Security is McBride Financial Services' number one priority. During the requirements meeting, Hugh McBride stated his top five concerns. They are:

1. Security of McBride's Website – The first step to securing McBride's website is a dedicated IP address for the company's website. If McBride chooses to host its website with a provider such as Yahoo or MSN, we must request a Private Key and a Certificate Signing Request. The Private Key must be kept safe, and the Certificate Signing Request is required by the Certificate Authority during the registration process. Once the Certificate Authority has confirmed Hugh McBride's identity, it will provide a CRT file. McBride must then provide the KEY and CRT files to the web host for installation of the SSL certificate. The recommended companies for the SSL certificate are Thawte, GeoTrust, SecureBusinessServices.com and RapidSSL.com.

2. Customer Information Security at all locations – I recommend eEye Digital's Retina software coupled with the eEye Security Management Appliance 1505. Retina's Network Security Scanner Appliance integrates a security management appliance with prioritized policy management, patch management and vulnerability management. Network Vulnerability Assessment identifies network vulnerabilities, application vulnerabilities and zero-day threats. Network Discovery and Patch Assessment discovers all devices, operating systems, applications, patch levels and policy configurations. Finally, the All-In-One Enterprise Security Management option couples everything needed, pre-installed, pre-configured and pre-tuned, for centralized vulnerability and patch management plus security incident management.

3. Secure Employee VPN – A VPN is based on the idea of tunneling, which involves establishing and maintaining a logical network connection. Over this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between the VPN client and the server, and finally de-encapsulated on the receiving side. While inside the VPN service, your IP address is anonymous: the service hides your IP address behind its secured servers.

4. Secure Wi-Fi – Regardless of which wireless router you choose, a few simple steps must be taken. First, change all default passwords and the Service Set Identifier (SSID). Filter wireless connections by MAC address, so that only listed addresses may connect. Finally, disable SSID broadcasting. To protect your wired internal network from threats coming over the wireless network, create a wireless DMZ or perimeter network that is isolated from the LAN; that means placing a firewall between the wireless network and the LAN. You can then require that any wireless client authenticate with a remote access server and/or use a VPN before it can access resources on the internal network. This provides an extra layer of protection. The typical 802.11b WAP transmits up to about 300 feet. A directional antenna transmits the signal in a particular direction, instead of in a circle like the omni-directional antenna that usually comes built into the WAP. Thus, through antenna selection you can control both the signal range and its direction to help protect against outsiders. In addition, some WAPs allow you to adjust signal strength and direction in their settings. Transmit on a different frequency: one way to "hide" from hackers who use the more common 802.11b/g wireless technology is to go with 802.11a instead. Since it operates on a different frequency (the 5 GHz range, as opposed to the 2.4 GHz range in which b/g operate), NICs made for the more common wireless technologies will not pick up its signals. Sure, this is a type of "security through obscurity", but it is perfectly valid when used in conjunction with other security measures. After all, security through obscurity is exactly what we advocate when we tell people not to let others know their social security numbers and other identification information.

5. Remote Administrators – Remote administrators can use the same VPN to access the network and correct issues with files or user-caused problems.
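The key and CSR step in concern 1, as an added shell example that is not part of the original paper or of any vendor's procedure: it generates the private key with owner-only permissions, builds the CSR the Certificate Authority needs, and checks, before anything is handed to the web host, that the CSR verifies, that the key is still mode 600, and that the key matches both the CSR and the CRT the CA returns. The hostname, subject fields and output directory are placeholders (assumptions), and the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example, not from the original paper: key + CSR generation and the
# checks to run before handing the KEY and CRT files to the web host.
# Hostname, subject fields and paths are placeholders (assumptions).

# make_csr_bundle <hostname> <outdir>
# Creates <outdir>/<hostname>.key (owner-readable only) and <outdir>/<hostname>.csr.
make_csr_bundle() {
    host="$1"
    outdir="$2"
    mkdir -p "$outdir" || return 1
    # umask 077 inside a subshell so the key file is created as mode 600
    # without affecting the rest of the script.
    (umask 077 && openssl genrsa -out "$outdir/$host.key" 2048 >/dev/null 2>&1) || return 1
    # The CSR carries the public key and the subject the CA will validate.
    openssl req -new -key "$outdir/$host.key" -out "$outdir/$host.csr" \
        -subj "/C=US/O=Example Org/CN=$host" >/dev/null 2>&1 || return 1
}

# file_mode <path>: octal permission bits, portable across GNU and BSD stat.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# pubkey_digest <openssl command...>: MD5 of the PEM public key printed by
# the given command, so key, CSR and certificate can be compared.
pubkey_digest() {
    "$@" 2>/dev/null | openssl md5 | awk '{print $NF}'
}

# check_csr_bundle <hostname> <outdir>: returns 0 only if the CSR verifies,
# the key is mode 600 and the key and CSR share the same public key.
check_csr_bundle() {
    host="$1"
    outdir="$2"
    key="$outdir/$host.key"
    csr="$outdir/$host.csr"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || { echo "CSR does not verify" >&2; return 1; }
    [ "$(file_mode "$key")" = "600" ] || { echo "key must be mode 600" >&2; return 1; }
    k=$(pubkey_digest openssl pkey -in "$key" -pubout)
    c=$(pubkey_digest openssl req -in "$csr" -pubkey -noout)
    [ "$k" = "$c" ] || { echo "key/CSR public key mismatch" >&2; return 1; }
}

# cert_matches_key <crtfile> <keyfile>: the CRT the CA returns must carry the
# same public key as the private key; run this before uploading the pair.
cert_matches_key() {
    c=$(pubkey_digest openssl x509 -in "$1" -pubkey -noout)
    k=$(pubkey_digest openssl pkey -in "$2" -pubout)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Demo when run directly: sh this.sh --demo www.example.com ./out
if [ "${1:-}" = "--demo" ]; then
    make_csr_bundle "$2" "$3" && check_csr_bundle "$2" "$3" && echo "CSR ready: $3/$2.csr"
fi
```

The private key never leaves the directory it was created in; only the CSR goes to the CA, and only the KEY and CRT pair that passes `cert_matches_key` goes to the web host.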
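The Wi-Fi steps under concern 4, as an added shell example that is not from the original paper: a hostapd access-point configuration that applies the non-default SSID, hidden SSID, MAC allow-list and 5 GHz (802.11a) settings; a check that rejects a configuration still carrying a vendor-default SSID or missing one of those lines; and the iptables rules for the wireless DMZ firewall, which let wireless clients reach only the VPN gateway. Interface names, the SSID, the MAC addresses, the gateway address and the WPA2 lines (which the steps above do not mention but which are the baseline on any current access point) are assumptions. As the text itself says, the SSID and MAC controls are obscurity measures and stand only alongside the firewall and VPN.

```shell
#!/bin/sh
# Added example, not from the original paper: hostapd config, a hardening
# check, and the wireless-DMZ firewall rules. Interface names, SSID, MAC
# addresses and the VPN gateway address are placeholders (assumptions).

# write_ap_config <outfile> <ssid> <mac-allowlist-file> <wpa-passphrase>
write_ap_config() {
    out="$1"; ssid="$2"; maclist="$3"; pass="$4"
    cat > "$out" <<EOF
interface=wlan0
driver=nl80211
# Step 1: a non-default SSID (the admin password is changed on the router
# itself, outside this file).
ssid=$ssid
# 802.11a on the 5 GHz band; b/g-only NICs will not see this network.
hw_mode=a
channel=36
# Step 3: do not broadcast the SSID in beacons.
ignore_broadcast_ssid=1
# Step 2: only stations listed in the allow-list may associate.
macaddr_acl=1
accept_mac_file=$maclist
# Assumed baseline beyond the listed steps: WPA2-PSK with AES (CCMP).
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=$pass
EOF
}

# check_ap_config <file>: fail if a well-known default SSID is still set,
# any hardening line is missing, or the MAC allow-list is empty.
check_ap_config() {
    f="$1"
    ssid=$(sed -n 's/^ssid=//p' "$f")
    case "$ssid" in
        ""|linksys|default|NETGEAR|dlink) echo "default SSID '$ssid' in $f" >&2; return 1 ;;
    esac
    for want in ignore_broadcast_ssid=1 macaddr_acl=1 hw_mode=a wpa=2 rsn_pairwise=CCMP; do
        grep -qx "$want" "$f" || { echo "missing $want in $f" >&2; return 1; }
    done
    acl=$(sed -n 's/^accept_mac_file=//p' "$f")
    [ -s "$acl" ] || { echo "empty MAC allow-list: $acl" >&2; return 1; }
}

# wlan_dmz_rules <wlan-if> <lan-if> <vpn-gateway-ip>: print the iptables
# rules for the firewall between the wireless segment and the LAN. Wireless
# clients may reach only the VPN gateway (IKE, NAT-T, ESP); everything else
# toward the LAN is dropped, so internal access requires the VPN.
wlan_dmz_rules() {
    wl="$1"; lan="$2"; gw="$3"
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $wl -o $lan -d $gw -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -i $wl -o $lan -d $gw -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -i $wl -o $lan -d $gw -p esp -j ACCEPT
iptables -A FORWARD -i $lan -o $wl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wl -o $lan -j DROP
EOF
}
```

Run `check_ap_config` against the file before starting hostapd, and apply the printed rules on the firewall that sits between the wireless segment and the LAN; the final DROP is what turns the wireless segment into a perimeter network rather than an extension of the LAN.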
Corporation User Policy

Computer Use and Internet Policy

Important disclaimer: The policy available on this page is only an example and is furnished merely as an illustration of its category. It is not meant to be taken and used without consultation with a licensed employment law attorney. If you are in need of a policy for a particular situation, you should keep in mind that any sample policy such as the one available below would need to be reviewed, and possibly modified, by an employment law attorney in order to fit your situation and to comply with the laws of your state. Downloading, printing, or reproducing any of these policies in any manner constitutes your agreement that you understand this disclaimer and that you will not use the policy for your company or individual situation without first having it approved and, if necessary, modified by an employment law attorney of your choice.

USE OF COMPANY COMPUTERS AND INTERNET ACCESS

The use of XYZ Company (Company) automation systems, including computers, fax machines, and all forms of Internet/Intranet access, is for company business and is to be used for authorized purposes only. Brief and occasional personal use of the electronic mail system or the Internet is acceptable as long as it is not excessive or inappropriate, occurs during personal time (lunch or other breaks), and does not result in expense to the Company. Use is defined as "excessive" if it interferes with normal job functions, responsiveness, or the ability to perform daily job activities. Company automation systems are Company resources and are provided as business communications tools. Electronic communication "should not be used to solicit or sell products, distract coworkers, or disrupt the workplace." (See the XYZ Company Human Resources Handbook "Standards of Conduct"). Use of Company computers, networks, and Internet access is a privilege granted by management and may be revoked at any time for inappropriate conduct including, but not limited to:

• Sending chain letters;
• Engaging in private or personal business activities;
• Misrepresenting oneself or the Company;
• Engaging in unlawful or malicious activities;
• Using abusive, profane, threatening, racist, sexist, or otherwise objectionable language in either public or private messages;
• Sending, receiving, or accessing pornographic materials;
• Becoming involved in partisan politics;
• Causing congestion, disruption, disablement, alteration, or impairment of Company networks or systems;
• Infringing in any way on the copyrights or trademark rights of others;
• Using recreational games; and/or
• Defeating or attempting to defeat security restrictions on company systems and applications.
Using Company automation systems to create, view, transmit, or receive racist, sexist, threatening, or otherwise objectionable or illegal material is strictly prohibited. "Material" is defined as any visual, textual, or auditory entity. Such material violates the Company anti-harassment policies and is subject to disciplinary action. The Company's electronic mail system must not be used to violate the laws and regulations of the United States or any other nation or any state, city, province, or other local jurisdiction in any way. Use of company resources for illegal activity can lead to disciplinary action, up to and including dismissal and criminal prosecution. Unless specifically granted in this policy, any non-business use of the Company's automation systems is expressly forbidden. If you violate these policies, you could be subject to disciplinary action up to and including dismissal.

Ownership and Access of Electronic Mail and Computer Files

The Company owns the rights to all data and files in any computer, network, or other information system used in the Company. The Company reserves the right to monitor computer and e-mail usage, both as it occurs and in the form of account histories and their content. The Company has the right to inspect any and all files stored in any areas of the network or on any types of computer storage media in order to assure compliance with this policy and state and federal laws. The Company will comply with reasonable requests from law enforcement and regulatory agencies for logs, diaries, archives, or files on individual computer and e-mail activities. The Company also reserves the right to monitor electronic mail messages and their content. Employees must be aware that the electronic mail messages sent and received using Company equipment are not private and are subject to viewing, downloading, inspection, release, and archiving by Company officials at all times. No employee may access another employee's computer, computer files, or electronic mail messages without prior authorization from either the employee or an appropriate Company official. The Company has licensed the use of certain commercial software application programs for business purposes. Third parties retain the ownership and distribution rights to such software. No employee may create, use, or distribute copies of such software that are not in compliance with the license agreements for the software. Violation of this policy can lead to disciplinary action, up to and including dismissal.

Confidentiality of Electronic Mail

As noted above, electronic mail is subject at all times to monitoring, and the release of specific information is subject to applicable state and federal laws and Company rules, policies, and procedures on confidentiality. Existing rules, policies, and procedures governing the sharing of confidential information also apply to the sharing of information via commercial software. Since there is the possibility that any message could be shared with or without your permission or knowledge, the best rule to follow in the use of electronic mail for non-work-related information is to decide if you would post the information on the office bulletin board with your signature. It is a violation of Company policy for any employee, including system administrators and supervisors, to access electronic mail and computer systems files to satisfy curiosity about the affairs of others. Employees found to have engaged in such activities will be subject to disciplinary action.

Message Tone for Electronic Mail

Users are expected to communicate with courtesy and restraint with both internal and external recipients. Electronic mail should reflect the professionalism of the Company and should not include language that could be construed as profane, discriminatory, obscene, sexually harassing, threatening, or retaliatory. It is recommended that using all capital letters, shorthand, idioms, unfamiliar acronyms, and slang be avoided when using electronic mail. These types of messages are difficult to read.

Electronic Mail Tampering

Electronic mail messages received should not be altered without the sender's permission; nor should electronic mail be altered and forwarded to another user and/or unauthorized attachments be placed on another's electronic mail message.

Policy Statement for Internet/Intranet Browser(s)

This policy applies to all uses of the Internet, but does not supersede any state or federal laws or company policies regarding confidentiality, information dissemination, or standards of conduct. The use of Company automation systems is for business purposes only. Brief and occasional personal use is acceptable as long as it is not excessive or inappropriate, occurs during personal time (lunch or other breaks), and does not result in expense to the Company. Use is defined as "excessive" if it interferes with normal job functions, responsiveness, or the ability to perform daily job activities. Examples of inappropriate use are defined in "Inappropriate Use of the Internet/Intranet". Managers determine the appropriateness of the use and whether such use is excessive. The Internet is to be used to further the Company's mission, to provide effective service of the highest quality to the Company's customers and staff, and to support other direct job-related purposes. Supervisors should work with employees to determine the appropriateness of using the Internet for professional activities and career development. The various modes of Internet/Intranet access are Company resources and are provided as business tools to employees who may use them for research, professional development, and work-related communications. Limited personal use of Internet resources is a special exception to the general prohibition against the personal use of computer equipment and software. Employees are individually liable for any and all damages incurred as a result of violating company security policy, copyright, and licensing agreements. All Company policies and procedures apply to employees' conduct on the Internet, especially, but not exclusively, relating to: intellectual property, confidentiality, company information dissemination, standards of conduct, misuse of company resources, anti-harassment, and information and data security. Violation of these policies and/or state and federal laws can lead to disciplinary action, up to and including dismissal and possible criminal prosecution.

Inappropriate Use of the Internet/Intranet

Use of Company computer, network, or Internet resources to access, view, transmit, archive, or distribute racist, sexist, threatening, or otherwise objectionable or illegal material is strictly prohibited. "Material" is defined as any visual, textual, or auditory item, file, page, graphic, or other entity. Such material violates the Company's anti-harassment policies and is subject to company disciplinary action. No employee may use the Company's Internet/Intranet facilities to deliberately propagate any virus, worm, Trojan horse, trap-door program code, or other code or file designed to disrupt, disable, impair, or otherwise harm either the Company's networks or systems or those of any other individual or entity. The Company's Internet/Intranet facilities and computing resources must not be used to violate the laws and regulations of the United States or any other nation or any state, city, province, or other local jurisdiction in any way. Use of Company resources for illegal activity can lead to disciplinary action, up to and including dismissal and criminal prosecution.

Internet/Intranet Security

The Company owns the rights to all data and files in any information system used in the Company. Internet use is not confidential and no rights to privacy exist. The Company reserves the right to monitor Internet/Intranet usage, both as it occurs and in the form of account histories and their content. The Company has the right to inspect any and all files stored in private areas of the network or on any types of computer storage media in order to assure compliance with this policy and state and federal laws. The Company will comply with reasonable requests from law enforcement and regulatory agencies for logs, diaries, archives, or files on individual Internet activities. Existing rules, policies, and procedures governing the sharing of work-related or other confidential information also apply to the sharing of information via the Internet/Intranet. Please refer to the appropriate program handbook [Name of Handbook], the Confidentiality Guidelines, and the Company rules regarding the release of confidential information. The Company has taken the necessary actions to assure the safety and security of our network. Any employee who attempts to disable, defeat, or circumvent Company security measures is subject to disciplinary action, up to and including dismissal.
Virtual Private Network (VPN) Policy

1.0 Purpose

The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the corporate network.

2.0 Scope

This policy applies to all employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties utilizing VPNs to access the network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.

3.0 Policy

Approved employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:

1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to internal networks.
2. VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel: all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by network operational groups.
6. All computers connected to internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from 's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not -owned equipment must configure the equipment to comply with 's VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of 's network, and as such are subject to the same rules and regulations that apply to -owned equipment, i.e., their machines must be configured to comply with InfoSec's Security Policies.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Resources:

http://www.eeye.com/html/products/remappliance/
http://www.eeye.com/html/assets/pdf/ApplianceMatrix.pdf
http://articles.techrepublic.com.com/5100-10878_11-5876956.html
http://articles.techrepublic.com.com/5100-10878_11-1047941.html
http://techrepublic.com.com/5100-6350_11-5807148.html