IT policies and procedures are intended to keep companies, their employees, and their customers safe. Your organization should have a written acceptable use policy and best practices included in the employee training manual and/or on-boarding documentation.
Depending on your organization’s industry and the type of data you work with, there may be additional policies that you need to implement. Additional security controls may be required to comply with HIPAA, FISMA, GLBA and other regulatory mandates, as well as with CTPAT, PCI DSS and other industry-specific security frameworks.
Organizations and the individuals within them have unique needs, therefore policies should not be absolute. Implement a review process for policy exception requests. The objective should be to balance usability and user satisfaction while maintaining an acceptable level of security based on risk.
Create a statement defining what disciplinary actions will be taken with employees who violate security policies. Policies should be enforced if you wish to have them taken seriously.
Below you will find our own set of recommended policies, which are partially derived from NIST (National Institute of Standards and Technology) guidance. We ask all of our clients to abide by them in order to maintain an adequate level of cyber safety.
Cyber Security Policies and Best Practices
Behavior Analysis/DLP/File Auditing
In organizations that store personal health records, personally identifiable information and/or intellectual property, file auditing and DLP should be implemented to prevent sensitive information from leaving the network perimeter via unauthorized channels such as email, file uploads or copy/paste to portable media.
Data Loss Prevention (DLP) is a security measure that is designed to prevent the unauthorized access, use, or disclosure of sensitive or confidential data. DLP systems monitor data flows within an organization and use a set of rules or policies to identify and prevent the unauthorized access or transmission of sensitive data. DLP systems can be implemented at various points within an organization’s network, such as at the perimeter, on servers, or on endpoint devices, and can be configured to detect and prevent the transmission of sensitive data through various channels, such as email, web, or file transfer.
File auditing and DLP are important tools for protecting data within an organization and helping to ensure that sensitive information is not accessed or disclosed without authorization.
When users request access control list (ACL) changes (changes in permissions or access) from our help desk, the request must be approved by the company’s designated authorized contact. We will make no access control changes based on user requests without proper authorization. Organizations should assign a knowledgeable and trustworthy person as the authorized point of contact (POC) who will responsibly approve or deny ACL changes.
When a POC requests access to data (such as e-mails, databases or folders) belonging to an employee who is higher in rank, the request must be approved by the organization’s ownership or directorship. Any owner or director who requests access to another owner or director’s data will require that party’s agreement.
Ensure that contractors who have access to an organization’s network resources or physical assets follow the same security protocols as organizational personnel. Contractor accounts should be subject to the same approval, password, remote access and device rules described in this document, and should be disabled when the engagement ends. This helps to ensure that sensitive data and systems are not compromised by unauthorized access or activity through a third party.
Make use of good password policies. Passwords should be at least 12 characters long (preferably phrases) and easy to memorize but hard to guess. They should not contain information that can be extrapolated from social media or from casual conversation, such as family and pet names, birth dates, schools attended or hobbies.
Disallow keeping passwords on sticky notes or stored unprotected on PCs (for example in documents or spreadsheets). Do not allow saving/storing passwords within browsers. If passwords must be written down, keep them in a combination safe or locked drawer. A secure, organization-approved password manager may also be used. Do not share passwords with anybody, not even IT or help desk staff. If a technician resets your password and tells you the new one, change it immediately afterwards.
Do not reuse the same password, or numerical variations of it, across multiple services. Do not transmit passwords by email, text or smartphone apps (even if encrypted). A good strategy for memorizing secure passwords is to combine words (and optionally numbers) into a phrase, separated by special characters. For example: Chocolate=My.Favorite.Ice.Cream. Passwords used for work devices should be unique; do not use the same passwords, or variations of them, that you use for social media, public email, etc.
Portable Media Policies
Using portable media can be risky because it is often easy to lose track of these devices, and they can be used to transfer data to and from untrusted devices, which can be a conduit for malware. In order to reduce these risks, it is often a good idea to block the use of portable media unless it is specifically required for business purposes. Contact our help desk for assistance with transferring files securely without having to use portable media devices. We have a variety of tools that are available for securely transferring files.
Data Classification Policies
Data classification involves grouping data into different categories based on its sensitivity and the level of protection it requires. This can include things like personally identifiable information (PII), protected health information (PHI), and intellectual property (IP).
One key aspect of data classification is specifying which channels are approved for transferring different types of files, and with whom these files can be shared. By establishing clear rules for the exchange of sensitive files, organizations can help to ensure that sensitive data is not shared outside of approved channels or with unauthorized users.
To achieve this, organizations should define which channels are approved for transferring different types of files, and specify which users are authorized to access these files. These rules should be included in the organization’s acceptable use policy, and should be enforced using tools such as data loss prevention (DLP) systems.
By following these practices, organizations can help to ensure that sensitive data is protected and that it is only shared with authorized users through approved channels. This can help to reduce the risk of data breaches and protect the organization’s sensitive information.
Management & Administration
Administrative access to IT infrastructure is solely a function of Falcon IT Services and our staff. We research, test and scan all unknown programs prior to installation and ensure their integrity by obtaining them from the proper download sources. No other personnel should have administrative access to any devices, including the ability to install programs and make configuration changes to their PCs or other devices.
Equipment Purchasing Policy
Commercial grade hardware products are designed for use in more demanding business environments and are typically more secure, durable and reliable than consumer grade products. These products may be more expensive than consumer grade products, but they are often worth the investment because they are less likely to fail or experience downtime. Please contact us for purchasing assistance before procuring equipment or if you wish to have a list of recommended commercial grade products.
Duty to not Deliberately Waste Resources
Employees must not deliberately perform acts that waste computer resources or unfairly monopolize resources to the exclusion of others. These acts include, but are not limited to, sending mass mailings or chain letters, spending excessive amounts of time on the Internet, playing games, engaging in online chat groups, printing multiple copies of documents, or otherwise creating unnecessary network traffic.
Because audio, video and picture files require significant resources, they may not be transferred, copied or downloaded using business resources unless they are for business-related purposes. Internet surfing should be limited to work related Web sites.
Please do not contact the help desk over matters not related to solving business productivity issues. This includes assistance in troubleshooting non-business PCs, personal e-mail addresses or personal smart devices.
It is recommended that organizations configure a Windows logon message that users must acknowledge before they log in to their computers. Use a generic message such as the one shown below, or contact your legal team if you have specific requirements.
*** NOTICE ***
This device is a private computer system owned by COMPANY NAME and is intended solely for official company use by authorized personnel. Unauthorized access or use of this system may subject violators to criminal, civil and/or administrative penalties. By logging in to this computer you agree to abide by both the COMPANY NAME acceptable use policy, as well as the best practices and baseline security policies outlined in the support section of www.falconitservices.com. COMPANY NAME reserves the right to monitor all activity on all company provided equipment and services.
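The notice above is applied on a Windows machine through two registry values (the same ones the Group Policy settings "Interactive logon: Message title for users attempting to log on" and "Interactive logon: Message text for users attempting to log on" write). The script below is an added example, not part of the original policy text; the variable `$Company` is a placeholder for the organization’s name, and the script assumes it is run from an elevated PowerShell session on the target computer.

```powershell
# Added example: configure the Windows interactive logon banner so the notice
# appears before the credential prompt. Run as an administrator.
$Company = 'COMPANY NAME'   # placeholder: replace with the organization's name
$Policy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$Caption = 'NOTICE'
$Text    = "This device is a private computer system owned by $Company and is intended solely " +
           "for official company use by authorized personnel. Unauthorized access or use of this " +
           "system may subject violators to criminal, civil and/or administrative penalties. By " +
           "logging in to this computer you agree to abide by both the $Company acceptable use " +
           "policy, as well as the best practices and baseline security policies outlined in the " +
           "support section of www.falconitservices.com. $Company reserves the right to monitor " +
           "all activity on all company provided equipment and services."

# Both values are REG_SZ; -Force overwrites an existing value.
New-ItemProperty -Path $Policy -Name LegalNoticeCaption -PropertyType String -Value $Caption -Force | Out-Null
New-ItemProperty -Path $Policy -Name LegalNoticeText    -PropertyType String -Value $Text    -Force | Out-Null

# Verify: the banner is only displayed when both values are present and non-empty.
$Set = Get-ItemProperty -Path $Policy
if ([string]::IsNullOrWhiteSpace($Set.LegalNoticeCaption) -or
    [string]::IsNullOrWhiteSpace($Set.LegalNoticeText)) {
    Write-Warning 'Logon banner is not fully configured.'
} else {
    Write-Host "Logon banner configured: '$($Set.LegalNoticeCaption)' will be shown at the next logon."
}
```

In a domain, set the same two policy items once in a Group Policy Object (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options) rather than editing each computer’s registry; either way the banner takes effect at the next logon.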
File Storage & Transfer Policies
Define what channels are approved for storing and transferring files and disallow the transfer of files outside the specified secure channels.
Email Attachment Blocking Policy
File attachments that may carry malicious code (executables, scripts, compressed archives that can conceal them, macro-enabled Office documents, etc.) should be blocked at the email gateway.
Personal Email Policy
Personal email access should be blocked in order to prevent employees from using public email as a means of circumventing security policies or to conduct official business.
Disallow the installation and use of unsanctioned remote access tools. Provision remote access over an encrypted VPN tunnel protected by multi-factor authentication. If public cloud remote control software is used, it should be centrally managed and secured by the organization, and all freeware or end-user-managed remote access programs should be blocked.
Cyber Training: Have all your new hires take our cyber crime awareness training and require existing staff to attend the course at least once per year. We track attendees via a database and can certify attendees for organizations that have insurance, regulatory or organizational requirements. Attendees who complete the course also receive a certificate of completion and gift.
Security awareness training is a type of training that is designed to educate employees about the importance of cybersecurity and how to protect their organization’s data and systems from threats such as malware, phishing attacks, and other cyber threats.
Security awareness training typically covers topics such as:
- Types of cyber threats: Employees are educated about the different types of cyber threats that they may encounter, including malware, phishing attacks, and other threats.
- Best practices for security: Employees are taught best practices for security, such as using strong passwords, avoiding suspicious links or attachments, and reporting any suspicious activity.
- Company policies: Employees are made aware of the organization’s security policies and procedures, and are taught how to follow these policies to help protect the company’s data and systems.
- Reporting procedures: Employees are taught how to report any security incidents or suspicious activity to the appropriate authorities within the organization.
Overall, security awareness training helps to educate employees about the importance of cybersecurity and how to protect the organization’s data and systems from threats. This can help to reduce the risk of security breaches and improve the overall security posture of the organization.
Create policies for users who use BYOD (bring your own device) devices or smartphones to conduct company business.
Here are some examples of smartphone corporate policies:
- Use of corporate-owned devices whenever possible: Employees should be required to use corporate-owned devices for work purposes if possible, and be made aware of the caveats of BYOD. For example: When employees use their personal devices for work purposes, the organization’s data may be stored on devices that are not under the control of the organization. This can potentially expose sensitive data to unauthorized access or theft. If the device is subpoenaed for discovery, the user’s personal information will be at risk of being viewed and the organization may be at risk of legal action as a result.
- Device security: Employees should be required to enable security features such as passwords or biometric authentication on their devices, and may be prohibited from rooting or jailbreaking their devices.
- Data protection: Employees may be required to take steps to protect the data on their devices, such as encrypting sensitive data or installing security software.
- Internet usage: Employees may be required to follow internet usage policies, such as only accessing approved websites or avoiding the download of unauthorized software.
- Device usage: Employees may be required to follow usage policies, such as not using their devices while driving or only using them for work purposes during work hours.
- Device loss or theft: Employees may be required to report the loss or theft of their devices to the appropriate authorities within the organization.
- Device repair and maintenance: Employees may be required to take steps to ensure that organizational data is removed before disposing of the device or sending it out for repair.
Overall, smartphone corporate policies help to ensure that employees use their devices responsibly and protect the organization’s data and systems from potential security risks.
Do not allow jailbroken or rooted devices (tablets or smartphones) to operate within the trusted network, be used to conduct business, or connect to organizational resources. Jailbreaking or rooting removes the operating system’s built-in protections (code signing, app sandboxing, enforced updates), so malware on such a device can run with elevated privileges and may be hard or impossible to detect.
New employees should be provided with a written acceptable use and cyber security policy. New hires should take our cyber security on-line course as part of their training program. You can find the Cybersecurity training course schedule by visiting our events calendar.
Network Segmentation Policy
Separate your network into trusted and untrusted zones (network segmentation). NVRs, IP phones, IoT devices and WiFi guests should be in the untrusted segment, separated from PCs, servers, storage, backup devices and other sensitive data. Use MAC address filtering to prevent non-managed or untrusted devices from connecting to the trusted segments, keeping in mind that MAC addresses are easily spoofed; where the equipment supports it, port-based authentication (802.1X) is a much stronger control.
Internet surfing from organizational devices should be limited to work related Web sites. Create groups that provide role-based Internet access using URL filtering. Sites that are conducive to malware such as pornography, gambling, P2P, hacker, anonymizers, URL redirects and known malware/phishing/infected sites should be blocked for all users, no exceptions.
Implement a UTM firewall to provide additional security features such as filtering malicious traffic at the gateway, as well as blocking traffic to/from countries that are not needed for day-to-day business operations (geo-filtering). Recommended UTM settings are gateway malware filtering, gateway IPS/IDS and geo-filtering. A web application firewall (WAF) should additionally protect any web applications the organization exposes to the Internet.
Disallow the use of key generators or cracked software programs. These programs typically carry malicious code in the form of Trojan horses. Do not unblock or whitelist piracy sites or cracked software sites (warez) due to the security risks involved.
Network and On-Line Storage Folder Creation Policy
When creating folders to store sensitive data, please contact our help desk to have us set access controls on the newly created folders. By default, a newly created folder inherits its permissions from the parent folder, which may grant access to far more people than the sensitive data warrants. Setting explicit access controls on the new folder ensures that only the intended users and groups can reach it, which reduces the risk of unauthorized access to sensitive data and helps to ensure compliance with data privacy and security regulations.
It is important for employees to follow this policy and to contact the help desk whenever they create a new network shared folder to store data. This can help to ensure the security and integrity of the organization’s data.
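The following script is an added example (not the page’s own procedure) of what the help desk does for such a request on a Windows file server: it creates the folder, shows the inherited permissions it received, breaks inheritance, grants explicit rights to named groups only, and then checks that no broad groups remain. The path `D:\Shares\HR-Payroll` and the groups `CORP\HR-Payroll-RW` and `CORP\FileAdmins` are placeholders; run it from an elevated PowerShell session on the file server.

```powershell
# Added example: create a folder for sensitive data with explicit, non-inherited permissions.
$Path           = 'D:\Shares\HR-Payroll'      # placeholder path
$ReadWriteGroup = 'CORP\HR-Payroll-RW'        # placeholder group that needs to edit the data
$AdminGroup     = 'CORP\FileAdmins'           # placeholder group for file administrators

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# 1. What the folder got by default: every entry is inherited from the parent, and on a
#    typical drive that includes broad entries such as BUILTIN\Users read access.
Write-Host "Inherited permissions on $Path before hardening:"
(Get-Acl -Path $Path).Access | Where-Object IsInherited |
    Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# 2. Stop inheriting and discard the inherited entries
#    ($true = protect from inheritance, $false = do not copy the inherited rules).
$Acl = Get-Acl -Path $Path
$Acl.SetAccessRuleProtection($true, $false)

# 3. Add explicit entries that propagate to sub-folders and files.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Rules = @(
    @{ Identity = $AdminGroup;            Rights = 'FullControl' },
    @{ Identity = 'NT AUTHORITY\SYSTEM';  Rights = 'FullControl' },
    @{ Identity = $ReadWriteGroup;        Rights = 'Modify' }
)
foreach ($Rule in $Rules) {
    $Ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Rule.Identity, $Rule.Rights, $Inherit, $Propagate, 'Allow')
    $Acl.AddAccessRule($Ace)
}
Set-Acl -Path $Path -AclObject $Acl

# 4. Verify: no inherited entries remain and no broad groups are present.
$After = Get-Acl -Path $Path
$Broad = $After.Access | Where-Object {
    $_.IdentityReference -match 'Everyone|\\Users$|Authenticated Users'
}
if (($After.Access | Where-Object IsInherited) -or $Broad) {
    Write-Warning "Permissions on $Path are still too broad; review before storing sensitive data."
} else {
    Write-Host "Permissions on $Path are explicit and restricted to the named groups."
}
$After.Access | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
```

Grant rights to groups rather than individual users so that access follows the POC-approved ACL change process, and remember that the SMB share permissions are a separate layer: the NTFS permissions set here control access only if the share itself is not more permissive than intended.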
Do not log in to Webmail, Intranet Web sites, VPNs, or any other organizational servers & services from any device other than your secured, work-issued computer. Use only managed devices to connect to organizational assets and conduct business.
This policy is designed to help protect the organization’s data and systems from potential security risks by limiting access to organizational assets to only work-issued computers that are managed by the organization. By requiring employees to use only work-issued computers to access Webmail, intranet sites, VPNs, and other organizational servers and services, the organization can ensure that these assets are accessed from devices that have been configured and secured according to the organization’s security policies.
This policy can help to reduce the risk of unauthorized access to organizational assets and can also help to prevent the accidental or intentional leakage of sensitive data. It is important to enforce this policy and to ensure that employees are aware of the importance of using only work-issued computers to access organizational assets.
Single Sign On Policy
Do not use the organizational e-mail and credential as single sign-on conduits for non-organizational on-line services such as Instagram, Facebook, Google and others, unless specifically approved. Do not log in to your PC using SSO or personal cloud accounts. Doing so may break regulatory compliance and introduce risk into the organization and its data security policies.
Assignment of Rights
All data that is composed, transmitted and/or received by, or through, the organization’s computer systems is considered to belong to the organization and is recognized as part of its official data. It is therefore subject to disclosure for legal reasons or to other appropriate third parties. Make sure your employees are aware that any personal data stored on your organization’s electronic assets may be wiped, viewed or made public in cases involving legal disputes and/or legal discovery.
Conduct a managerial review before allowing employees to make any statements, negotiations or communications via e-mail, social media or on-line postings. Communications made using these media can be legally binding contracts and/or be libelous, infringing or in violation of third-party privacy. Add an email disclaimer stating that any statement made by email cannot be construed as a binding contract.
Do not transmit PII (Personally Identifiable Information), PHI (Protected Health Information), payment card data (in PCI DSS scope, e.g. credit card numbers), IP (intellectual property), passwords or other sensitive data via unencrypted email, chat or any unauthorized means. Use only encrypted channels and authorized methods as defined in the acceptable use policy.
Do not use simple numeric passwords or dates for voicemail PINs and do not store sensitive information in voicemail (i.e., leaving messages with PHI/PII or passwords). If you check your voicemail from outside the country, make sure to delete your messages each time you log in, and change your voicemail PIN when you return.
Unacceptable Use of Systems:
- Sending or posting discriminatory, harassing, or threatening messages or images on the Internet or via the organization’s email service.
- Using computers to perpetrate any form of fraud, and/or software, film or music piracy.
- Stealing, using, or disclosing someone else’s password without authorization.
- Downloading, copying or pirating software and electronic files that are copyrighted or without authorization.
- Sharing confidential material, trade secrets, or proprietary information outside of the organization.
- Attempting to gain unauthorized access to websites or systems (hacking).
- Sending or posting information that is defamatory to the organization, its products/services, colleagues and/or customers.
- Introducing malicious software onto the company network and/or jeopardizing the security of the organization’s electronic communications systems.
- Sending or posting chain letters, solicitations, or advertisements not related to business purposes or activities.
- Passing off personal views as representing those of the organization.
Disallow phones and computers from automatically connecting to open networks. When connecting to a semi-open network (coffee shop/airport), where you join an open network and then pass through an authentication page, always connect to the VPN before accessing organizational resources. Avoid public hot spots when conducting sensitive business such as banking or transferring or accessing sensitive information.
Asset Disposal Policy
Create a policy for disposing of assets securely and responsibly. Smartphones, computers, IoT devices, printers and copy machines, USB storage devices, CDs/DVDs and paper documents can all contain sensitive information. Make sure the data is wiped before discarding a device or sending it out for repair; if the device was encrypted, securely destroying its encryption keys (cryptographic erase) is an acceptable alternative to wiping, but encryption with the keys still intact is not.
Do not scan documents with sensitive information to your email address or send scanned documents with sensitive information directly to mailboxes outside the organization. All documents with PII/PHI/PCI should be scanned to the scan folder and then immediately moved to a folder with the proper security controls based on the sensitivity of the information that was scanned.
Portable devices which contain sensitive information should be encrypted. Do not store sensitive information on non-encrypted portable devices such as laptops, tablets or smartphones, which may become lost or stolen. Sensitive information should be stored only on authorized devices (such as server file shares), in the storage folder appropriate to its sensitivity level. The servers that store this information should be in a locked IT room with limited access.
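On Windows laptops the encryption requirement is met with BitLocker. The script below is an added example (not from the original page) of how to check a computer against this policy and remediate the OS drive: it uses the built-in BitLocker PowerShell module (Windows 8 / Server 2012 and later) and assumes an elevated session, a machine with a TPM, the OS drive mounted as `C:`, and that the recovery password should be escrowed to Active Directory rather than kept by the user.

```powershell
# Added example: audit BitLocker protection and enable it on an unprotected OS drive.

function Get-UnprotectedVolume {
    # A volume counts as protected only when it is fully encrypted AND protection is on.
    # 'FullyEncrypted' with ProtectionStatus 'Off' (e.g. suspended for a firmware update)
    # still leaves the key exposed on disk, so it is reported here too.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
    }
}

$Unprotected = Get-UnprotectedVolume
if (-not $Unprotected) {
    Write-Host 'All volumes are encrypted and protected.'
} else {
    Write-Warning ('Unprotected volumes: ' + (($Unprotected | ForEach-Object MountPoint) -join ', '))
    $Unprotected |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercentage |
        Format-Table -AutoSize
}

# Remediate the OS drive (assumed to be C:) if it is in the unprotected list.
if ($Unprotected.MountPoint -contains 'C:') {
    # XTS-AES 256 with the key sealed to the TPM: the disk is unreadable once removed
    # from this machine. -UsedSpaceOnly speeds up the initial encryption of a new install.
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector `
        -UsedSpaceOnly -SkipHardwareTest

    # Add a recovery password and escrow it to Active Directory so that IT, not the
    # user, holds the recovery key (requires the AD backup setting in Group Policy).
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    $Recovery = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $Recovery.KeyProtectorId
}
```

The audit function is the part worth running on a schedule (for example from your RMM or a logon script) because a drive that was encrypted at deployment can later end up with protection suspended; the remediation block is a one-time step per machine.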
Categorize Data Sensitivity
Categorize data based on its level of sensitivity and create a written policy that dictates where data of each level can be stored. Limit access to sensitive data according to the principle of least privilege, which in practice means access on a need-to-know basis.
There are different types of auditing that can be done to ensure that rules are being followed and that people, processes and technologies are in accordance with organizational guidelines. Audits can be performed by an internal compliance manager, an outside source or a combination of both.
People can be audited to find insiders who may be negligent or malicious, using DLP technology as well as non-technical methods.
Processes are audited to ensure that they are running within defined limits. Temperature, response times and other factors are examples of what process audits measure.
Technologies are audited to ensure that best practices are followed. When obtaining cyber-insurance, you usually have to fill out a self-certified affidavit that asks you to audit and certify certain technology standards such as having backups, anti-virus and up-to-date software patches.
Some audits are complex, follow specific rules and are used to certify entities (i.e. ISO 9000, CE, etc.) but you don’t have to be a huge organization to do auditing. Figure out what part of your organization you want to protect and create an auditing policy and guidelines according to your organization’s size, budget, regulatory requirements and other available resources.
Create a backup policy that defines the minimum requirements: retention periods for backed-up data, backup frequency and rotation scheme (e.g., grandfather-father-son), and the assets to be backed up. Define whether backups are on-site, off-site or both. Additional requirements may be necessary for compliance or safety measures. Define the RTO (recovery time objective) and RPO (recovery point objective), and how backups should be tested (manual/automatic/frequency). By default, Falcon IT Services configures backups as follows: daily backups retained for 7 days, weekly backups for 4 weeks, yearly backups for 5 years. These settings may be higher where compliance dictates or lower based on available storage and resources.