IT Security & Audit Policy Page 1 Of 91 - NSIT



Prepared by: Department of IT, Govt. of NCT of Delhi
Prakash Kumar - Special Secretary (IT)
Sajeev Maheshwari - System Analyst

CDAC, Noida
Anuj Kumar Jain - Consultant (BPR)
Rahul Singh - Consultant (IT)
Arun Pruthi - Consultant (IT)
Ashish Goyal - Consultant (IT)
Rahul Goyal - Consultant (IT)

The "IT Security & Audit Policy" document is also available on the site http://it.delhigovt.nic.in
Suggestions and comments are welcome and can be posted at webupdate@hub.nic.in

INDEX

1 INTRODUCTION . 8
1.1 INFORMATION SECURITY . 8
1.2 DATA LOSS PREVENTION . 8
1.3 ABOUT VIRUSES . 10

A. POLICY FOR GENERAL USERS . 12
2 POLICIES FOR GENERAL USERS . 14
2.1 USING FLOPPIES/ CD/ FLASH DRIVES . 14
2.2 PASSWORD . 14
2.3 BACKUP . 14
2.4 PHYSICAL SAFETY OF SYSTEM . 15
2.5 COMPUTER FILES . 15
2.6 GENERAL INSTRUCTIONS . 16

B. POLICY FOR DEPARTMENT . 18
3 DEPARTMENTAL POLICIES . 20

C. POLICY FOR SYSTEM ADMINISTRATOR . 22
4 SECURITY POLICY FOR PURCHASING HARDWARE . 24
5 SECURITY POLICY FOR ACCESS CONTROL
5.1 MANAGING ACCESS CONTROL STANDARDS . 25
5.2 MANAGING USER ACCESS . 25
5.3 SECURING UNATTENDED WORKSTATIONS . 26
5.4 MANAGING NETWORK ACCESS CONTROLS . 26
5.5 CONTROLLING ACCESS TO OPERATING SYSTEM SOFTWARE . 27
5.6 MANAGING PASSWORDS . 27
5.7 SECURING AGAINST UNAUTHORIZED PHYSICAL ACCESS . 28
5.8 RESTRICTING ACCESS . 28
5.9 MONITORING SYSTEM ACCESS AND USE . 29
5.10 GIVING ACCESS TO FILES AND DOCUMENTS . 29
5.11 MANAGING HIGHER RISKS SYSTEM ACCESS . 29
5.12 CONTROLLING REMOTE USER ACCESS . 30
5.13 RECOMMENDATIONS ON ACCOUNTS AND PASSWORDS . 30
6 SECURITY POLICY FOR NETWORKS . 32
6.1 CONFIGURING NETWORKS . 32
6.2 MANAGING THE NETWORK . 32
6.3 ACCESSING NETWORK REMOTELY . 32
6.4 DEFENDING NETWORK INFORMATION FROM MALICIOUS ATTACK . 33
6.5 RECOMMENDATIONS ON NETWORK AND CONFIGURATION SECURITY . 33
6.6 RECOMMENDATION ON HOST BASED FIREWALL . 34
7 SECURITY POLICY FOR OPERATING SYSTEM . 35

8 SECURITY POLICY FOR SOFTWARE . 36
8.1 MANAGING OPERATIONAL PROGRAM LIBRARIES . 36
8.2 MANAGING PROGRAM SOURCE LIBRARIES . 36
8.3 CONTROLLING PROGRAM LISTING . 36
8.4 CONTROLLING PROGRAM SOURCE LIBRARIES . 37
8.5 CONTROLLING OLD VERSIONS OF PROGRAMS . 37
9 SECURITY POLICY FOR CYBER CRIME . 37
9.1 RECOMMENDATIONS ON WEB SERVERS AND EMAIL . 38
10 BACKUP POLICIES . 39
10.1 BACKUP PROCESS . 39
10.2 RESTORATION PROCESS . 40
10.3 RECOMMENDATIONS ON BACKUP AND RECOVERY & DISASTER PLANNING . 41
11 LAN SECURITY . 42
11.1 NETWORK ORGANIZATION . 42
11.2 NETWORK SECURITY . 43
11.3 NETWORK SOFTWARE . 46
11.4 NETWORK HARDWARE . 48
11.5 LAN BACKUP AND RECOVERY POLICIES . 49
11.6 LAN PURCHASING POLICY . 49
12 ROLE OF SYSTEM ADMINISTRATOR IN VIRUS PROTECTION . 50
12.1 COMPUTER VIRUSES: DETECTION AND REMOVAL METHODS . 50
12.2 COMPUTER VIRUS CLASSIFICATION . 60
12.3 RECOMMENDATION FOR ANTIVIRUS SOFTWARE USAGE . 62
13 STAFF AWARENESS AND TRAINING . 63
13.1 STAFF AWARENESS . 63
13.2 TRAINING . 64
14 RECOMMENDATIONS FOR SYSTEM ADMINISTRATOR . 66

D. POLICY FOR DBA . 68
15 SECURITY POLICY FOR DBA . 70
15.1 POLICY ON TRANSFERRING AND EXCHANGING DATA . 70
15.2 POLICY ON MANAGING DATA STORAGE . 71
15.3 POLICY ON MANAGING DATABASES . 71
15.4 POLICY ON PERMITTING EMERGENCY DATA AMENDMENT . 72
15.5 POLICY ON SETTING UP NEW DATABASES . 72
15.6 SECURITY POLICY FOR DATABASE . 72
15.7 GUIDELINES/RECOMMENDATION FOR DBA . 74
15.8 DBA SKILLS . 74

E. AUDIT POLICY . 76
16 INFORMATION SYSTEMS AUDIT POLICY . 78
16.1 INTRODUCTION . 78
16.2 AUDIT POLICY . 78
16.3 QUESTIONNAIRE FOR AUDIT . 80

F. ANNEXURE . 84


1 Introduction

1.1 Information Security

Information Security Policies are the cornerstone of information security effectiveness. The Security Policy is intended to define what is expected from an organization with respect to security of Information Systems. The overall objective is to control or guide human behavior in an attempt to reduce the risk to information assets by accidental or deliberate actions.

Information security policies underpin the security and well-being of information resources. They are the foundation, the bottom line, of information security within an organization.

We all practice elements of data security. At home, for example, we make sure that deeds and insurance documents are kept safely so that they are available when we need them. All office information deserves to be treated in the same way. In an office, having the right information at the right time can make the difference between success and failure. Data Security will help the user to control and secure information from inadvertent or malicious changes and deletions or unauthorized disclosure. There are three aspects of data security:

Confidentiality: Protecting information from unauthorized disclosure, for example to the press, through improper disposal techniques, or to those who are not entitled to have it.

Integrity: Protecting information from unauthorized modification, and ensuring that information, such as a beneficiary list, can be relied upon and is accurate and complete.

Availability: Ensuring information is available when it is required.

Data can be held in many different areas, some of these are:
- Network Servers
- Personal Computers and Workstations
- Laptop and Handheld PCs
- Removable Storage Media (Floppy Disks, CD-ROMs, Zip Disks, Flash Drives etc.)
- Data Backup Media (Tapes and Optical Disks)

1.2 Data Loss Prevention

Leading Causes of Data Loss:
- Natural Disasters
- Viruses
- Human Errors
- Software Malfunction
- Hardware & System Malfunction

Computers are more relied upon now than ever, or more to the point the data that is contained on them. In nearly every instance the system itself can be easily repaired or replaced, but the data once lost may not be retrievable. That is why regular system backups and the implementation of some preventative measures are always stressed.

Natural Disasters

While the least likely cause of data loss, a natural disaster can have a devastating effect on the physical drive. In instances of severe housing damage, such as scored platters from fire, water immersion due to flood, or broken or crushed platters, the drive may become unrecoverable.

The best way to prevent data loss from a natural disaster is an off-site backup. Since it is nearly impossible to predict the arrival of such an event, there should be more than one copy of the system backup kept, one onsite and one off-site. The type of backup media will depend on the system, the software, and the required backup frequency. Also be sure to check backups to be certain that they have completed properly.

Viruses

Viral infection increases at a rate of nearly 200-300 new Trojans, exploits and viruses every month. There are approximately 65135 "wild" or risk-posing viruses (source SARC dated Sep 1, 2003). With those numbers growing every day, systems are at an ever-increasing risk of becoming infected with a virus.

There are several ways to protect against a viral threat:
- Install a firewall on the system to prevent hackers' access to the user's data.
- Install an anti-virus program on the system, use it regularly for scanning, and remove the virus if the system has been infected. Many viruses will lie dormant or perform many minor alterations that can cumulatively disrupt system operation. Be sure to check for updates for the anti-virus program on a regular basis.
- Back up, and be sure to test backups for infection as well. There is no use restoring a virus-infected backup.
- Beware of any email containing an attachment. If it comes from an anonymous sender, or you don't know where it has come from or what it is, then don't open it; just delete it and block the sender for future mail.

Human Errors

Even in today's era of highly trained, certified, and computer-literate staffing there is always room for accidents. There are a few things that might be followed:
- Be aware. It sounds simple enough to say, but not so easy to perform. When transferring data, be sure it is going to the intended destination. If asked "Would you like to replace the existing file", make sure before clicking "yes".
- In case of uncertainty about a task, make sure there is a copy of the data to restore from.
- Take extra care when using any software that may manipulate drive data storage, such as partition mergers, format changes, or even disk checkers.
- Before upgrading to a new Operating System, take a backup of the most important files or directories in case there is a problem during the installation. Keep in mind that a slaved data drive can also be formatted as well.
- Never shut the system down while programs are running. The open files will, more likely, become truncated and n
