Friday, December 17, 2010

POLICY EXAMPLES

A few excerpts from various organizations’ security policies:

Access control...
“Security procedures must be implemented to prevent unauthorized access to
computers, network resources and data. Only employees of [Company] and
contractors who have been briefed on the acceptable use policy of [Company] will be
given access to the network. Managers shall decide the level of access for each
employee. Final permission to access the network will be the responsibility of the
Security Committee. Individuals will be issued a unique username. When an
employee terminates employment, Personnel will notify the Security Committee and
IT, and steps will be taken to disable that user’s accounts and access to internal and
external networks. Account logon and logoff information will be recorded for
security audits.”

Warning notice...
“The following notice will be displayed to all users when they access [Company]
computer systems: ‘Warning: Only [Company] authorized users are allowed to
use this system. Access by anyone else is unauthorized and prohibited by law.
Monitoring for purposes of administration and security may take place, to which you
consent by proceeding.’”

Password management...
“Passwords will have a minimum of six alphanumeric characters. No common words
or phrases are acceptable. Passwords should be difficult for others to guess.
Administrators will test for weak passwords. Passwords must be kept private. Do not
share them or write them down. Passwords must be changed every 90 days. After
three failed logon attempts, account access will not be permitted, and automatic
notification will be sent to the system administrator. Highly sensitive systems will
generate an alarm after excessive violations. Sessions will be suspended after twenty
minutes of inactivity.”

Strong authentication...
“Approved products will be used to gain remote access to the network, as well as to
highly sensitive systems. Keep strong authentication devices safe. Do not store them
with the computer to which they enable access. Report it immediately to the Security
Committee if an authentication device is lost or stolen, and administrators will
disable the device. The device’s associated Personal Identification Number (PIN) or
password must be kept private. Do not share it or write it down.”

Digital signatures and certificates...
“Only use Digital Certificates from [Company] approved Certificate Authorities. Use
digital certificates to identify both the user and the server, and in conjunction with
SSL. Protect stored certificates and keys with strong authentication.”

Data encryption for data at rest and in transit...
“Encryption must be used to secure data stored in non-secure locations or
transmitted over open networks, including the Internet. Encryption must be used to
secure at all times any data classified ‘highly sensitive.’ [Company] approved
encryption services and products must be used, with a minimum key length of
128-bits recommended for highly sensitive data. Note — the use of any algorithm or
device must also comply with the laws of the country in which that data encryption
will be used, and may necessitate a shorter key length.”

Encryption keys...
“The keys to be used for encryption must be generated by means that are not easily
reproducible by outside parties. Only [Company] approved hardware or software
random number generators will be used, to ensure security and interoperability.
Encryption keys will be treated as highly sensitive data with restricted access.
Encryption keys that must be transmitted, as in symmetrical or secret key systems,
must be transmitted by secure means: use of public key-exchange algorithms,
double-wrapped internal mail, double-wrapped courier mail. Encryption keys must be
changed at the same frequency as the passwords used to access information. All
encryption keys must be made available to management via [Company] approved
key recovery implementations.”
