Hello and welcome to IT Security Policy Training on Cybrary.
This is part of Module 2, the acceptable use policy,
being taught by myself, Troy Lemaire.
Learning objectives for this module
are general use and ownership of systems,
security and proprietary information of systems, and the unacceptable use of systems inside of an organization.
If we look at the acceptable use policy,
this is a SANS template, which allows you to look at the information in it and modify it for your needs within your organization.
In the first section, the overview,
it speaks about the intent of publishing an acceptable use policy. It's not imposing restrictions,
but to establish a culture of openness, trust and integrity.
It lists Internet, intranet and extranet related systems and other types of
systems that are used, or software being used, such as the operating system, storage media,
email and FTP.
Modify these things as needed for your organization.
It states that the systems are to be used for business purposes in serving the interests of the company
and our clients and customers in the course of normal operations.
It states that effective security is a team effort involving the participation and support of every employee and affiliate who deals with information and/or information systems.
It is the responsibility of every computer user to know the guidelines and conduct activities accordingly.
The purpose of the policy is to outline acceptable use of computer equipment.
These rules are in place to protect employees and the company. Inappropriate use exposes the company to risk, including viruses, compromise of network systems and legal issues.
The scope of the policy applies to use of information, electronic and computing devices, and network resources to conduct business or interact with internal networks and business systems owned or leased by the company.
Policy applies to employees, contractors, consultants, temporaries and other workers.
Modify this section if you don't have any contractors, consultants or temporary workers. You want to make the policy fit the way that your organization works.
We look at the body of the policy itself: the general use and ownership. Proprietary information is stored on electronic and computing devices owned or leased by the company, and you must ensure through legal or technical means that the proprietary information is protected in accordance with the data protection standard.
You have a responsibility to promptly report the theft, loss or unauthorized disclosure of proprietary information,
and you may access, use or share the information only to the extent that it's authorized and necessary to fulfill your job duties.
Employees are responsible for exercising good judgment regarding the reasonableness of personal use.
Individual departments are responsible for creating guidelines concerning personal use.
In the absence of such policies, employees should be guided by departmental policies on personal use.
And if there's any uncertainty, employees should consult their supervisors or managers.
For security and network maintenance purposes, authorized individuals may monitor equipment,
and also the company reserves the right to audit any network or systems on a periodic basis to ensure compliance.
We look at security and proprietary information. All mobile computing devices that connect to the network must comply with the minimum access policy.
System level and user level passwords must comply with the password policy, which we will cover more in this Cybrary training.
All devices must be secured with a password-protected screen saver with automatic activation set to 10 minutes or less. If in your organization you use a 15-minute lockout, which is
one of the more common time frames, you can modify this policy for that.
Postings by employees from a company email address to any type of newsgroups or any type of message boards would need to contain a disclaimer stating that it's the opinion of themselves and not of the company.
And you must use extreme caution when opening email attachments received from unknown senders, because they can contain malware or viruses or other things.
Now we get into the unacceptable use portion of this policy. This portion is something that you might need to modify based on the needs of your organization whenever it comes to specific things inside of it. If, for example, you say we do not allow YouTube, because YouTube eats up a lot of bandwidth and can affect the network
and the Internet usage of employees, that might want to be spelled out to where you will put
videos, or if it's Netflix, it will be streaming media, something to that effect, so that you can specifically state those things within the policy and it's known that that is unacceptable use of a system.
It says that under no circumstances should employees
engage in any activity that's illegal,
and the listing below is not exhaustive, but it is an attempt to provide some type of framework of activities that are unacceptable.
System and network activities: violations of the rights of any person,
unauthorized copying of copyrighted material.
accessing data or an account for any purpose other than conducting normal business,
exporting of software, technical information, encryption software or technology,
introduction of malicious programs into the network or the server
Revealing your account password to others or allowing others to use your account,
using a company computing device to actively engage in procuring or transmitting material that is in violation of sexual harassment and hostile workplace laws.
Making fraudulent offers of products, items or services from the company.
Making statements about warranties, expressed or implied, unless it is part of your normal job duties.
Effecting security breaches or disruptions of networking.
It lists out the types of security breaches that you have: accessing the data which is not
for the intended recipient, or logging into a server or account that the employee is not expressly authorized to access.
Looking at port scanning or security scanning of any type, executing any form of network monitoring that will intercept data that is not part of your job role.
Circumventing user authentication or security,
introducing honeypots,
interfering with or denying service to the user,
using any program, scripts or commands, or sending messages with intent to interfere with or disable a user's
session or their communication on the network.
Providing information about or lists of company employees to parties outside of the company.
We look into the email and communication activities:
anything that includes sending of unsolicited email messages such as junk mail, any type of harassment,
unauthorized use of email headers,
solicitation of email for any other email address other than that of the poster's account, with the intent to harass or collect replies.
Any type of chain letter or Ponzi schemes are forbidden,
use of unsolicited email originating from the company, on behalf of the company, to advertise any service hosted by the company or connected with the company's network,
sending the same or similar non-business-related messages to a large number of Usenet newsgroups.
Now we get into the blogging and social media portion. This is the part that you will definitely need to look at on an annual basis because social media changes so quickly now.
But basically what it is trying to say is that blogging by employees needs to be known that it is not the opinion of the employees and that it doesn't violate any of the company's policies.
Any type of confidential information about the company posted to any type of blogging site.
And shall not engage in blogging that may harm or tarnish the image or reputation of the company,
or attribute any type of personal statements or opinions onto the company.
Apart from following all laws on handling and disclosure of copyrighted or export-controlled materials, such as the company's trademarks or logos, anything like that would not be used with any type of blogging activity.
If we look at the compliance of it, this is where you will definitely need to work with your HR department, especially in regards to the social media things, to make sure that whatever their policies are fit in line with your policies.
But the InfoSec team is gonna verify compliance through various methods,
such as business tool reports, audits and feedback.
Exceptions to the policy must be approved ahead of time by the InfoSec team, and then any employee found to have violated this policy may be subject to disciplinary action up to and including termination of employment. And again, this is gonna be something that is handled by the HR department, so you would want to definitely work with them.
So, in summary, in today's brief lecture, we discussed
general use and ownership, security and proprietary information, and unacceptable use.
Acceptable use recap question: employees are responsible for exercising good judgment regarding personal use.
What are individual departments responsible for?
And that would be: individual departments are responsible for creating guidelines concerning personal use of Internet, intranet and extranet systems.
Another policy recap question: employees must use extreme caution when opening email attachments received from whom?
That would be unknown senders, which could provide some type of malicious software inside of that email.
Looking forward, in the next lecture we'll start looking at encryption and the decryption policy.
If you have any questions or clarification,
as always, you can reach me on Cybrary message. My user name is at Troy Lemaire, and thank you for attending this Cybrary training.