Information Security Best Practices: 205 Basic Rules

Appendix B: Sample Security Policy

Purpose

The purpose of establishing this information security policy for CORPORATION X is to protect corporate information and computer assets while allowing: 1) e-mail communication, 2) information transfer, and 3) access to the corporate website and web-based e-commerce server between customers, corporate affiliates, and corporate users. Also, it defines policies for protecting data within the corporation and addresses the confidentiality, data integrity, availability, accountability, and responsibility issues that each employee must be aware of and comply with while working for this corporation.

Threats

  1. Virus introduced by e-mail, web browsing, corporate website access, floppy, CD, tape, or ftp downloads.

  2. Denial-of-service attacks from the Internet against corporate servers.

  3. Unauthorized login to computers using learned or cracked usernames and passwords for the purpose of reading, deleting, removing, or inserting data not approved by the responsible party of the computer resource.

  4. Unauthorized network access to server and workstation computers for the purpose of reading, deleting, removing, or inserting data not approved by the responsible party of the computer resource.

  5. Unauthorized physical access to corporate servers that may result in inadvertent or malicious shutoff, damage, or login access to the server.

  6. Unauthorized access to data by a user because of lack of file protection.

  7. Loss of data assurance (i.e., receipt of data without traceability) of confidential corporate data during network transfer.

  8. Loss of data integrity (i.e., data tampered with during transmission) of confidential corporate data during network transfer.

  9. Theft of disks and tapes.

  10. Unauthorized tampering with network resources that can lead to...