOLFDWLRQ GLVNHWWHV RU &'V IRU VSHFLDOL]HGVRIWZDUHDORQJZLWKOLFHQVLQJLQIRUPDWLRQLQFDVHDQ\RIWKDWVRIWZDUHQHHGVWREHUHLQVWDOOHG

%DFNXSVKRXOGEHWDNHQRQUHPRYDEOHVWRUDJHPHGLDRUGHYLFHVVXFKDV=LSGULYHVIORSS\ 'LVNV&'520)ODVK'ULYHVHWFUHIHUDQQH[XUHIRUGHWDLOVRIWKHVHGHYLFHV$SSURSULDWHEDFNXSVRIWZDUHFDQDOVREHXVHGIRUWDNLQJUHJXODU

EDFNXSV 8VHUV DQGRU WKHLU GHSDUWPHQWV DUH UHVSRQVLEOH IRU SXUFKDVLQJ UHPRYDEOH

PHGLDHJ=LSGLVNVHWF ,Q FDVH RI ORVW RU GDPDJHG V\VWHP ILOHV DQG VWDQGDUG DSSOLFDWLRQV XVHU LV

UHTXLUHGWRFDOO6\VWHPDGPLQLVWUDWRU,71RGDO2IILFHUIRUVROXWLRQ

7RHQVXUHWKHVDIHW\RIWKHLUEDFNXSILOHVXVHUVVKRXOG

.HHS YHU\ LPSRUWDQW EDFNXSXQGHU ORFN DQG NH\ +RZHYHU RQHFRS\ PD\EHNHSWLQDQRWKHUEXLOGLQJLISRVVLEOHIRUUHVWRUDWLRQSXUSRVH


39/90


.HHS GRFXPHQWV LQ DQ DSSURSULDWH IROGHU DQG DVVLJQ VLPLODU QDPHV IRU HDV\EDFNXS

%DFNXSHQWLUH'RFXPHQWVIROGHUWRWKHUHPRYDEOHPHGLDDWOHDVWRQFHDZHHNRUGDLO\LIGRFXPHQWVDUHIUHTXHQWO\FUHDWHGFKDQJHG

0DLQWDLQ DW OHDVW EDFNXS VHWV DOWHUQDWLQJ WKHLU XVH 7KXV LI ODWHVW EDFNXSJRHVEDGWKHUHZLOOVWLOOEHWKHRWKHUEDFNXSRIROGHUYHUVLRQ

7DSHV FDQ EH UHXVHG EXW ZLWK WLPH DV TXDOLW\ RI D WDSH GHJUDGHV SURSHUSUHFDXWLRQVPXVWEHWDNHQ,IDWDSHJRHVEDGPDUNLWDVEDGDQGGLVFDUGLW%HIRUHWKURZLQJWDSHGHVWUR\WKHGLVNVRWKDWVRPHRQHGRHVQWWU\WRXVHLW

)RU1HWZRUN8VHUV8VHUV FRQQHFWHG WR /$1 ZLOO EH DOORFDWHG VWRUDJH DUHD RQ D QHWZRUN VHUYHU 7KLVVWRUDJHDUHDZLOOEHXVXDOO\DVHSDUDWHGULYHDQGPDLQWDLQHGE\V\VWHPDGPLQLVWUDWRURUDSHUVRQQRPLQDWHGDVDQRGDORIILFHUIRUWKDWGHSDUWPHQW7KLVGULYHZLOOFRQWDLQIROGHUVRUGLUHFWRULHVE\ WKHVDPH QDPH RI V\VWHPZKLFK FDQ WKHQ EHDFFHVVHG LQH[SORUHUE\JLYLQJFRUUHFWSDVVZRUG)LOHVFDQEHFRSLHGIURPWKHXVHUVZRUNVWDWLRQWRWKLVIROGHU7KHVHGULYHIROGHUV VKRXOGEHEDFNHGXSWRPDJQHWLFWDSH'$7DQG

WKHWDSHVVKRXOGWKHQIXUWKHUEDFNXSWRDQRIIVLWHVWRUDJHIDFLOLW\SURYLGHGIRUVHFXULW\DQGGLVDVWHUUHFRYHU\ ,W LVVWURQJO\UHFRPPHQGHG WKDW WKHEDFNXS WDSHVVKRXOGEHNHSWLQDIDURIIEXLOGLQJ)LOH%DFNXS7KH 6KDUH GULYH IROGHUV VKRXOG EH EDFNHG XS WR PDJQHWLF WDSH FDUWULGJHV HDFKZHHNGD\QLJKW2IIVLWH6WRUDJH,QRUGHUWRSURYLGHGLVDVWHUUHFRYHU\FDSDELOLW\EDFNXSWDSHVVKRXOGEHEDFNHGXSWRDVHFXUHRIIVLWHVWRUDJHIDFLOLW\

7KHEDFNXSWDSHVVKRXOGEHPDLQWDLQHGLQRIIVLWHVWRUDJHDFFRUGLQJWRWKHIROORZLQJVFKHGXOH :HHNGD\WDSHVVKRXOGEHVWRUHGRIIVLWHIRUWZRZHHNV 0RQWKO\WDSHVVKRXOGEHUHWDLQHGRIIVLWHIRURQH\HDU )LVFDO


40/90


7KHFXUUHQWVWDWXVRIWKHDIIHFWHGGLVNDUHDSDUWLWLRQRUYROXPH ,QGLFDWHWKHGDWHRIWKHODVWNQRZQJRRGYHUVLRQRIWKHILOHWKLVZRXOGKHOSWR

LGHQWLI\WKHVHWRIEDFNXSWDSHVWRXVHLQDWWHPSWLQJWRUHVWRUHWKHILOH ,IHPDLOQHHGVWREHUHVWRUHGLQGLFDWHWKHQDPHRIWKHXVHUVPDLOVHUYHUWKH

8VHUQDPHXVHGWRORJRQWRWKHPDLOVHUYHUDQGWKHGDWHVXEMHFWHWFRIWKHHPDLO

,QWKHFDVHRIPLQRUILOHORVVOLNHDFFLGHQWDOUHPRYDODGGLWLRQDOLQIRUPDWLRQLVQHHGHG

7KHFRPSOHWHILOHQDPHVRIWKHORVWILOHV 7KHWLPHILOHVZHUHODVWPRGLILHGRUFUHDWHG 7KHWLPHILOHVZHUHORVWRUGHVWUR\HG

,I WKH XVHU QHHGV DQ DUFKLYHG WDSH NHSW RIIVLWH LW LV YHU\ LPSRUWDQW WKDW WKH XVHUVKRXOG KDYH WKH IROORZLQJ LQIRUPDWLRQ EHFDXVH RI WKH VLJQLILFDQW FRVW LQYROYHG LQUHWULHYLQJDQGUHVWRULQJWKHP

7KHQDPHRIWKHFRPSXWHUDWWKHWLPHRIWKHEDFNXS 7KHPRQWKVDQG\HDURIWKHEDFNXS

10.3 Recommendations On Backup and Recovery & Disaster Planning

)LOHVVKRXOGEHNHSWRQVLWHLQDVHFXUHORFDWLRQ &ULWLFDOILOHVVKRXOGEHUHJXODUO\EDFNHGXS %DFNXSILOHVVKRXOGEHSHULRGLFDOO\UHVWRUHGDVDWHVWWRYHULI\WKH\DUHXVDEOH 7KHUHPXVWEHD ZULWWHQFRQWLQJHQF\SODQWRSHUIRUPFULWLFDOSURFHVVLQJLQWKH

HYHQWWKDWRQVLWHZRUNVWDWLRQVDUHXQDYDLODEOH 7KHUHVKRXOGEHDSODQWRFRQWLQXHGHSDUWPHQWDOZRUNLQJLQWKHHYHQWZKHQWKH

FHQWUDOV\VWHPVDUHGRZQIRUDQH[WHQGHGSHULRG &RQWLQJHQF\SODQVKRXOGEHSHULRGLFDOO\WHVWHGWRYHULI\WKDWLWFRXOGEHIROORZHG

WRUHVXPHFULWLFDOSURFHVVLQJ &ULWLFDO GDWD VKRXOG EH VWRUHG RQ D GHSDUWPHQW VHUYHU WR SURWHFW IURP

FRPSURPLVH


41/90


11 LAN Security

$V LQGLFDWHG HDUOLHUWKH RIILFHKDV WR KDYHD VHSDUDWH SROLF\IRU VWDQGDORQH3&V LQDGGLWLRQ WR WKH /$1 VHFXULW\ SROLF\ ,Q WKH HYHQW RI D FRQIOLFW WKH QHWZRUN SROLF\

VXSHUVHGHVWKH VWDQGDORQH SROLF\ $OOHPSOR\HHVRIWKHGHSDUWPHQWDUH UHTXLUHG WRUHDGWKLVSROLF\DQGIROORZWKHSURFHGXUHVWKHUHLQ7KLVQHWZRUNSROLF\DGGUHVVHVWKHIROORZLQJVSHFLILFLVVXHV 'RFXPHQWDWLRQRI1HWZRUN$SSOLFDWLRQVDQG6\VWHP6RIWZDUH 'DWDFRQILGHQWLDOLW\LQWHJULW\DQGDYDLODELOLW\RYHUWKHQHWZRUN )UHTXHQF\DQGUHWHQWLRQSHULRGVIRUQHWZRUNEDFNXS $XWKRUL]HGXVHRIQHWZRUNUHVRXUFHV $GKHUHQFHWRVRIWZDUHOLFHQVLQJDJUHHPHQWV 1HWZRUN+DUGZDUHPDLQWHQDQFH

3UREOHPORJJLQJUHSRUWLQJDQGPRQLWRULQJ 8VHUUHVSRQVLELOLWLHVIRUVHFXULW\ZRUNVWDWLRQPDLQWHQDQFHDQGEDFNXSRIGDWD

ILOHV 3UHYHQWLRQDQGGHWHFWLRQRIQHWZRUNYLUXVHV

11.1 Network Organization

7KLV VHFWLRQ FRYHUV NH\ GHILQLWLRQV WKDW DUH XVHG LQ WKLV SROLF\ DQG GHVFULEHV WKHGHSDUWPHQWDOVWUXFWXUHUHODWLQJWR3&VDQG/$1V

(A) Definitions3HUVRQDO &RPSXWHU 3& DOVR FDOOHG 1RGH $ VPDOO FRPSXWHU FRQWDLQLQJ DPRWKHUERDUG ZLWK D &HQWUDO 3URFHVVLQJ 8QLW &38 PHPRU\ FKLSV DVVRFLDWHGVXSSRUWLQJSURFHVVRUVDQGVORWVVRFNHWVRUSOXJVIRUDWWDFKLQJSHULSKHUDOHTXLSPHQWVXFKDVDNH\ERDUGYLGHRPRQLWRUIORSS\GLVNDQGKDUGGLVN3&VPD\EHXVHGDVVWDQGDORQHZRUNVWDWLRQVDVDFOLHQWLQDQHWZRUNRUDVDWHUPLQDOIRUDPLQLFRPSXWHURUPDLQIUDPH1HWZRUN$VHULHVRI3&VFRQQHFWHGLQVRPHW\SHRIWRSRORJ\JHQHUDOO\DVWDUULQJRUEXVXVLQJDVSHFLDOQHWZRUNRSHUDWLQJV\VWHP126WKDWDOORZVWKH3&VWRVKDUH

GDWDDQGUHVRXUFHV/RFDO $UHD 1HWZRUN /$1 $ QHWZRUN WKDW LV VHW XS IRU D GHSDUWPHQW RU OLPLWHGJHRJUDSKLFDUHD $SHHUWRSHHUQHWZRUNVKDUHV UHVRXUFHVZLWK RWKHU 3&V $FOLHQWVHUYHU/$1FDQLQFOXGHPLGUDQJHDQGOHJDF\ILOHVHUYHUVDQGGDWDEDVHVHUYHUV:LGH $UHD 1HWZRUN :$1: $ QHWZRUN WKDW FRQQHFWV VHYHUDO QHWZRUNV LQ GLVWDQWORFDWLRQV 7KH WHUPV QHWZRUN /$1 DQG :$1 DUH V\QRQ\PRXV ZLWK UHJDUG WRDSSOLFDELOLW\RIWKHSROLFLHVGHVFULEHGKHUHLQ


42/90


(B) Job Descriptions1HWZRUNDGPLQLVWUDWRU

7KH GXWLHV RI WKH QHWZRUN DGPLQLVWUDWRU VKDOO LQFOXGH PRQLWRULQJ QHWZRUN HIILFLHQF\UHVSRQVH WLPH XWLOL]DWLRQ RI GLVN VSDFH HWF WURXEOHVKRRWLQJ QHWZRUN SUREOHPV

PRQLWRULQJ HQYLURQPHQWDO FRQGLWLRQV EDFNLQJ XS WKH V\VWHP VKDUHG GDWD ILOHV DQGDSSOLFDWLRQ SURJUDPV RQ WKH ILOH VHUYHU DQG SUHYHQWLQJ DQG GHWHFWLQJ FRPSXWHUYLUXVHV2WKHU GXWLHV LQFOXGH HQVXULQJ WKDW QHWZRUN VHFXULW\ IHDWXUHV LQ WKH 126 DUHLPSOHPHQWHGUHFRPPHQGLQJVRIWZDUHDQGKDUGZDUHDFTXLVLWLRQVQHHGHGWRPDLQWDLQRSHUDWLQJHIILFLHQF\FRQWDFWLQJQHWZRUNPDLQWHQDQFHFRQWUDFWRUVUHJDUGLQJWHFKQLFDOSUREOHPV GHOHWLQJ DQG DGGLQJ XVHUV FRRUGLQDWLQJ WKH LQVWDOODWLRQ RI QHZ QHWZRUNKDUGZDUH DQG VRIWZDUH DQG PDLQWDLQLQJ DQ LQYHQWRU\ RI QHWZRUN KDUGZDUH DQGVRIWZDUH 7KH QHWZRUN DGPLQLVWUDWRU ZLOO UHSRUW VXVSHFWHG VHFXULW\ SUREOHPV WR WKH1RGDO 2IILFHU6\VWHP $GPLQLVWUDWRU,QFKDUJH &RPSXWHU &HQWUH DQG ZLOO FRRUGLQDWHZLWKWKHVHFXULW\RIILFHURQSURGXFLQJVHFXULW\UHSRUWV7KHQHWZRUNVHFXULW\RIILFHUZLOO

DGGUHVVDQ\VHFXULW\FRQFHUQVLGHQWLILHGE\WKHUHSRUW1HWZRUN6HFXULW\2IILFHU

'XWLHV RI WKH QHWZRUN VHFXULW\ RIILFHU LQFOXGH PRQLWRULQJ VHFXULW\ YLRODWLRQV RQ WKHQHWZRUN XQDXWKRUL]HGDQGXQVXFFHVVIXODFFHVVDWWHPSWV SDVVZRUG DGPLQLVWUDWLRQDQGDQ\RWKHUGXW\GHHPHGQHFHVVDU\E\WKH%RDUGRULWVFRPPLWWHHVWRHQKDQFHWKHVHFXULW\RIWKHQHWZRUN'HSDUWPHQWVKRXOGKDYHLWVRZQ1HWZRUN6HFXULW\2IILFHUWRSHUIRUP DERYH GXWLHV KRZHYHU 1HWZRUN 6HFXULW\ 2IILFHU FRXOG EH DUUDQJH IRUPDLQWHQDQFHRI:$1

(C) Compliance with Policy7KH +HDGV RI WKH GHSDUWPHQW DUH UHVSRQVLEOH IRU HQVXULQJ WKDW WKHLU HPSOR\HHVFRPSO\ ZLWK WKH SROLF\ 7KH ,7 0DQDJHU LV UHVSRQVLEOH IRU UHSRUWLQJ WR WKH QHWZRUNDGPLQLVWUDWRUDQ\VXSSRUWQHHGVRUFRQFHUQVH[FHSWVHFXULW\6HFXULW\FRQFHUQVZLOOEHFRPPXQLFDWHGWRWKHQHWZRUNVHFXULW\RIILFHU

11.2 Network Secur ity

7KLV VHFWLRQ GLVFXVVHV WKH W\SHV RI VHFXULW\ DQG VHFXULW\ SROLF\ UHJDUGLQJ DFFHVVFRQWUROSDVVZRUGVDQGGDWDVHFXULW\LQDQHWZRUNHGHQYLURQPHQW

(A) Types of Securi ty7KH2IILFHVQHWZRUNKDVIRXUW\SHVRIVHFXULW\ /RJLQ3DVVZRUGLQLWLDODFFHVV 7UXVWHHGLUHFWRU\OHYHODFFHVV 'LUHFWRU\GLUHFWRU\OHYHODFFHVV )LOHDWWULEXWHVILOHOHYHO


43/90


/RJLQ3DVVZRUG6HFXULW\LVDFWLYDWHGZKHQDXVHUORJVLQWRWKHQHWZRUN7KHVHUYHUUHTXLUHVERWKDUHFRJQL]DEOH XVHU QDPH DQG D SDVVZRUG (DFK XVHU FKRRVHV KLV RU KHU RZQSDVVZRUG ZKLFK LV HQFU\SWHG E\ WKH V\VWHP ,I WKH XVHU IRUJHWV WKH SDVVZRUG WKHQHWZRUNDGPLQLVWUDWRUPXVWDVVLJQDQHZRQH

7UXVWHH$WUXVWHHLV DXVHUZKR KDVEHHQ JLYHQULJKWVWRDGLUHFWRU\DQGWKH ILOHVLW FRQWDLQV7UXVWHH ULJKWV FDQ EH DVVLJQHG WR ERWK LQGLYLGXDOV DQG JURXSV $ WUXVWHH ZLOO QRWDVVLJQGLUHFWRU\RUILOHULJKWVWRDXVHUZKRGRHVQRWKDYHDOHJLWLPDWHQHHGWRXVHWKDWILOHRUGLUHFWRU\7UXVWHHVZLOOHQVXUHWKDWFRQILGHQWLDORIILFHLQIRUPDWLRQWRZKLFKWKH\KDYH DFFHVV LV QRW ZULWWHQWR UHPRYDEOH PHGLD DQG WUDQVSRUWHG RII2IILFH SUHPLVHVXQOHVV DXWKRUL]HG E\ WKH GHSDUWPHQWDO VXSHUYLVRU RU SHUIRUPHG E\ DXWKRUL]HGLQGLYLGXDOVDVSDUWRIEDFNXSDQGHPHUJHQF\UHFRYHU\SURFHGXUHV,QDGGLWLRQUHSRUWVSULQWHGXVLQJWKHGDWDVKRXOGEHGLVWULEXWHGRQO\WRDXWKRUL]HGXVHUV'LUHFWRU\

7KHGLUHFWRU\VHFXULW\GHILQHVDXVHUVULJKWVLQDJLYHQGLUHFWRU\7KHVHULJKWVDUH 6XSHUYLVRUDVVLJQVWKHULJKWVIRUWKHGLUHFWRU\ $FFHVVFRQWUROWUXVWHHDVVLJQPHQWV )LOHVFDQVHDUFK 0RGLI\ILOHQDPHVDQGDWWULEXWHV &UHDWHQHZILOHVRUVXEGLUHFWRULHV (UDVHH[LVWLQJILOHVRUVXEGLUHFWRULHV 5HDGILOHV :ULWHILOHV7KH RZQHU ZLOO QRW DVVLJQ ULJKWV WR XVHUV ZKR GR QRW KDYH D OHJLWLPDWH QHHG RU

DXWKRULW\WRYLHZRUXVHWKHLQIRUPDWLRQ)LOH$WWULEXWHV7KHRZQHURIDILOHKDVWKHULJKWWRVHWWKHIROORZLQJDWWULEXWHV 6KDUHDEOHUHDGRQO\ 6KDUHDEOHUHDGZULWH 1RQVKDUHDEOHUHDGRQO\ 1RQVKDUHDEOHUHDGZULWH +LGGHQILOH 'HOHWHLQKLELW

5HQDPHLQKLELW

$VVLJQPHQWRIWKHVHULJKWVLV GHVLJQHGWRSUHYHQWDFFLGHQWDOFKDQJHVRUGHOHWLRQVWRWKHILOHV7KHRZQHURIDILOHFRQWDLQLQJFRQILGHQWLDOLQIRUPDWLRQZLOOQRWDVVLJQDFFHVVWRDXVHUWKDWGRHVQRWKDYHDOHJLWLPDWHQHHGRUDXWKRULW\WRXVHWKHILOH(B) Network Security Policy7KHREMHFWLYHRIWKH2IILFHVQHWZRUNVHFXULW\SROLF\LVWRSURYLGHDGHTXDWH,7FRQWUROVRYHUWKHQHWZRUN6HFXULW\IHDWXUHVDYDLODEOHRQ WKHQHWZRUNZLOOEHLPSOHPHQWHGDVQHHGHG WR UHVWULFW XVHUV WR WKH UHVRXUFHV DQG ULJKWV QHFHVVDU\ WR SHUIRUP DOO WKH


44/90


GXWLHV RI WKHLU MRE GHVFULSWLRQV DGHTXDWHO\ 7KH QHWZRUN DGPLQLVWUDWRU EDVHG RQ DZULWWHQXVHU VHWXS IRUP IURPWKH GHSDUWPHQWDO VXSHUYLVRU VKRZLQJSDVVZRUGULJKWVDQGQRUPDO ZRUNVFKHGXOHLQLWLDOO\DVVLJQV ULJKWV7KHULJKWVPD\EHH[SDQGHGRQO\ZLWKWKHZULWWHQDSSURYDORIWKHGHSDUWPHQWDOVXSHUYLVRU

$FFHVV&RQWURO

7KHQHWZRUNDGPLQLVWUDWRUZLOOLPSOHPHQWDYDLODEOHVHFXULW\DFFHVVFRQWUROIHDWXUHVRIWKHQHWZRUN7KHVHIHDWXUHVLQFOXGHWKHDELOLW\WRUHVWULFW )LOHVWKDWDXVHUFDQDFFHVV 7LPHSHULRGVWKDWDXVHUFDQORJRQWRWKHQHWZRUN 'D\VRIWKHZHHNWKDWDXVHUFDQORJRQWRWKHQHWZRUN :RUNVWDWLRQVWKDWDXVHUFDQDFFHVV

2QFH LPSOHPHQWHG QHWZRUN DFFHVV VKRXOG EH UHVWULFWHG WR QRUPDO ZRUNLQJ KRXUVZKHQHYHUSRVVLEOH'HSDUWPHQWDOVXSHUYLVRUVFDQJUDQWH[FHSWLRQVEDVHGRQQHHGRUVKLIWFRQVLGHUDWLRQV$GHTXDWHVXSHUYLVLRQDQGUHYLHZRIZRUNDUHUHTXLUHGIRUXVHUV

ZKR KDYH DFFHVVEH\RQGQRUPDO ZRUNLQJ KRXUV*HQHUDOO\XVHUVVKRXOGEH DOORZHGDFFHVVRQO\IURPSUHVSHFLILHGZRUNVWDWLRQVQRGHV3DVVZRUGV7KH QHWZRUN DGPLQLVWUDWRU VHWV XS WKH XVHU DQG WKH XVHU LV UHTXLUHG WR HQWHU DSDVVZRUGRQWKHILUVWORJRQ3DVVZRUGVZLOOEHVHWWRH[SLUHHYHU\QLQHW\GD\V7KHV\VWHPZLOOEHVHWWRSURPSWWKHXVHUIRUDSDVVZRUGFKDQJHDXWRPDWLFDOO\)DLOXUHWRPDNHWKHFKDQJHZLOOFDXVHWKHV\VWHPWRORFNRXWWKHXVHU$OVRUHSHDWHGDWWHPSWVWR ORJ RQ ZLWK DQ LQFRUUHFW SDVVZRUG ZLOO FDXVH WKH LQWUXGHU GHWHFWLRQ ORFNRXW WRDFWLYDWH7KHQHWZRUNVRIWZDUHVKRXOGQRWGLVSOD\WKHSDVVZRUGRQWKHVFUHHQ8VHUVVKRXOGQRWOHWDQ\RQHVHHWKHLUSDVVZRUGDVWKH\DUHNH\LQJLWLQ

8VHUSDVVZRUGV VKRXOG KDYH D PLQLPXP RIVL[ GLJLWV ZLWK D PL[ RI DOSKDEHWLF DQGQXPHULFFKDUDFWHUV8VHUVZLOOQRWXVHSDVVZRUGVWKDWFDQEHHDVLO\JXHVVHGVXFKDVIDPLO\ QDPHV ELUWKGD\V DQG FRPPRQO\ XVHG GHIDXOW SDVVZRUGV VXFK DV WHVWSDVVZRUG RUGHPR 8VHUVDUHQRW UHVWULFWHGE\WHUPLQDO EXW DUH SURKLELWHGIURPORJJLQJRQWRPRUHWKDQRQHWHUPLQDODWDWLPH8VHUVDUHPDLQO\VXEMHFWWRDQLQDFWLYHORJ RII DQG DXWRPDWLF ORJ RII LV QRW DOZD\V DYDLODEOH XVHUV VKRXOG PDQXDOO\ ORJ RIIZKHQQRWXVLQJWKHWHUPLQDOIRUWKDWSHULRGRIWLPHRUORQJHU:KHQDXVHUOHDYHVWKH2IILFHWKHSHUVRQQHOGHSDUWPHQWZLOOQRWLI\WKHQHWZRUNDGPLQLVWUDWRUZKRZLOOGHOHWHWKH XVHUV SDVVZRUG $OVR LID SDVVZRUG LV FRPSURPLVHG WKH XVHU ZLOO FKDQJH WKHSDVVZRUG

'DWD6HFXULW\'DWDVKRXOGEHVDYHGWRWKHDSSURSULDWHGLUHFWRU\QRUPDOO\HLWKHUWKHJURXSGLUHFWRU\RUWKHGHSDUWPHQWDOGLUHFWRU\,QVRPHFDVHVWKHVXSHUYLVRUDXWKRUL]HVWKHXVHRIWKHXVHUV ORFDO GLUHFWRU\ IRUVWRULQJFHUWDLQ W\SHV RI GDWD 2WKHU PHPEHUVRI WKH JURXSDFFHVV LQIRUPDWLRQRQ WKH JURXS GLUHFWRU\ 0HPEHUV RI WKHGHSDUWPHQW FDQDFFHVVGHSDUWPHQWDOGLUHFWRULHV7KHXVHUVORFDOGLUHFWRU\LVRQWKH3&DQGFDQEHDFFHVVHGRQO\E\WKHXVHU


45/90


8VHU5HVSRQVLELOLWLHVIRU'DWD6HFXULW\8VHUV DUH UHVSRQVLEOH IRU EDFNLQJ XS ILOHV RQ WKHLU LQGLYLGXDO 3& KDUG GULYHV DQGGHSDUWPHQWDO VXSHUYLVRUV VKRXOG YHULI\ WKDW XVHUV DUH GRLQJ VR RQ D UHJXODU EDVLV8VHUV DUHDOVR UHVSRQVLEOH IRU WKH VHFXULW\ RI WKHLU LQGLYLGXDOZRUNVWDWLRQV LQFOXGLQJVHFXULW\RI3&EDFNXSGLVNV

8VHUVDUHUHVSRQVLEOHIRUDFFHVVVHFXULW\3DVVZRUGVVKRXOGQRWEH ZULWWHQGRZQRUVHHQE\RWKHUVZKHQWKH\DUHNH\HGLQ2WKHUUHODWHGUHVSRQVLELOLWLHVLQFOXGHQRWLQJDQGUHSRUWLQJPDLQWHQDQFHSUREOHPV VXFKDV GLVNHUURUPHVVDJHVEHIRUHWKH\FDQFDXVH ORVV RI GDWD HQVXULQJ WKDW WKH3&GDWD GLVNV DUHQRWVXEMHFWHGWR H[FHVVLYHKHDWHOHFWULFDOILHOGVGLUWVPRNHIRRG SDUWLFOHVRU VSLOOHGOLTXLGVDQGHQVXULQJWKDWWKH3&KDVDVXUJHSURWHFWRU(C) Monitoring the Network'DWD6FRSH

$ GDWDVFRSHLV D GHYLFHXVHGWR PRQLWRUQHWZRUN WUDIILF ,WVXVHKRZHYHU UHTXLUHV

DGGLWLRQDO VHFXULW\ FRQWUROV WR SUHYHQW DEXVH 1HWZRUN 6HFXULW\ 2IILFHU PD\ KDYHDFFHVVRIGDWDVFRSHWRUHGXFHDQ\PLVKDSSHQLQJ3HUIRUPDQFH0RQLWRULQJ'DWDLQWHJULW\DQGVHFXULW\DUHHQKDQFHGZKHQWKHV\VWHPLVUXQQLQJVPRRWKO\DQGLVDW SHDN SHUIRUPDQFH7KH QHWZRUNDGPLQLVWUDWRU VKRXOGPRQLWRUSHUIRUPDQFHRI WKHV\VWHPXVLQJDYDLODEOHGLDJQRVWLFWRROV2QHRIWKHGXWLHVRIWKHQHWZRUNDGPLQLVWUDWRULVWRWURXEOHVKRRWDQ\SUREOHPVRQWKHQHWZRUNDQGPDLQWDLQLQJSHUIRUPDQFHORJV

(D) Prevention and Detection of Viruses

7KHVFKHGXOHUIRUWKHQHWZRUNVDQWLYLUXVVRIWZDUHZLOOEHVHWWRVFDQPHPRU\DQGDOOILOHVRQWKHQHWZRUNRQDGDLO\EDVLV:DUQLQJPHVVDJHVZLOOEHFDUHIXOO\HYDOXDWHGDQG FRUUHFWLYH DFWLRQ WDNHQ ,I D YLUXV LV GLVFRYHUHG WKH /$1 VHFXULW\ RIILFHU ZLOOLQYHVWLJDWHWKHRULJLQRIWKHYLUXV7KHSROLF\IRUSUHYHQWLQJYLUXVHVZLOOEHHYDOXDWHGWRGHWHUPLQHWKHFDXVHIRUWKHVHFXULW\IDLOXUH7KHVHFXULW\RIILFHUZLOOUHFRPPHQGDFWLRQWRSUHYHQWIXWXUHRFFXUUHQFHV7KH RULJLQ RI PRVW YLUXVHV LV SLUDWHG VRIWZDUH RU VKDUHZDUH RU SXEOLF GRPDLQVRIWZDUH GRZQORDGHG IURP D EXOOHWLQ ERDUG RQOLQH VHUYLFH RU WKH ,QWHUQHW $OOVRIWZDUHZLOOEHVFDQQHGIRUYLUXVHVEHIRUHEHLQJORDGHGRQD3&

7KHQHWZRUNDGPLQLVWUDWRUZLOOSXUFKDVHDQGLQVWDOODQWLYLUXVVRIWZDUHXSGDWHVDVWKH\EHFRPHDYDLODEOH,I WKH RULJLQ RI WKH YLUXV LV GXH WR QHJOLJHQFH RU SROLF\ YLRODWLRQ RQ WKH SDUW RI DQHPSOR\HHWKDWHPSOR\HHZLOOEHVXEMHFWWRDSSURSULDWHGLVFLSOLQDU\DFWLRQZKLFKPD\LQFOXGHWHUPLQDWLRQ

11.3 Network Software

7KLVVHFWLRQGHILQHVSROLFLHVUHJDUGLQJ


46/90


(A)6RIWZDUHOLFHQVLQJYLRODWLRQV(B)$XWKRUL]HGVRIWZDUH(C)3HUVRQDOXVHRI2IILFHVRIWZDUH(D)2ZQHUVKLSRIVRIWZDUH(E)&XVWRPGHYHORSPHQWRIVRIWZDUH(F)6XSSRUWRISXUFKDVHGVRIWZDUH

(A) Software Licensing Violations

$OOVRIWZDUHLQVWDOOHGRQ2IILFH3&VDQGRQWKHQHWZRUNZLOOFRPSO\ZLWKWKHVRIWZDUHVOLFHQVLQJDJUHHPHQW6RIWZDUHOLFHQVHGIRUDVHUYHULVOLPLWHGWRWKHQXPEHURIXVHUVFRYHUHG E\ WKH OLFHQVH $Q RULJLQDO GLVN PXVW H[LVW IRU HDFK VRIWZDUH DSSOLFDWLRQLQVWDOOHGRQDXVHUV3&7KHRQO\H[FHSWLRQLVVRIWZDUHZLWKDVLWHOLFHQVHRUSXEOLFGRPDLQVRIWZDUHRQDQDXWKRUL]HGOLVW,QWKHFDVHRIDXWKRUL]HGVKDUHZDUHSURGXFWVLIWKH 2IILFH XVHV WKH VRIWZDUH EH\RQG WKH WULDO SHULRG WKH DXWKRU ZLOO EH SDLG WKHVXJJHVWHG FRQWULEXWLRQ 6RFDOOHG SLUDWHG VRIWZDUH ZLOO QRW EH LQVWDOOHG RQ 2IILFH3&V

(B) Authorized Software2QO\ VRIWZDUH DXWKRUL]HG E\ WKH 2IILFH PD\ EH LQVWDOOHG RQ D QHWZRUN RU RQ DQLQGLYLGXDO3&8VHUVZLOOQRWLQVWDOOSHUVRQDOVRIWZDUHRQD3&ZLWKRXWWKHDSSURYDORIWKHLU VXSHUYLVRU 1R JDPHV RU HQWHUWDLQPHQW SDFNDJHV ZLOO EH LQVWDOOHG 7KH RZQHUPXVWVKRZSURRIRIRZQHUVKLS$QDQWLYLUXVSURJUDPZLOOEHUXQEHIRUHLQVWDOOLQJDQ\SURJUDPRQD3&7KH2IILFHZLOOGLVFRXUDJHWKHXVHRIRWKHUWKDQVWDQGDUGDXWKRUL]HGVRIWZDUH

(C) Personal Use of Office Software

8VHUVPD\127FRS\2IILFHRZQHGVRIWZDUHIRUWKHLUSHUVRQDOXVHIRUGLVWULEXWLRQWRRWKHUV RU IRU XVH RQ DQRWKHU 2IILFH 3& 2IILFH VRIWZDUH PD\ EH FRSLHG RQO\ IRUOHJLWLPDWHEDFNXSSXUSRVHV

(D) Ownership of Software3& VRIWZDUH GHYHORSHG E\ 2IILFH HPSOR\HHV RQ 2IILFHRZQHG HTXLSPHQW DQG RUGXULQJQRUPDOZRUNLQJKRXUVLVRZQHGE\WKH2IILFH

(E) Support of Purchased Software

7KH RIILFHU LQ FKDUJH XVXDOO\ WKH QHWZRUN DGPLQLVWUDWRU RI WKH GHSDUWPHQW WKDWUHFRPPHQG /$1EDVHG FRPPHUFLDO VRIWZDUH LV UHVSRQVLEOH IRU FRPSOHWLQJ DQGUHWXUQLQJ WKH SURGXFW UHJLVWUDWLRQ IRUPV $ FRS\ RI WKH UHFHLSW DQG SURGXFWLGHQWLILFDWLRQ QXPEHU XVXDOO\ WKH VHULDO QXPEHU VKRXOG EH UHFRUGHG IRU UHIHUHQFHZKHQPDNLQJVXSSRUWFDOOV2IILFHU LQFKDUJH RU ,7PDWWHUVRU 1RGDO 2IILFHU ,7 RIXVHU GHSDUWPHQWV DVPD\EHDXWKRUL]HGE\WKH+2'VKRXOGQRWHIURPWKHER[RUVRIWZDUHOLFHQVHLQIRUPDWLRQWKHVXSSRUW SHULRG H[SLUDWLRQ DQG FRRUGLQDWH ZLWK XVHUV WR HQVXUH WKDW FDOOV DUH PDGHEHIRUHH[SLUDWLRQRIWKHVHUYLFHSHULRG


47/90


)RURWKHUWKDQRIIWKHVKHOI/$1VRIWZDUHWKH2IILFHZLOOREWDLQDZULWWHQDJUHHPHQWGHWDLOLQJ WHUPV RI PDLQWHQDQFH VXSSRUW 7KH FRQWUDFW ZLOO FOHDUO\ GHILQH KDUGZDUHPDLQWHQDQFHVHUYLFHVDQGFRVWV

11.4 Network Hardware

7KLVVHFWLRQZLOOGLVFXVVWKH2IILFHVSROLF\UHJDUGLQJWKHIROORZLQJ(A)8VHUUHVSRQVLELOLWLHVIRUKDUGZDUH(B)+DUGZDUHPDLQWHQDQFH(C),QWHJUDWLRQZLWKRWKHUV\VWHPV(D)0RGHPV

(A) User Responsibili ties for Hardware+DUGZDUH UHIHUV WR WKH SK\VLFDO FRPSRQHQWV RI WKH /$1WKH 3& ZRUNVWDWLRQV

PRQLWRUV SHULSKHUDO HTXLSPHQW URXWHUV PRGHPV HWF 8VHUV DUH UHVSRQVLEOH IRUWDNLQJUHDVRQDEOHFDUHRIWKHV\VWHPDQGUHSRUWLQJWRDVXSHUYLVRUDQ\PDLQWHQDQFHSUREOHPV SDUWLFXODUO\ GLVN HUURUV RU RWKHU SUREOHPV WKDW PLJKW FDXVH ORVV RI GDWD8VHUV PD\ QRW UHPRYH KDUGZDUH IURP WKH 2IILFH RU WUDQVIHU HTXLSPHQW WR RWKHUORFDWLRQVLQWKH2IILFHZLWKRXWVXSHUYLVRU\DSSURYDO 8VHUVVKRXOGDYRLGVXEMHFWLQJ3&VWRH[FHVVLYHYLEUDWLRQRUEXPSV+DUGMROWV

ZKLOHD3&LVUXQQLQJFDQGDPDJHWKHKDUGGLVNGULYH6PRNHKHDWPDJQHWLFILHOGV DQGH[FHVVLYH GXVW FDQDOVR GDPDJH/$1 HTXLSPHQW $OO3&VVKRXOGKDYHDVXUJHSURWHFWRU

8VHUVVKRXOGXVHJRRGMXGJPHQWZKHQHDWLQJRUGULQNLQJLQWKHYLFLQLW\RI3&V

DQG/$1HTXLSPHQW 7KHQHWZRUNDGPLQLVWUDWRUVKRXOGORFDWHWKHVHUYHULQDVHFXUHDUHD

(B) Hardware Maintenance7KH QHWZRUN DGPLQLVWUDWRU PD\ IURP WLPH WR WLPH JHW LQWR DQQXDO PDLQWHQDQFHDJUHHPHQWVIRUVHOHFWHGHTXLSPHQWDVGHHPHGQHFHVVDU\7KHQHWZRUNDGPLQLVWUDWRUZLOOKDYHHPHUJHQF\SKRQHQXPEHUVDQGFRQWUDFWVRXUFHVDYDLODEOHLWLVQHFHVVDU\WRUHSODFHRUUHSDLUFULWLFDOQHWZRUNFRPSRQHQWVTXLFNO\

(C) System Integration

8VHUVFDQXWLOL]H3&VDVWHUPLQDOVFRQQHFWHGWRDPDLQIUDPHDVZHOODVZRUNVWDWLRQVFRQQHFWHGWRDQHWZRUN'DWDPRYHVEDFNDQGIRUWKEHWZHHQWKHQHWZRUNDQGRWKHUV\VWHPVXVLQJWKHRSHQVWDQGDUGSURWRFRO(D) Modems7KH2IILFH XVHVPRGHPVIRU FRPPXQLFDWLRQZLWKVHOHFWHG GHSDUWPHQWV FOLHQWV DQGHPSOR\HHV0RGHPVZLOOEHWXUQHGRIIZKHQQRWLQXVH7KHQHWZRUNDGPLQLVWUDWRUZLOODFWLYDWH DSSOLFDEOHVHFXULW\ IHDWXUHVWKDW DUH DYDLODEOH7KHVHQLRUPDQDJHPHQW ZLOO


48/90


DSSURYH PRGHP FRQWUROV 7KH IROORZLQJ PRGHP FRQWUROV VKRXOG EH LPSOHPHQWHG LISHUPLWWHGE\KDUGZDUHDQGVRIWZDUH /LPLWDWLRQRIWKHDFWLYLWLHVWKDWFDQEHSHUIRUPHG $XWRFDOOEDFNWRLGHQWLI\GLDOLQXVHUV 3DVVZRUGV

8QLTXHRSHUDWRULGHQWLILFDWLRQ $XWRPDWLFORJRIIDIWHUDSUHGHWHUPLQHGQXPEHURIIDLOHGDFFHVVDWWHPSWV

11.5 LAN Backup and Recovery Polic ies

7KHQHWZRUNDGPLQLVWUDWRUZLOOLGHQWLI\FULWLFDODQGRUVHQVLWLYHQHWZRUNGDWDILOHVDQGDSSOLFDWLRQV DQG HQVXUH WKDW WKHVH DUH DGHTXDWHO\ SURWHFWHG DQG EDFNHG XS 7KHQHWZRUN DGPLQLVWUDWRU LV UHVSRQVLEOH IRU EDFNXS DW WKH 2IILFHV GDWD FHQWHU 7KHUHVSRQVLELOLW\IRUEDFNLQJXSDWEUDQFKHVOLHVZLWKWKHDVVLVWDQWQHWZRUNDGPLQLVWUDWRUV

11.6 LAN Purchasing Policy

IT Steering Committee(YHU\GHSDUWPHQWVKRXOGKDYHDQ,7VWHHULQJFRPPLWWHHKHDGHGE\WKH+2',WLVWKHUHVSRQVLELOLW\RIWKH,7VWHHULQJFRPPLWWHHWRGHYHORSORQJWHUPDQGVKRUWWHUPSODQVIRUSXUFKDVLQJ /$1 KDUGZDUHDQGVRIWZDUH7KH FRPPLWWHHKDVWKH UHVSRQVLELOLW\ WRLQLWLDWH UHTXHVWV IRU PDMRU SXUFKDVHV 7KH QHWZRUN DGPLQLVWUDWRU LV UHVSRQVLEOH IRUSXUFKDVLQJWKHDSSURYHGHTXLSPHQWDQGVRIWZDUHDIWHUREVHUYLQJUHTXLUHGIRUPDOLWLHV


49/90


12 Role of System Administrator in Virus Protection

12.1 Computer Viruses: Detection and Removal Methods

(A) $QWL9LUXV3URJUDPV(B) 'HWHFWLRQRIDQ8QNQRZQ9LUXV(C) 3URSK\OD[LVRI&RPSXWHU,QIHFWLRQ(D) 5HFRYHU\RI$IIHFWHG2EMHFWV(A)Anti virus Programs

$QWLYLUXVSURJUDPVDUHWKHPRVWHIIHFWLYHPHDQVRIILJKWLQJYLUXVHV%XWWKHUHDUHQRDQWLYLUXVJXDUDQWHHLQJSHUFHQWSURWHFWLRQVIURPYLUXVHV&RPSUHKHQVLYHVRIWZDUHOLNH1RUWRQ,QWHUQHW6HFXULW\DQG0F$IHH$FWLYH9LUXV'HIHQVH$9'DUHWKHHDVLHVW

ZD\ WR FRPEDW PRVW FRPSXWHU VHFXULW\ WURXEOHV 6XFK VRIWZDUH SURYLGHV HVVHQWLDOSURWHFWLRQ IURP YLUXVHV KDFNHUV DQG RWKHU SULYDF\ WKUHDWV ,W LV QHFHVVDU\ WR SD\DWWHQWLRQWRVRPHWHUPVDVIROORZLQJXVHGLQDQWLYLUXVSURJUDPGLVFXVVLRQ )DOVH 3RVLWLYH ZKHQ DQ XQLQIHFWHG REMHFW ILOH VHFWRU RU V\VWHP PHPRU\

WULJJHUV WKH DQWLYLUXV SURJUDP 7KH RSSRVLWH WHUP )DOVH 1HJDWLYH PHDQVWKDWDQLQIHFWHGREMHFWDUULYHGXQGHWHFWHG

2QGHPDQG6FDQQLQJDYLUXVVFDQVWDUWVXSRQXVHUUHTXHVW,QWKLVPRGHWKHDQWLYLUXVSURJUDPUHPDLQVLQDFWLYHXQWLODXVHULQYRNHVLWIURPDFRPPDQGOLQHEDWFKILOHRUV\VWHPVFKHGXOHU

2QWKHIO\6FDQQLQJ DOOWKHREMHFWV WKDW DUH SURFHVVHGLQ DQ\ ZD\ RSHQHGFORVHGFUHDWHGUHDGIURPRUZULWWHQWRHWFDUHEHLQJFRQVWDQWO\FKHFNHGIRU

YLUXVHV ,Q WKLV PRGH WKHDQWLYLUXVSURJUDPLVDOZD\V DFWLYH ,W LVD PHPRU\UHVLGHQW DQG FKHFNV REMHFWV ZLWKRXW XVHU UHTXHVW

:KLFK$QWL9LUXV3URJUDPLV%HWWHU":KLFKDQWLYLUXVSURJUDPLVWKHEHVW"7KHDQVZHULVDQ\SURJUDPLIQRYLUXVHVOLYHLQWKHFRPSXWHUDQGXVHUXVHVRQO\DUHOLDEOHYLUXVIUHHVRIWZDUHVRXUFHDQGQRRWKHU+RZHYHU LI XVHU OLNHV XVLQJ QHZ VRIWZDUHRUJDPHVDFWLYH HPDLOXVHU OLNHV XVLQJ:RUGRUH[FKDQJLQJ([FHOVSUHDGVKHHWVWKHQRQHVKRXOGXVHVRPHNLQGRIDQWLYLUXVSURWHFWLRQ :KLFK RQH H[DFWO\ VKRXOG EH GHFLGHG RQ KLVKHU RZQ EXW WKHUH DUHVHYHUDO SRLQWV RI FRPSDULVRQ RI GLIIHUHQW DQWLYLUXV SURJUDPV 7KH IROORZLQJ SRLQWV

IURPWKHPRVWWROHDVWLPSRUWDQFHGHWHUPLQHWKHTXDOLW\RIDQWLYLUXVSURJUDPV 5HOLDELOLW\DQGFRQYHQLHQFHRIZRUN 'HWHFWLRQ RI DOO PDMRU NLQGV RI YLUXVHV VFDQQLQJ LQVLGH GRFXPHQW ILOHV

VSUHDGVKHHWV0LFURVRIW:RUG([FHOSDFNHGDQGDUFKLYHGILOHV $ELOLW\WRFXUHLQIHFWHGREMHFWV $YDLODELOLW\ RI WLPHO\XSGDWHVZKLFK LV WKH VSHHGRI WXQLQJD VFDQQHUWR QHZ

YLUXVHV $YDLODELOLW\ RI DQWLYLUXV YHUVLRQV IRU DOO WKH SRSXODU SODWIRUPV :LQGRZV

:LQGRZV171RYHOO1HW:DUH26$OSKD/LQX[HWF


50/90


$YDLODELOLW\ QRW RQO\ RQGHPDQG VFDQQLQJ EXW DOVR VFDQQLQJ RQWKHIO\FDSDELOLWLHV DYDLODELOLW\ RI VHUYHU YHUVLRQV ZLWK SRVVLELOLW\ IRU QHWZRUNDGPLQLVWUDWLRQ

6SHHGRIZRUNDQGRWKHUXVHIXOIHDWXUHVIXQFWLRQVEHOOVDQGZKLVWOHV5HOLDELOLW\ RI DQWLYLUXV SURJUDPV LV WKH PRVW LPSRUWDQW FULWHULRQ EHFDXVH HYHQ WKH

DEVROXWH DQWLYLUXV PD\ EHFRPH XVHOHVV LI LW LV QRW DEOH WR ILQLVK WKH VFDQQLQJSURFHVVDQG KDQJV,W ZLOO OHDYH D SRUWLRQRI WKH GLVNV DQG ILOHV XQFKHFNHGWKHUHE\OHDYLQJ WKH YLUXV LQWKH V\VWHP XQGHWHFWHG 7KH DQWLYLUXV PD\ DOVR EH XVHOHVV LI LWGHPDQGVVRPHVSHFLDONQRZOHGJHIURPDXVHUPRVWXVHUVDUHOLNHO\WRVLPSO\LJQRUHWKHDQWLYLUXVPHVVDJHVDQGSUHVV>2.@RU>&DQFHO@DWUDQGRPGHSHQGLQJRQZKLFKEXWWRQLVFORVHUWRWKHPRXVHFXUVRUDWWKLVWLPH$QGLIWKHDQWLYLUXVDVNVDQRUGLQDU\XVHUFRPSOLFDWHGTXHVWLRQVWRRRIWHQWKHXVHUZLOOPRVWOLNHO\VWRSUXQQLQJVXFKDQDQWLYLUXVDQGHYHQGHOHWHLWIURPWKHGLVN7LSVRQ8VDJHRI$QWL9LUXV3URJUDPV

$OZD\V VHH WKDW WKH ODWHVW DQWLYLUDO VRIWZDUH YHUVLRQ DYDLODEOH ,I VRIWZDUHXSGDWHVDUHDYDLODEOHFKHFNWKHPIRUIUHVKQHVV

,I D YLUXV KDV EHHQ IRXQG RQ WKH FRPSXWHU LW LV LPSHUDWLYH QRW WR SDQLF IRU

WKRVHZKRPHHWYLUXVHVGDLO\DUHPDUNOLNHWKLVPD\VHHPIXQQ\3DQLFNLQJQHYHUGRHVDQ\JRRGWKRXJKWOHVVDFWLRQVPD\UHVXOWLQELWWHUFRQVHTXHQFHV

,IDYLUXVLVIRXQGLQVRPHQHZO\DUULYHGILOHVDQGKDVQRWLQILOWUDWHGWKHV\VWHP

\HW WKHUH LV QR UHDVRQ WR ZRUU\ MXVW NLOO WKH ILOH RU UHPRYH WKH YLUXV ZLWKDQWLYLUXVSURJUDPDQGNHHSRQZRUNLQJ,IYLUXVLVIRXQGLQVHYHUDOILOHVDWRQFHRU LQ WKH ERRW VHFWRU WKH SUREOHP EHFRPHV PRUH VHULRXV EXW VWLOO LW FDQ EH

UHVROYHG ,Q WKHFDVH RIILOHYLUXV GHWHFWLRQ LI WKHFRPSXWHU LV FRQQHFWHG WR D QHWZRUN

GLVFRQQHFWLWIURPWKHQHWZRUNDQGLQIRUPWKHV\VWHPDGPLQLVWUDWRU,IWKHYLUXVKDV QRW \HW LQILOWUDWHG WKH QHWZRUN WKLV ZLOO SURWHFW WKH VHUYHU DQG RWKHUZRUNVWDWLRQVIURPYLUXVDWWDFN

,IWKHYLUXVKDVDOUHDG\LQIHFWHGWKHVHUYHUGLVFRQQHFWLRQIURPWKHQHWZRUNZLOO

QRWVWRS WKH YLUXV IURP LQILOWUDWLQJ LQWR WKHFRPSXWHU DJDLQ DIWHU LWV WUHDWPHQW5HFRQQHFWLRQ WR WKH QHWZRUN PXVW EH GRQH RQO\ DIWHU DOO WKH VHUYHUV DQGZRUNVWDWLRQVKDYHEHHQFXUHG

,IDERRWYLUXVKDVEHHQIRXQGGRQWGLVFRQQHFWWKHFRPSXWHUIURPWKHQHWZRUN

YLUXVHVRIWKLVNLQGGRQRWVSUHDGRYHULWH[FHSWILOHERRWYLUXVHV ,I WKH FRPSXWHU LV LQIHFWHG ZLWK D PDFURYLUXV WKHQ LQVWHDG RI GLVFRQQHFWLQJ

IURP QHWZRUN LW LV HQRXJK WR PDNH VXUH WKDW WKH FRUUHVSRQGLQJ HGLWRU:RUG([FHOLVLQDFWLYHRQDQ\FRPSXWHU

,IDILOHRUERRWYLUXVKDVEHHQGHWHFWHGPDNHVXUHWKDWHLWKHUWKHYLUXVLVQRQUHVLGHQWRUWKHUHVLGHQWSDUWRILWKDVEHHQGLVDUPHGZKHQVWDUWHGVRPHEXWQRWDOODQWLYLUXVHVDXWRPDWLFDOO\GLVDEOHUHVLGHQWYLUXVHVLQPHPRU\5HPRYDO


51/90


RIDYLUXVIURPWKHPHPRU\LVQHFHVVDU\WRVWRSLWVVSUHDGLQJ:KHQVFDQQLQJILOHV DQWLYLUXVHV RSHQ WKHP PDQ\ UHVLGHQW YLUXVHV LQWHUFHSW WKLV HYHQW DQGLQIHFWWKHILOHVEHLQJRSHQHG$VDUHVXOWWKHPDMRULW\LVLQIHFWHGEHFDXVHWKHYLUXVKDVQRWEHHQUHPRYHGIURPPHPRU\\HW7KHVDPHWKLQJPD\KDSSHQLQWKHFDVHRIERRWYLUXVHVDOOWKHGLVNHWWHVEHLQJFKHFNHGPD\EHFRPHLQIHFWHG,I WKH DQWLYLUXV XVHG GRHV QRW UHPRYH YLUXVHV IURP PHPRU\ UHERRW WKH

FRPSXWHUIURPDNQRZQXQLQIHFWHGDQGZHOOZULWWHQSURWHFWHGV\VWHPGLVNHWWH8VHUVKRXOGGRDFROGERRWE\SUHVVLQJ5HVHWRUSRZHURIIRQEHFDXVHVHYHUDOYLUXVHVVXUYLYHDIWHUDZDUPERRW6RPHYLUXVHVDSSO\DWHFKQLTXHDOORZLQJIRUWKHLUVXUYLYDOHYHQDIWHUWKHFROGERRW

:LWK WKH KHOS RI WKH DQWLYLUXV SURJUDP UHVWRUH WKH LQIHFWHG ILOHV DQG FKHFN

WKHP IRU IXQFWLRQDOLW\ $W WKH VDPH WLPH RU EHIRUH WUHDWPHQW EDFNXS WKHLQIHFWHGILOHVDQGSULQWVDYHWKHDQWLYLUXVORJVRPHZKHUH7KLVLVQHFHVVDU\IRUUHVWRULQJILOHVLQFDVHWKHWUHDWPHQWSURYHVWREHXQVXFFHVVIXOGXHWRDQHUURULQ DQWLYLUXVWUHDWPHQW PRGXOH RU EHFDXVH RI DQ LQDELOLW\ RI WKLV DQWLYLUXV WRFXUHWKLVNLQGRIYLUXV,QWKLVFDVHUHVRUWWRWKHVHUYLFHVRIVRPHRWKHUDQWL

YLUXV ,W LV PXFK PRUH UHOLDEOH RI FRXUVH WR VLPSO\ UHVWRUH WKH EDFNHG XS ILOHV LI

DYDLODEOHEXW VWLOO UHVRUW WRDQDQWLYLUXV ZKDW LI DOOWKHFRSLHV RI WKHYLUXVKDYHQWEHHQGHVWUR\HGRUVRPHEDFNHGXSILOHVDUHLQIHFWHGWRR"

,W LV ZRUWK PHQWLRQLQJ WKDW WKH TXDOLW\ RI ILOH UHVWRUDWLRQ E\ PDQ\ DQWLYLUXV

SURJUDPV OHDYHV PXFK WR EH GHVLUHG 0DQ\ SRSXODU DQWL YLUXVHV RIWHQLUUHYHUVLEO\ GDPDJH ILOHV LQVWHDG RI FXULQJ WKHP 7KHUHIRUH LI ILOH ORVVXQGHVLUDEOHH[HFXWHDOOWKHSUHYLRXVUHFRPPHQGDWLRQVFRPSOHWHO\

,Q WKH FDVH RI D ERRW YLUXV LW LV QHFHVVDU\ WR FKHFN DOO WKH GLVNHWWHV WR VHHZKHWKHU WKH\ DUHERRWDEOHLH FRQWDLQ '26 ILOHV RUQRW (YHQ D FRPSOHWHO\EODQNGLVNHWWHPD\EHFRPHDVRXUFHRIYLUDOLQIHFWLRQ LWLVHQRXJKWRIRUJHWLWLQWKHGULYHDQGUHERRWRIFRXUVHLIDGLVNHWWHERRWLVHQDEOHGLQ%,26

&RORQLHV RI YLUXVHV PD\ LQILOWUDWH EDFNXS FRSLHV RI VRIWZDUH WRR 0RUHRYHU

DUFKLYHV DQG EDFNXS FRSLHV DUH WKH PDLQ VRXUFH RI ORQJ NQRZQ YLUXVHV $YLUXV PD\ VLW LQ D GLVWULEXWLRQ FRS\ RI VRPH VRIWZDUH IRU DJHV DQG WKHQVXGGHQO\ DSSHDU DIWHU VRIWZDUH LQVWDOODWLRQ RQ D QHZ FRPSXWHU 1RERG\ FDQJXDUDQWHHUHPRYDORIDOOFRSLHVRIDFRPSXWHUYLUXVEHFDXVHDILOHYLUXVPD\DWWDFNQRWRQO\H[HFXWDEOHVEXWDOVRRYHUOD\PRGXOHVQRWKDYLQJ&20RU(;(

H[WHQVLRQV$ ERRWYLUXVPD\UHPDLQRQ VRPH GLVNHWWHVDQGDSSHDUVXGGHQO\DIWHUDQDWWHPSWWRERRWIURPLW7KHUHIRUHLWLVVHQVLEOHWRXVHVRPHUHVLGHQWDQWLYLUXV VFDQQHU FRQWLQXRXVO\ IRU VRPH WLPH DIWHU YLUXV UHPRYDO QRW WRPHQWLRQWKDWLWVEHWWHUWRDXVHVFDQQHUDWDOOWLPHV

(B) Detection of an Unknown Virus'HWHFWLRQRID7659LUXV '269LUXVHV,IWUDFHVRIYLUXVDFWLYLW\KDYHEHHQIRXQGLQDFRPSXWHUEXWQR

YLVLEOHFKDQJHVLQWKHILOHRU V\VWHP VHFWRUVRI GLVFVFDQEH IRXQG WKHQLW LV


52/90


TXLWHSRVVLEOHWKDWWKHFRPSXWHULVLQIHFWHGE\RQHRIWKH6WHDOWKYLUXVHV,QWKLVFDVHLWLVQHFHVVDU\WRERRWIURP'26XVLQJDYHULILHGYLUXVIUHHGLVNHWWHZLWKDEDFNXSFRS\RIWKH'26DQGGRWKHVDPHDVLQWKHFDVHRIQRQUHVLGHQWYLUDOLQIHFWLRQ +RZHYHU VRPHWLPHV WKLV LV XQGHVLUDEOH DQG LQ D IHZ FDVHV HYHQLPSRVVLEOH IRU H[DPSOH WKHUH LV NQRZQ FDVHV RI WKH SXUFKDVH RI QHZFRPSXWHUV ZKLFK KDYH DOUHDG\ EHHQ LQIHFWHG E\ D YLUXV 7KHQ GHWHFW DQG

QHXWUDOL]H WKH UHVLGHQW SDUW RI WKH YLUXV ZLWK WKH XVH RI 6WHDOWK WHFKQRORJ\7KHUHDUHVHYHUDOZD\VWRORRNLQWRWKHPHPRU\IRUWKHYLUXVRUIRULWVUHVLGHQWSDUWRILQIHFWLQJPHPRU\

:LQGRZV 9LUXVHV 'HWHFWLRQ RI D UHVLGHQW :LQGRZV YLUXV LV DQ H[WUHPHO\

GLIILFXOWWDVN$YLUXVLQWKH:LQGRZVHQYLURQPHQWDVDQDSSOLFDWLRQRUDVD9['GULYHU LV YLUWXDOO\ LQYLVLEOH EHFDXVH RI VHYHUDO PRUH GR]HQV RI DFWLYHDSSOLFDWLRQVDQG9['VQRWXQOLNHWKHYLUXVLQWKHLUH[WHUQDOGLVSOD\7RGHWHFWWKH YLUXV SURJUDPLQDQDFWLYH DSSOLFDWLRQV OLVW RU 9[' OLVW LW LV LPSHUDWLYH WRKDYH H[WHQVLYH NQRZOHGJH RI WKH LQWHUQDOV RI :LQGRZV DQG KDYH FRPSOHWHLQIRUPDWLRQDERXWDSSOLFDWLRQVDQGGULYHUVLQVWDOOHGLQWKLVSDUWLFXODUFRPSXWHU

7KHUHIRUHWKHRQO\VXLWDEOHZD\RIFDWFKLQJDUHVLGHQW:LQGRZVYLUXVLVWRERRWXS'26DQGFKHFNWKH:LQGRZVH[HFXWDEOHILOHVZLWKWKHKHOSRIWKHPHWKRGVGHVFULEHGDERYH

'HWHFWLRQRID%RRW9LUXV

$VDUXOHERRWVHFWRUVRIGLVNVFDUU\VPDOOSURJUDPVZKRVHSXUSRVHLVWRGHWHUPLQHERUGHUVDQGVL]HVRIORJLFDOGLVNVIRU0%50DVWHU%RRW5HFRUGRIKDUGGULYHVRURSHUDWLQJV\VWHPERRWXSIRUERRWVHFWRU,Q WKH EHJLQQLQJ XVHU VKRXOG UHDG WKH FRQWHQWV RI WKH VHFWRU VXVSHFWHG RI YLUXV

SUHVHQFH',6.(',7IURP1RUWRQ8WLOLWLHVRU$9387,/IURP$933URDUHEHVWVXLWHGIRUWKDW6RPHERRWYLUXVHVPD\EHGHWHFWHGDOPRVWLPPHGLDWHO\E\WKHSUHVHQFHRIYDULRXVWH[W VWULQJV IRU H[DPSOH WKH 6WRQHG YLUXV FRQWDLQV WKH VWULQJV


53/90


ILOHV DQG DIWHUZDUGV FRPSDUH LWV FXUUHQW ERRW VHFWRU ZLWK WKH RULJLQDO RQH RQ DQXQLQIHFWHGFRPSXWHU,IWKHERRWFRGHXQGHUZHQWVRPHFKDQJHVWKHQWKHYLUXVKDVEHHQFDXJKW'HWHFWLRQRID)LOH9LUXV

$V DOUHDG\ PHQWLRQHG YLUXVHV DUH GLYLGHG LQWR UHVLGHQW DQG QRQUHVLGHQW5HVLGHQW YLUXVHV IRXQG VRIDU VWRRGRXW IRUWKHLUPXFK JUHDWHU FUDIWLQHVVDQGVRSKLVWLFDWLRQLQFRPSDULVRQZLWKQRQUHVLGHQW7KHUHIRUHZHVKDOOGLVFXVVWKHVLPSOHVWFDVH IRU VWDUWHUV DWWDFN RI DQ XQNQRZQ QRQUHVLGHQW YLUXV 6XFKDYLUXVDFWLYDWHVLWVHOIXSRQVWDUWLQJRI DQ\ LQIHFWHGSURJUDPVGRHVDOOLWKDVWRSDVVHV FRQWURO WR WKH KRVW SURJUDP DQG DIWHUZDUGV XQOLNH UHVLGHQW YLUXVHVGRHV QRW LQWHUIHUH ZLWK LWV ZRUN 7R GHWHFW VXFK D YLUXV LW LV QHFHVVDU\ WRFRPSDUHILOHVL]HRQGLVNVDQGLQEDFNXSFRSLHV,IWKLVGRHVQWKHOSGRDE\WHFRPSDULVRQRIGLVWULEXWLRQFRSLHVZLWKWKHZRUNLQJFRSLHV$WWKHSUHVHQWWKHUHDUHPDQ\VXFKSURJUDPVWKHVLPSOHVWRIWKHP&203XWLOLW\FDQEHIRXQGLQ'26

2QH PD\ DOVR H[DPLQH D KH[ GXPS RI H[HFXWDEOHV ,Q VRPH FDVHV LW LV

SRVVLEOHWRLPPHGLDWHO\GHWHFWYLUDOSUHVHQFHE\VRPHWH[WVWULQJVUHVLGLQJLQLWVFRGH )RU H[DPSOH PDQ\ YLUXVHV FRQWDLQ VWULQJV &20 &20 (;((;(0=&200$1'HWF7KHVHVWULQJVPD\RIWHQEHIRXQGDWWKHWRSRUHQGRIWKHLQIHFWHGILOHV

7KHUHLV\HWRQHPRUHPHWKRGIRUWKHYLVXDOGHWHFWLRQRIDYLUXVLQD'26ILOH,W

LVEDVHGRQWKHIDFWWKDWH[HFXWDEOHVWKHVRXUFHFRGHRIZKLFKZDVLQD KLJKOHYHOSURJUDPPLQJODQJXDJHKDYHDTXLWHGHILQLWHLQVLGHVWUXFWXUH,QWKHFDVHRI %RUODQG RU 0LFURVRIW && SURJUDP WKH FRGH VHJPHQW LV DW WKH YHU\

EHJLQQLQJ RI D ILOH LPPHGLDWHO\ IROORZHG E\ WKH GDWD VHJPHQW FRQWDLQLQJ DFRS\ULJKWQRWLFHZLWKWKHQDPHRIDFRPSLOHUYHQGRUFRPSDQ\DWWKHEHJLQQLQJ,IWKHGDWDVHJPHQWLQWKHGXPSLVIROORZHGE\RQHPRUHFRGHVHJPHQWWKHQLWPLJKWYHU\ZHOOEHWKDWWKHILOHLVLQIHFWHGZLWKDYLUXV7KHVDPHLVWUXHIRUWKHPRVWSDUWRIWKHYLUXVHVZKRVHWDUJHWLV:LQGRZVDQG26ILOHV,QWKHVH26H[HFXWDEOHVKDYHWKHIROORZLQJ VWDQGDUGRUGHURI VHJPHQWV FRGH VHJPHQWVIROORZHG E\ GDWDVHJPHQWV ,ID GDWD VHJPHQW LVIROORZHG E\ RQH PRUH FRGHVHJPHQWLWPD\EHWKHVLJQRIWKHSUHVHQFHRIDYLUXV

7KHDERYHPHWKRGVRIGHWHFWLRQRIILOHDQGERRWYLUXVHVDUHVXLWDEOHIRUPRVWUHVLGHQW

DQGQRQUHVLGHQWYLUXVHV'HWHFWLRQRID0DFUR9LUXV

&KDUDFWHULVWLFIHDWXUHVRIPDFURYLUXVHVDUH :RUGLQDELOLW\WRFRQYHUWDQLQIHFWHG:RUGGRFXPHQWWRDQRWKHUIRUPDW :RUG LQIHFWHGILOHVKDYHWKH7HPSODWH IRUPDWEHFDXVHZKHQLQIHFWLQJ:RUG

YLUXVHVFRQYHUWILOHVIURPWKH:RUG'RFXPHQWIRUPDWWR7HPSODWHIRUPDW :RUGRQO\LQDELOLW\WRVDYHDGRFXPHQWWRDQRWKHUGLUHFWRU\RUGLVNZLWKWKH

6DYH$VFRPPDQG


54/90


([FHO:RUGDOLHQILOHVDUHSUHVHQWLQWKH67$5783GLUHFWRU\ ([FHOYHUVLRQVDQG&RRNERRNVFRQWDLQUHGXQGDQWDQGKLGGHQ6KHHWV7RFKHFNWKHV\VWHPIRUYLUDOSUHVHQFHWKH7RROV0DFURPHQXLWHPFDQEHXVHG,IDOLHQPDFURVKDYHEHHQIRXQGWKH\PD\EHORQJWRDYLUXVEXWWKLVPHWKRGIDLOV LQWKHFDVHRI6WHDOWKYLUXVHVZKLFKGLVDEOHWKLVPHQXLWHPZKLFKLQLWVHOILVVXIILFLHQWWR

FRQVLGHUWKHV\VWHPLQIHFWHG&KDQJHV LQ:RUG ([FHO DQG :LQGRZVV\VWHPFRQILJXUDWLRQILOHV DUHDOVR D VLJQ RISRVVLEOH LQIHFWLRQ 0DQ\ YLUXVHV FKDQJH PHQX LWHPV XQGHU 7RROV2SWLRQV LQ RQHZD\ RU DQRWKHU HQDEOLQJ RU GLVDEOLQJ WKH IROORZLQJ IXQFWLRQV 3URPSW 7R 6DYH1RUPDO 7HPSODWH $OORZ )DVW 6DYH 9LUXV 3URWHFWLRQ 6RPH YLUXVHV VHW ILOHSDVVZRUGV DIWHU LQIHFWLQJ WKHP DQG D ORW RI YLUXVHV FUHDWH QHZ VHFWLRQV DQGRURSWLRQVLQWKH:LQGRZVFRQILJXUDWLRQILOH:,1,1,2IFRXUVHVXFKREYLRXVIDFWVVXFKDVDSSHDULQJPHVVDJHVRUGLDORJXHVZLWKVWUDQJHFRQWHQWVRULQDODQJXDJHRWKHUWKDQWKHGHIDXOWIRU WKLVLQVWDOODWLRQDUHDOVRVLJQVRI

YLUXV(C) Prophylaxis of Computer Infection :KHUHGR9LUXVHVFRPHIURP 7KHPDLQUXOHVRISURWHFWLRQ 7KHSUREOHPRI0DFUR9LUXV3URWHFWLRQ 0DFUR9LUXV3URWHFWLRQ)RU2IILFH;32QH RI WKH PDMRU PHWKRGV RI ILJKWLQJ FRPSXWHU YLUXVHV OLNH LQ PHGLFDO VFLHQFH LVWLPHO\ SURSK\OD[LV RU SUHYHQWLYH PHDVXUHV &RPSXWHU SUHYHQWLYH PHDVXUHV VXJJHVW

IROORZLQJ D VPDOO VHWRI UXOHV DOORZLQJ ORZHULQJ FRQVLGHUDEO\ WKH SRVVLELOLW\ RI YLUXVLQIHFWLRQDQGGDWDORVV7R GHILQH WKH PDLQ UXOHV RI FRPSXWHU K\JLHQH LW LVQHFHVVDU\ WR ILQG RXW WKH PDLQZD\VRIYLUXVLQWUXVLRQLQWRFRPSXWHUDQGFRPSXWHUQHWZRUN:KHUHGR9LUXVHV&RPH)URP

*OREDO$FFHVV1HWZRUNVDQG(PDLO (PDLO&RQIHUHQFHV)LOH6HUYHUV)73DQG%%6 /RFDO$FFHVV1HWZRUNV

3LUDWHG6RIWZDUH *HQHUDO$FFHVV3HUVRQDO&RPSXWHUV 5HSDLU6HUYLFHV

7KH0DLQ5XOHVRI3URWHFWLRQ

5XOH%H YHU\ FDUHIXO ZLWK SURJUDPV DQG GRFXPHQWV RI :RUG([FHO UHFHLYHG IURPJOREDO DFFHVV QHWZRUNV %HIRUH H[HFXWLQJ D ILOH RU RSHQLQJ DGRFXPHQWVSUHDGVKHHWGDWDEDVH EH VXUH WR FKHFN WKHP IRU YLUXVHV 8VH


55/90


FXVWRPL]HGDQWLYLUXVHVWRFKHFNWKHHQWLUHILOHFRPLQJYLDHPDLODQG,QWHUQHWRQWKHIO\

5XOH7RORZHUWKHULVNRILQIHFWLQJILOHVRQWKHVHUYHUQHWZRUNDGPLQLVWUDWRUVKDYHWRPDNH H[WHQVLYH XVH RI VWDQGDUG QHWZRUN VHFXULW\ IHDWXUHV XVHU DFFHVV

UHVWULFWLRQV VHWWLQJ UHDGRQO\ RU HYHQ H[HFXWH RQO\ DWWULEXWHV IRU DOO WKDWH[HFXWDEOHVXQIRUWXQDWHO\WKLVPD\QRWDOZD\VEHSRVVLEOHHWF8VH FXVWRPL]HGDQWLYLUXVHV FKHFNLQJ WKH ILOHV LQXVH RQWKH IO\ ,I IRU VRPHUHDVRQWKLVLVLPSRVVLEOHUXQFRQYHQWLRQDODQWLYLUXVSURJUDPVRQVHUYHUGLVNVUHJXODUO\7KHULVNRIFRPSXWHU QHWZRUN LQIHFWLRQEHFRPHV FRQVLGHUDEO\ ORZHULQFDVHRIXVHRIGLVNOHVVZRUNVWDWLRQV,W LVD JRRGLGHDEHIRUHUXQQLQJVRPHQHZ VRIWZDUH RQ WKH QHWZRUN WR WHVW LW RQ D VWDQGDORQH WULDO FRPSXWHU QRWFRQQHFWHGWRQHWZRUN

5XOH

,W LVEHWWHU WREX\VRIWZDUHGLVWULEXWLRQSDFNDJHVIURPRIILFLDO YHQGRUVLQVWHDG

RIKDYLQJIUHHFRS\IURPRWKHUVRXUFHVRUEX\LQJSLUDWHGFRSLHV7KLVZD\WKHULVN RI LQIHFWLRQ LV FRQVLGHUDEO\ ORZHU DOWKRXJK WKHUH DUH NQRZQ FDVHV RISXUFKDVH RI LQIHFWHG GLVWULEXWLRQ SDFNDJHV $V D FRQVHTXHQFH IURP WKLV UXOHJRHVWKHQHFHVVLW\RINHHSLQJGLVWULEXWLRQFRSLHVRIVRIWZDUHLQFOXGLQJFRSLHVRIRSHUDWLQJV\VWHPDQGSUHIHUDEO\RQZULWHSURWHFWHGGLVNHWWHV$OVRXVHRQO\ZHOOHVWDEOLVKHGVRXUFHRIVRIWZDUHDQGRWKHUILOHVDOWKRXJKWKLVLVQRWDOZD\VKHOSIXOIRUH[DPSOH IRU D ORQJ WLPHRQ WKH 0LFURVRIW :::VHUYHU WKHUH KDVEHHQ D GRFXPHQW LQIHFWHG ZLWK :D]]X PDFUR YLUXV $SSDUHQWO\ WKH RQO\UHOLDEOHVLWHVIURPWKHSRLQWRIYLHZRIYLUXVSURWHFWLRQDUH%%6IWS:::VLWHVRIDQWLYLUXVGHYHORSPHQWFRPSDQLHV

5XOH7U\QRWWR UXQXQFKHFNHGILOHVLQFOXGLQJWKRVHUHFHLYHGYLDFRPSXWHUQHWZRUN8VH RQO\ WKRVH SURJUDPV UHFHLYHG IURP UHOLDEOH VRXUFH %HIRUH UXQQLQJ WKHSURJUDPVEHVXUHWRFKHFNWKHPE\RQHRUVHYHUDODQWLYLUXVSURJUDPV(YHQLIQRQHRIWKHDQWLYLUXVSURJUDPVWULJJHUHGE\WKHILOHGRZQORDGHGIURPD%%6RUQHZVJURXSGRQWKXUU\WRUXQLW:DLWIRUDZHHNLWLVSRVVLEOHWKDWWKLVILOHLVLQIHFWHGZLWKVRPHQHZXQNQRZQYLUXVLQWKDWFDVHVRPHERG\HOVHPLJKWVWHSLQWRLWEHIRUHLQIRUPLQJDERXWLW,W LV DOVR GHVLUDEOH WR KDYH VRPH NLQG RI D UHVLGHQW DQWLYLUXV PRQLWRU ZKHQ

ZRUNLQJ ZLWK VRPH QHZ VRIWZDUH ,I YLUXV LQIHFWV H[HFXWHG SURJUDP VXFK DPRQLWRUZLOOKDYHWRGHWHFWYLUXVDQGSUHYHQWLWIURPVSUHDGLQJ

$OOWKLV OHDGVWRQHFHVVLW\RI OLPLWLQJRID QXPEHURISHUVRQVXVLQJD SDUWLFXODUFRPSXWHU0XOWLXVHUSHUVRQDOFRPSXWHUVDUHJHQHUDOO\PRVWSURQHWRLQIHFWLRQ

5XOH

8VHYDOLGDWLRQDQGGDWDLQWHJULW\FKHFNLQJXWLOLWLHV6XFKXWLOLWLHVOLNHWKHVSHFLDOGDWDEDVHV RI GLVNV V\VWHP DUHDV RU NHHS WKH HQWLUH V\VWHP DUHDV LQGDWDEDVHVDQGILOHLQIRUPDWLRQFKHFNVXPVVL]HVDWWULEXWHVODVWPRGLILFDWLRQGDWHV HWF 3HULRGLFDOO\ FRPSDUH VXFK GDWDEDVH LQIRUPDWLRQ ZLWK DFWXDO KDUG


56/90


GULYHFRQWHQWVEHFDXVH DQ\ LQFRQVLVWHQF\PLJKWEH DVLJQDORISUHVHQFHRI D7URMDQKRUVHRUYLUXV

5XOH

%DFNXSZRUNLQJILOHVSHULRGLFDOO\7KHH[SHQVHVRIEDFNXSVRIDOOVRXUFHFRGHILOHVGDWDEDVHILOHVGRFXPHQWILOHVHWFDUHPXFKORZHUWKDQWKHH[SHQVHVRI

UHVWRULQJWKHVHILOHVLQFDVHRIDYLUXVDWWDFNRUDFRPSXWHUPDOIXQFWLRQ,I GHSDUWPHQW KDYH D VWUHDPHU RU RWKHU PDVV VWRUDJH GHYLFH WKHQ LW PDNHVVHQVHWREDFNXSDOOWKHKDUGGULYHVFRQWHQWV7KHGXW\DQGWKHIDFWWKDWVXFKDEDFNXS FRS\ QHHGV D ORW RI WLPH WREHWKH FUHDWHG LW PDNHVVHQVH WRPDNHVXFKEDFNXSVOHVVRIWHQ

2WKHU5XOHV

,IWKHUHLVQRQHHGWRERRWWKHV\VWHPIURPDIORSS\GULYHHYHU\GD\VHWWKHERRWRUGHU LQ %,26 6HWXS DV &$ 7KLV ZLOO SURWHFW FRPSXWHU IURP ERRW YLUXVHVUHOLDEO\'RQRWUHO\RQWKHEXLOWLQ%,26YLUXVSURWHFWLRQPDQ\YLUXVHVSDVVLWE\ZLWK

WKHKHOSRIGLIIHUHQWWHFKQLTXHV7KHVDPHJRHVIRUDQWLYLUXVSURWHFWLRQZKLFKLVEXLOWLQWR:RUGDQG062IILFH7KLVSURWHFWLRQFDQDOVREHGLVDEOHGE\YLUXVRUE\XVHUEHFDXVHLWPD\EHDQXLVDQFH

7KH3UREOHPRI0DFUR9LUXV3URWHFWLRQ'XH WR WKH IDFW WKDWWKH PDFURYLUXV SUREOHPQRZDGD\V H[FHHGVDOO WKH RWKHUYLUXVUHODWHGSUREOHPVLWLVZRUWKRIDPRUHGHWDLOHGH[SODQDWLRQ7KHUHDUHVHYHUDOWHFKQLTXHVDQGDQXPEHURIEXLOWLQ:RUGDQG062IILFHIXQFWLRQV

DLPHGDWSUHYHQWLRQRIH[HFXWLQJDYLUXV7KHPRVWHIILFLHQWRIWKHPLV:RUGDQG([FHOVWDUWLQJIURPYHUVLRQVDEXLOWLQYLUXVSURWHFWLRQ:KHQRSHQLQJWKHILOHFRQWDLQLQJDQ\ PDFUR WKLV SURWHFWLRQ LQIRUPV DERXW LWV SUHVHQFH DQG VXJJHVWV GLVDEOLQJ WKLVPDFUR$VDUHVXOWWKHPDFURLVQRWRQO\GLVDEOHGEXWDOVRFDQQRWEHVHHQE\PHDQVRI:RUG([FHO6XFKDSURWHFWLRQLVUDWKHUUHOLDEOHEXWDEVROXWHO\XVHOHVVLIXVHUZRUNVZLWKPDFURVRIDQ\NLQGLWGRHVQRWPDNHGLIIHUHQFHEHWZHHQYLUXVPDFURVDQGQRQYLUXVPDFURVD

Nct It Policy

Documents

Transcript of Nct It Policy