This paper presents a comprehensive computer network security policy developed for The Financial Group, an accounting corporation. It outlines the critical components of an effective IT security program, including user access controls, password requirements, email and Internet usage policies, anti-virus measures, backup and recovery procedures, intrusion detection systems, remote access protocols, and security awareness training. The policy is designed to protect the confidentiality, integrity, and availability of the company's web-based front-end server, back-end database, and business-logic applications. The paper also addresses enforcement responsibilities and the importance of consistent policy application across all users and connected external entities.
This paper addresses the importance of having a written and enforceable computer network security policy for The Financial Group, an accounting corporation. The company's accounting systems comprise three major elements: a web-based front-end server, a back-end database, and business-logic applications. OS-level console access is used for system administration. Accountants access the system with web browsers using HTTP only and are authenticated via the HTTP basic authentication mechanism.
Network security is the most critical element of The Financial Group's IT security program. This security policy identifies the rules and procedures that all persons accessing computer resources must adhere to in order to ensure the confidentiality, integrity, and availability of data and resources.
Security Definition: This security policy is intended to ensure the confidentiality, integrity, and availability of data and resources through the use of effective and established IT security processes and procedures.
Enforcement: The Chief Information Officer (CIO) and the Information Systems Security Officer (ISSO) will hold primary responsibility for implementing the policy and ensuring compliance. Members of senior management will be represented as well. All exceptions to the policy should be reviewed and either approved or denied by the Security Officer. Senior management, however, should not be given the flexibility to overrule decisions; otherwise, the security program will be full of exceptions that lend themselves toward failure.
User Access to Computer Resources: The roles and responsibilities of users accessing resources on the company's computer network should be strictly defined and implemented. This includes: procedures for obtaining network access and resource-level permissions; policies prohibiting personal use of organizational computer systems; procedures for using portable media devices; procedures for identifying applicable email standards of conduct; specifications for both acceptable and prohibited Internet usage; guidelines for using software applications; restrictions on installing applications and hardware; procedures for remote access; guidelines for using personal machines to access resources; procedures for account termination; procedures for routine auditing; procedures for threat notification; and security awareness training.
In addition, external companies with which The Financial Group conducts business via LAN, WAN, or VPN will be required to meet the terms and conditions identified in the organization's security policy before they are granted access. This is done for the simple reason that the security policy is only as good as its weakest link (Frye 349–382).
Security Profiles: Security profiles will be applied uniformly across common devices used by the company, for example servers, workstations, routers, switches, firewalls, and proxy servers. Applicable standards and procedures will be followed for locking down devices. An assessment must also be completed to determine what services are necessary on which devices to meet the company's organizational needs and requirements. All other services should be turned off and/or removed and documented in the corresponding standard operating procedure.
Passwords: Passwords are a critical element in protecting the company's infrastructure. The security policy is only as good as its weakest link: if users have weak passwords, the company faces a higher risk of compromise not only from external threats but also from insiders. If a password is compromised through social engineering or password-cracking techniques, an intruder gains access to the company's resources, resulting in the loss of confidentiality and possibly the integrity of company data.
Users will be required to use a minimum of eight characters for passwords, combining symbols, alphabetic characters, and numerals in a mixture of uppercase and lowercase letters. Users will be required to change their passwords at least quarterly, and previous passwords may not be reused. An account lockout policy will be implemented after a predetermined number of unsuccessful logon attempts.
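The password rules above, worked into a checker as an added example (not from the paper): the eight-character minimum and the four character classes come from the policy text; the history depth, the lockout threshold and the 90-day rotation figure are assumed values standing in for the "predetermined" numbers the policy leaves to implementation.

```python
import re
import hashlib

MIN_LENGTH = 8
HISTORY_DEPTH = 12          # assumed: how many previous password hashes are kept
MAX_FAILURES = 5            # assumed: failed logons before the account locks
MAX_PASSWORD_AGE_DAYS = 90  # "at least quarterly"
CLASSES = {
    "uppercase": r"[A-Z]", "lowercase": r"[a-z]",
    "numeral": r"[0-9]", "symbol": r"[^A-Za-z0-9]",
}

def password_hash(password):
    """Hash used for the reuse check. SHA-256 keeps the example short; a
    real history store should use the same salted, slow hash as the live
    credential so the history cannot be cracked cheaply."""
    return hashlib.sha256(password.encode()).hexdigest()

def password_violations(candidate, previous_hashes):
    """Return every policy rule the candidate password breaks (empty = OK)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for name, pattern in CLASSES.items():
        if not re.search(pattern, candidate):
            problems.append("missing %s character" % name)
    if password_hash(candidate) in previous_hashes:
        problems.append("reuses a previous password")
    return problems

def rotation_due(days_since_change):
    """Quarterly change rule: True once the password is 90 days old."""
    return days_since_change >= MAX_PASSWORD_AGE_DAYS

class LockoutPolicy:
    """Count consecutive failed logons per account; lock at MAX_FAILURES."""
    def __init__(self):
        self.failures = {}
        self.locked = set()

    def record_attempt(self, user, success):
        if user in self.locked:
            return "locked"          # stays locked until an administrator resets it
        if success:
            self.failures[user] = 0  # a good logon clears the failure streak
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
            return "locked"
        return "failed"
```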
Email: A strict email usage policy is essential. Several viruses, Trojans, and malware use email as the vehicle to propagate themselves across the Internet. Notable recent examples include the worms Code Red, Nimda, and Goner (Ogletree 48). These exploits rely on unsuspecting users double-clicking on an attachment, thereby infecting the machine and launching propagation throughout the entire network, potentially causing hours or days of downtime while remedial efforts are undertaken.
To address this risk, content filtering of email messages will be required. Attachments with extensions such as .exe, .scr, .bat, .com, and .inf will be filtered. Personal use of the email system should also be prohibited, as email messages can be and have been used in litigation, as in U.S. v. Microsoft (Erlanger 23).
Back-up and Recovery: A comprehensive backup and recovery plan is critical to mitigating incidents. The company should be prepared to deal with natural disasters or other disruptive events, and off-site storage locations are essential in this regard. The company should be able to restore data from a tape backup if the system crashes, is compromised, or if files are inadvertently deleted. At a minimum, the backup recovery plan should include: backup schedules; identification of the type of tape backup (full, differential, etc.); tape storage locations (on-site and off-site); tape labeling conventions and rotation procedures; and review of log files (Erlanger 25).