Cyber Security Policies
IT policies and procedures are intended to keep companies, their employees, and their customers safe. Employers should include acceptable use and cyber security policies in the IT section of their employee training manual and onboarding documentation. Below you will find our own set of recommended policies, which are partially derived from NIST (National Institute of Standards and Technology) guidance. If you wish to receive a copy/paste version of these policies, feel free to contact us.
Depending on your industry and the type of data that you work with, there may be additional policies that you need to implement. Additional controls may be required to comply with HIPAA, FISMA, GLBA and other regulatory mandates, as well as with CTPAT, PCI DSS and other industry-specific security frameworks.
Companies and the individuals within them have unique needs, therefore policies should not be absolute. Implement a review process for policy exception requests. The objective should not be to define precisely how hardware, software, processes and procedures are implemented, but rather to make sure that implementations are compliant with current IT security best practices while balancing usability and user satisfaction.
Sample Baseline Cyber Security Policies and Best Practices
Behavior Analysis/DLP: File auditing and data loss prevention (DLP) controls should be implemented to detect and block sensitive information leaving the network perimeter via unauthorized channels such as email, file uploads or copying to portable media.
Change Requests: When users request changes to access control lists (changes in permissions or access) from our helpdesk, the request must be approved by the company’s designated authorized contact. We will make no access control changes based on user requests without proper authorization. Make sure you assign a knowledgeable and trustworthy person as the authorized contact who will approve ACL changes for your organization.
Contractor Requirements: Contractors (ISPs, telephony vendors, DVR/NVR installers) that need access to network resources should be required to adhere to the same security practices as organizational personnel. Contractors that require access to physical resources such as computer rooms and server cabinets should submit a work plan ahead of time and be supervised during the installation process.
Password Policies: Passwords should be at least 12 characters long (preferably phrases) that are easy to memorize but hard to guess. They should not contain information that can be extrapolated from social media or from casual conversation such as family & pet names, birth dates, schools attended or hobbies.
Disallow keeping passwords on sticky notes or in unprotected files on PCs. Do not allow saving/storing passwords within browsers.
If a password must be written down, keep the paper in a combination safe or locked drawer; a secure, organization-approved password manager (wallet or keyring) is the preferred alternative. Do not share passwords with anybody, not even our helpdesk. If a technician resets your password, change it immediately afterwards.
Do not reuse the same password or numerical variations of the same password for multiple services. Do not transmit passwords by email, text or smartphone apps (even if encrypted).
A good strategy for memorizing a secure password is to combine several words and a number into a phrase, separated by special characters.
For example: Chocolate=My.Favorite.Ice.Cream (do not use this published example itself, or any well-known quotation, lyric or saying, as an actual password).
The passwords used for work devices should be unique. Do not use the same passwords, or variations used in social media, public email, etc.
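The rules above (minimum length, no guessable personal information, no reuse, no numerical variations of an old password) can be enforced at password-change time. The following checker is an added example, not code from the original page; the sample previous passwords and personal-information tokens are constructed for illustration, and the three-word passphrase minimum is an assumption, since the page only says "preferably phrases".

```python
import re

# Constructed sample data for this example: two passwords the user has used
# before, and facts about the user that are easy to learn from social media
# (pet name, school attended, birth year, surname).
PREVIOUS_PASSWORDS = ["Summer2023!", "Chocolate=My.Favorite.Ice.Cream"]
PERSONAL_TOKENS = ["rex", "lincoln", "1987", "smith"]
MIN_LENGTH = 12   # policy minimum stated on the page
MIN_WORDS = 3     # assumed passphrase minimum; the page only says "phrases"


def base_form(password: str) -> str:
    """Strip digits, punctuation and case so that 'Summer2023!' and
    'summer2024!!' reduce to the same core ('summer'). Comparing cores is
    how the check catches numerical variations of a previous password."""
    return re.sub(r"[^a-z]", "", password.lower())


def check_password(candidate, previous=PREVIOUS_PASSWORDS, personal=PERSONAL_TOKENS):
    """Return a list of policy violations; an empty list means the candidate
    passes every check."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(re.findall(r"[A-Za-z]+", candidate)) < MIN_WORDS:
        violations.append(f"fewer than {MIN_WORDS} words; use a phrase")

    lowered = candidate.lower()
    for token in personal:
        if token.lower() in lowered:
            violations.append(f"contains guessable personal information: {token!r}")

    core = base_form(candidate)
    for old in previous:
        if candidate == old:
            violations.append("reuses a previous password")
            break
        if core and core == base_form(old):
            violations.append("is a numerical or punctuation variation of a previous password")
            break
    return violations


if __name__ == "__main__":
    for pw in ["Summer2024!!", "Rex.Loves.Walks.2020", "Mountain+Kettle+Drives.9"]:
        print(pw, "->", check_password(pw) or "OK")
```

The core-comparison step is the part most password systems skip: a plain history check accepts "Summer2024!!" as a new password even though it differs from the old one only in the year and punctuation.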
Portable Media: Portable media such as USB sticks, external hard drives, etc. should be blocked. Moving data between untrusted and trusted devices via portable media is inherently risky and a common conduit for malware.
Contact our helpdesk for assistance transferring files securely without having to use portable media. We have a variety of tools that are available for this task.
Data Sharing: Define what channels are approved for transferring what types of files (files that contain PII/PHI or IP), with whom these files can be shared, and disallow the exchange of sensitive files outside the specified secure channels. Add these file types, approved users and channels to your internal acceptable use policy and enforce using DLP (data loss prevention).
Device Admin: Administrative access to IT infrastructure is a function solely of Falcon IT Services and our staff. No company personnel should have administrative access to any devices, including the ability to install programs and make configuration changes to their PCs or other devices.
Equipment requirements: Use commercial grade hardware products. Consumer grade printers, routers, switches and PCs (often purchased from office supply and big-box stores) are not recommended for use in more secure and demanding business environments. Please contact us for pre-purchasing assistance before procuring equipment if you are in doubt or have questions.
Duty to not Deliberately Waste Resources: Employees must not deliberately perform acts that waste computer resources or unfairly monopolize resources to the exclusion of others. These acts include, but are not limited to, sending mass mailings or chain letters, spending excessive amounts of time on the Internet, playing games, engaging in online chat groups, printing multiple copies of documents, or otherwise creating unnecessary network traffic.
Because audio, video and picture files require significant resources, they may not be transferred, copied or downloaded using business resources unless they are for business-related purposes.
Internet surfing should be limited to work related Web sites.
Please do not contact the helpdesk over matters not related to resolving business productivity issues. This includes assistance in troubleshooting personal e-mail and devices.
Login Policy: It is recommended that organizations display a Windows login message that users must acknowledge before they log in to their computers. On Windows the banner is set through the Group Policy security options "Interactive logon: Message title for users attempting to log on" and "Interactive logon: Message text for users attempting to log on". Use a generic message such as the one below, or contact your legal team if you have specific requirements.
*** NOTICE ***
This device is a private computer system owned by COMPANY NAME and is intended solely for official company use by authorized personnel. Unauthorized access or use of this system may subject violators to criminal, civil and/or administrative penalties. By logging in to this computer you agree to abide by both the COMPANY NAME acceptable use policy, as well as the best practices and baseline security policies outlined in the support section of www.falconitservices.com. COMPANY NAME reserves the right to monitor all activity on all company provided equipment and services.
File Attachments: Define what channels are approved for transferring files and disallow the transfer of files outside the specified secure channels.
Email Attachments: File attachments that may contain executable code (EXE, ZIP, RAR and similar archives) or macro-enabled MS Office files (DOCM, XLSM, PPTM) should be blocked at the email gateway. Filter on file content (magic bytes) and on archive contents, not only on the file name: a renamed executable, or an executable inside an archive, passes an extension-only filter. Treat password-protected archives, which the gateway cannot inspect, as blocked.
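The following gateway-style check is an added example, not code from the original page or from any particular mail product. It parses a constructed message with four attachments and shows why an extension-only rule is not enough: it flags a renamed executable by its MZ header, looks inside a ZIP for executables and encrypted members, and detects a VBA macro project inside a file named .docx. The blocked-extension set extends the page's EXE/ZIP/RAR list with the macro-enabled Office types; the function names and sample attachments are assumptions made for this example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions from the page (EXE, ZIP, RAR) plus the macro-enabled Office types.
BLOCKED_EXTENSIONS = {"exe", "zip", "rar", "docm", "xlsm", "pptm", "dotm", "xlam"}
EXECUTABLE_MAGIC = b"MZ"     # Windows PE header, whatever the file is named
ZIP_MAGIC = b"PK\x03\x04"    # ZIP archives and the docx/xlsx/docm containers


def _zip_findings(name, data):
    """Inspect a zip-based attachment for executables, VBA macro projects and
    encrypted members that a scanner cannot open."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = info.filename.lower()
                if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted
                    findings.append(f"{name}: encrypted member {info.filename!r} cannot be scanned")
                elif member.rsplit(".", 1)[-1] in BLOCKED_EXTENSIONS:
                    findings.append(f"{name}: archive contains {info.filename!r}")
                elif member.endswith("vbaproject.bin"):
                    findings.append(f"{name}: Office document carries a VBA macro project")
    except zipfile.BadZipFile:
        findings.append(f"{name}: corrupt or truncated archive")
    return findings


def blocked_attachments(raw_message: bytes):
    """Return a list of reasons to block the message; empty means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"{name}: blocked extension .{ext}")
        if data.startswith(EXECUTABLE_MAGIC) and ext != "exe":
            findings.append(f"{name}: executable content with disguised extension")
        if data.startswith(ZIP_MAGIC):
            findings.extend(_zip_findings(name, data))
    return findings


def _zip_bytes(members):
    """Build a small in-memory ZIP from a {member name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def sample_message() -> bytes:
    """Constructed test mail with four attachments (none are real files)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed PE stub", maintype="application",
                       subtype="octet-stream", filename="photo.scr.txt")
    msg.add_attachment(_zip_bytes({"tool.exe": b"MZ constructed"}), maintype="application",
                       subtype="zip", filename="tools.zip")
    msg.add_attachment(_zip_bytes({"word/document.xml": b"<w:document/>",
                                   "word/vbaProject.bin": b"\xd0\xcf constructed"}),
                       maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="quarterly.docx")
    return bytes(msg)


if __name__ == "__main__":
    for finding in blocked_attachments(sample_message()):
        print(finding)
```

Only report.pdf passes; the other three attachments are caught, and two of them (the renamed executable and the macro-carrying .docx) would have slipped through a filter that looked at file names alone.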
Personal Email: Personal email access should be blocked in order to prevent users from using public email systems as a means of circumventing corporate email security policies.
Remote Access: Disallow installation and usage of unsanctioned remote access tools and connections. We recommend remote access only when provisioned over an encrypted VPN connection and protected with multi-factor authentication.
Cyber Training: Education is key! Understanding cyber fraud and educating your employees is critical to protecting your organizational assets. Have all new staff take our cybercrime awareness training and require existing staff to attend the course at least once per year. Attendees receive a certificate of completion and a gift.
Smartphone Policy: Do not allow jailbroken or rooted devices (tablets or smartphones) to connect to the trusted network, to be used to conduct business, or to connect to organizational resources.
Onboarding: New employees should be provided with a written acceptable use and cyber security policy. New hires should take our cyber security on-line course as part of their training program. You can find the Cybersecurity training course by visiting:
Create a statement defining what disciplinary actions will be taken with employees who violate security policies. Policies are in place to protect both employees and organizations, and should be strictly enforced.
Network Segmentation: Provision separate network segments (VLANs or physically separate networks, known as network segmentation) for DVRs, IP telephony systems, IoT devices and guest users.
Do not allow unmanaged devices, guest devices or IoT devices to connect to the trusted network segment. Unmanaged devices should only connect to the Guest/DMZ network zone.
URL Filtering: Internet surfing should be limited to work related Web sites on the trusted network zone. Create groups that provide role-based Internet access.
Site categories that commonly deliver malware (pornography, gambling, P2P, hacking tools, anonymizers, URL redirectors) and known malware, phishing and infected sites should be blocked for all users, no exceptions.
UTM Firewalls: Implement a UTM firewall that provides additional security features such as filtering malicious traffic at the gateway (intrusion prevention) and blocking traffic to/from countries that are not necessary for day-to-day business operations (geo-filtering).
Software Policy: Disallow the use of key generators or cracked software programs. These programs typically carry malicious code in the form of trojan horses. We will not unblock or whitelist piracy sites or cracked software due to the risks involved.
Network Sharing: When creating network shared folders to store data, please contact our helpdesk to have us set access controls for the newly created folders. Newly created folders inherit their permissions from the parent folder, and those inherited permissions may not be suitable for sensitive data storage until they are properly set.
Personal Devices: Do not log in to Webmail, Intranet Web sites, SSL VPN, or any other corporate servers & services from any device other than your secured, work-issued computer. Use only managed devices to connect to organizational assets and conduct business.
Single Sign On: Do not use your organizational e-mail address and credentials as a single sign-on identity for other services such as Instagram, Facebook, Spotify and others unless specifically approved. Do not log in to your PC with a personal SSO or public cloud account. Doing so may break regulatory compliance and introduce risk into the organization and its data security policies.
Assignment of Rights: All data that is composed, transmitted and/or received by, or through, the organization’s computer systems is considered to belong to the organization and is recognized as part of its official data. It is therefore subject to disclosure for legal reasons or to other appropriate third parties.
Statement Review: Conduct a managerial review before making any statements, negotiations or communications via e-mail, social media or on-line postings. Communications made using these media can constitute legally binding contracts and/or be libelous, infringing or in violation of third-party privacy. If possible, add an email disclaimer stating that any statement made by email cannot be construed as a binding contract.
Secure Communications: Do not transmit PII (Personally Identifiable Information), PHI (Protected Health Information), cardholder data covered by PCI DSS (credit card numbers), IP (intellectual property), passwords or other sensitive data via unencrypted email, chat or any unauthorized means. Use only encrypted channels and authorized methods based on the acceptable use policy.
Voicemail: Do not use simple numeric passwords or dates for voicemail PINs, and do not store sensitive information in voicemail (e.g., leaving messages containing PHI/PII or passwords).
If you check your voicemail from outside the country, make sure to delete your messages each time you log in, and change your voicemail PIN when you return.
Unacceptable Use of Systems:
Sending or posting discriminatory, harassing, or threatening messages or images on the Internet or via the organization’s email service.
Using computers to perpetrate any form of fraud, and/or software, film or music piracy.
Stealing, using, or disclosing someone else’s password without authorization.
Downloading or copying copyrighted software or electronic files without authorization.
Sharing confidential material, trade secrets, or proprietary information outside of the organization.
Attempting to gain unauthorized access to any website or system.
Sending or posting information that is defamatory to the organization, its products/services, colleagues and/or customers.
Introducing malicious software onto the company network and/or jeopardizing the security of the organization’s electronic communications systems.
Sending or posting chain letters, solicitations, or advertisements not related to business purposes or activities.
Passing off personal views as representing those of the organization.
Hotspot/Wi-Fi Policy: Disallow phones and computers from automatically connecting to open networks.
When connecting to a captive-portal network (coffee shop/airport), where you join an open network and then go through an authentication page, always connect to the VPN before accessing organizational resources.