Cobb County Public Broadcasting Information Security Policy and Contingency Planning

CCPB Security Policy

Nov 02, 2014


BrianZimmerman

Security Policy that I collaborated on.
Page 1: CCPB Security Policy

Cobb County Public Broadcasting

Information Security Policy and

Contingency Planning

Table of Contents

1. Physical Security Policies

a. Incident Management Policy

b. Disaster Recovery Policy

c. Physical Security Policy

2. Personnel Security Policies

a. Security Awareness Training Policy

b. Privacy Policy

c. Vendor Access Policy

3. Operations Security Policies

a. Account Management Policy

b. Administration/Special Access Policy

c. Server Hardening Policy

4. Communications Security Policies

a. Change Management Policy

b. Software Licensing Policy

c. Security Monitoring Policy

5. Network Security Policies

a. Acceptable Use Policy

b. Network Configuration Policy

c. Network Access Policy

6. Information Security Policies

a. Virus Protection Policy

b. Password Policy

c. Intrusion Detection Policy

Incident Management Policy

1. Purpose

The Cobb County Public Broadcasting (CCPB) Incident Management Policy establishes the guidelines for handling and prevention of all incidents.

2. Scope

This policy applies to all CCPB employees and contractors.

3. Incident Management Policy

Incident Detection and Reporting

Report any out-of-the-ordinary occurrences with hardware or software to the help desk. If the help desk cannot resolve the issue it must be reported up to Management. Use the attached Incident Reporting Form.


Incident Report Form

Employee Name:

Date of Incident:

Time of Incident:

Type of Incident:

Incident Details:

Signature__________________________________________________________________________________


1.1.1. Report any suspicious occurrences involving any physical threats or suspicious characters to the Chief Information Security Officer (CISO).

1.1.2. Notify a member of the Incident Response Team immediately if an emergency occurs and check Disaster Recovery Policy or Intrusion Detection Policy for more information.

3.1. Incident Handling

3.1.1. Creating an Incident Response Team. See Intrusion Detection Policy for more information.

3.1.1.1. The Incident Response Team consists of one valuable member from each department.

3.1.1.2. The Incident Response Team will create and alter the incident response plan.

3.1.1.3. Every two years the Incident Response Plan should be put to the test to verify that it is sufficient. If not, alter the Incident Response Plan to make it sufficient.

3.1.1.4. The Incident Response Team will have a quarterly meeting to make sure that the Incident Response Plan stays fresh in their memory in case an incident occurs.

3.1.2. When an incident has occurred, document as much information as is available.

3.1.3. Notify the Incident Response Team.

3.1.4. If the incident is still active, contain the incident immediately.

3.2. Incident Investigation

3.2.1. Investigate how the incident occurred.

3.2.2. Damage Assessment - Make a list of all systems that need to be recovered and hardware that needs to be replaced.

3.2.3. Recovery

3.2.3.1. Begin the recovery to get the systems back up and running using the Damage Assessment List

3.2.3.2. What controls can be implemented to prevent this from occurring again? Analyze suggested controls to see if they are cost effective. If so, report to management with a change management form.

4. References

4.1 Whitman, Michael E., and Herbert J. Mattord. Principles of Information Security. Boston, MA: Course Technology, 2012. 221-27. Print.

4.2 http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf

Disaster Recovery Policy

1. Purpose

The Cobb County Public Broadcasting (CCPB) Disaster Recovery Policy establishes the guidelines for handling of disasters including business continuity planning.

2. Scope

This policy applies to all CCPB employees, specifically the disaster recovery team and management.

3. Disaster Recovery Policy

3.1 CCPB must take an inventory of all information systems assets.

3.2 CCPB must run a cost benefit analysis to determine which assets are critical to operation of the business.

3.3 CCPB must perform risk assessment to determine current Information Security (IS) vulnerabilities.

3.4 CCPB must identify any single points of failure within the CCPB network infrastructure.

3.5 CCPB must identify critical applications, systems and data.

3.6 CCPB must prioritize key business functions.

3.7 CCPB will perform nightly disk backups on site. CCPB will keep the most current seven days of backup on site. All other data will be stored offsite.

3.8 CCPB will employ the services of a vendor for secure real-time data replication that can be accessed 24/7.

3.9 In the event of power loss, CCPB will use UPS and generators to prevent the loss of data and provide time to safely power down the system.

3.10 If a natural disaster occurs, initiate the disaster recovery plan and power up the CCPB hot site. It is critical that CCPB is able to continue sending out the signal so it is imperative to have a hot site waiting at all times.

3.11 CCPB will practice bringing up the hot site once a year to test the hardware and the plan’s effectiveness.

4. References

4.1 “Disaster Recovery Policy”. Template Zone. http://www.templatezone.com/pdfs/Disaster-Recovery-policy.pdf.

4.2 “Disaster Recovery Policy”. Wikipedia. http://en.wikipedia.org/wiki/Disaster_recovery.html.

Physical Security Policy

1. Purpose

The Cobb County Public Broadcasting (CCPB) Physical Security Policy establishes the rules for the physical security controls and equipment.

2. Scope

This policy applies to all CCPB employees and contractors.

3. Physical Security Policy

3.1 Physical security and entry controls

CCPB will have security badges for each employee in order to gain access into the building. At each floor, CCPB employees will be required to present their security badge in order to access that floor. Any vendors will be required to sign in and will be issued a temporary access badge.

3.2 Video Surveillance

The premises will be under video surveillance to ensure safety of the employees and to help keep critical data secure.

3.3 Inventory

All equipment will be locked to the desk and added to an asset list.

3.4 Cabling and communications equipment

CCPB will use 12-inch raised floors to store all cabling which will allow easy access to all the cabling while keeping it protected.

The communications equipment will be stored in a temperature-controlled communications room.

3.5 Equipment maintenance

CCPB equipment is to be maintained only by qualified employees.

3.6 Off-site equipment

All off-site equipment must be checked out so CCPB can keep an accurate inventory.

3.7 Disposal and re-use of equipment

All equipment must be removed from the asset list and any data must be scrubbed. CCPB will donate any usable computer equipment. If it cannot be donated, then CCPB will research recycling as throwing away is a last resort.


3.8 Non-compliance

Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; or dismissal for interns and volunteers. Additionally, individuals are subject to loss of CCPB Information Resources access privileges, civil, and criminal prosecution.

4. References

4.1 “Physical Security Policy”. Queensland Government Information Standards. www.queenslandgovernment.com/information_standards/physical_security_policy_template.doc.

Security Awareness Training Policy

1. Purpose

Security awareness training ensures that all users of Cobb County Public Broadcasting’s information systems understand the security consequences of their actions and increases the likelihood that information system security will not be breached, either intentionally or unintentionally, through hacking or social engineering. Without this training, information systems users have an increased chance of breaching security. This program is to train and educate employees for the purpose of providing employees with the tools needed for a successful security program.

2. Scope

This Security Awareness Training Policy applies to all users of all information systems that are the property of Cobb County Public Broadcasting (CCPB). It includes:

1.1. All contractors and third parties that work on behalf of and are paid directly by CCPB.

1.2. All contractors and third parties that work on behalf of CCPB but are paid directly by an alternate employer.

1.3. All volunteers that work at will on behalf of CCPB.

1.4. All employees of partners and clients of CCPB that access CCPB’s non-public information systems.

3. Security Awareness Training Policy

All employees of CCPB are required to participate in the Security Awareness Training Program within the first 7 days of starting work and thereafter on a quarterly basis. Upon completion of security awareness training, all employees will be required to sign a declaration that they have completed training, understand the purpose of the training and the specific procedures taught, and that they intend to abide by CCPB’s security policies.

1.5. All employees of CCPB that work as administrators or hold positions with significant security operations responsibilities are required to participate in the Security Operations Training Program within 30 days of starting work or the deployment of a new or significantly updated/revised information system and thereafter on an as needed basis. After completion of security operations training, all employees will be required to sign a declaration that they have completed the training, understand the purpose of the training and the specific procedures taught, and that they intend to abide by CCPB’s security policies.

The CCPB Security Awareness Training Program will be broken into two phases:


4. Procedure 1

Phase 1

This phase takes place during New Employee Orientation on the first week of employment, before the new employee has access to CCPB systems, network, and accounts, and will improve awareness of the need to protect system resources.

1.6. Address the following:

1.1.1. The creation and maintenance of appropriate passwords, including the need to maintain password confidentiality. See Password Policy for more information.

1.1.2. Detecting, avoiding and responding to viruses and other malware. See Virus Protection Policy for more information.

1.1.3. Detecting, avoiding and responding to identity theft.

1.1.4. Detecting, avoiding and responding to social engineering.

1.1.5. Appropriate usage of network resources including the Internet and e-mail. See Acceptable Use Policy for more information.

1.1.6. Appropriate usage of systems including the servers, personal and portable computers and external media devices.

1.1.7. Appropriate usage of software including copyright and file sharing restrictions. See Software Licensing Policy for more information.

1.1.8. Appropriate usage of data including entry, editing and distribution restrictions and the use of encryption capabilities, where deployed.

1.1.9. Appropriate physical security measures to ensure the protection of facilities, assets and personnel. See Physical Security Policy for more information.

1.1.10. Appropriate reporting, including the reporting of abuse, policy violations and suspicious activities.


Phase 2

This phase is to provide continuous security training for all employees quarterly through the following:

1.7. Address any changes to CCPB security policy.

Up-to-date social engineering practices, physical security updates, and any Information Resource policy changes.

1.1.1. Get feedback from employees through Q & A session, to address concerns.

5. Procedure 2

Security Operations Training Program. Address the following:

Implementation and appropriate configuration of security controls integral to the information system.

1.1.1. Implementation and appropriate configuration of security controls external to the information system (i.e., anti-malware, firewalls and other third-party solutions).

1.1.2. Operations of the security controls integral and external to the information system.

6. Non-Compliance

Violation of any of these policies or procedures will be considered a security breach and depending on the nature of the violation, various actions will and can be taken:

1.8. A minor breach will result in written reprimand.

1.9. Multiple minor breaches or a major breach will result in suspension.

1.10. Multiple major breaches will result in termination.

_______________________ __________ _____________________
Employee Signature Date Employee Printed Name

_______________________
Manager Signature

7. Reference

“Security Awareness Training Policy”. Info-Tech Research Group. http://www.infotech.com/research/security-awareness-training-policy-template.doc.

Privacy Policy

1. Purpose


The Cobb County Public Broadcasting (CCPB) policy is to protect the privacy of individuals who have sensitive information stored (either in electronic or paper form) on assets owned by CCPB, while at the same time providing CCPB the ability to share this information with authorized entities as required by policy or law. All employees must fully understand that CCPB equipment and all digital information on it or accessed through it belong solely to CCPB. The systems and network resources are the property of CCPB.

2. Scope

The CCPB Privacy Policy applies to all employees, volunteers, affiliates, contractors and sub-contractors who interact with CCPB systems and processes, electronic or otherwise.

3. Privacy Policy

The responsible use of sensitive information requires that CCPB respect individual privacy, protect against identity theft and other unauthorized uses, and comply fully with all laws and government regulations in the collection, use, storage, display, distribution and disposal of such information. Authorized uses of sensitive information within CCPB are limited to uses which:

are necessary to meet legal and regulatory requirements;

facilitate access to services, transactions, facilities and information; or

support efficient broadcasting and administrative processes.

Access to sensitive information is limited to:

The individual whose information is produced or displayed;

An organization or person authorized by the individual to receive the information;

A legally authorized government entity or representative;

Other circumstances in which the CCPB is legally required to provide access to information, such as the Georgia Open Records Act; or

Other individuals or entities, as allowed by law, for purposes judged to be appropriate or necessary for the reasonable conduct of CCPB business for which there is no reasonable substitute.

Customer information sent via the Internet should be protected by isolating the information from the internet to prevent attackers from accessing the information. In order to minimize the risk of attackers accessing critical customer data, CCPB must use the following measures to protect information:

Critical customer information must be moved to a computer that is physically isolated from the Internet.

Backup software must be configured to save critical files in isolated locations on a nightly basis.

The information should be protected through encryption, message filtering, data encapsulation, redundancy, and backups.

Customer databases should be kept separate from Web servers by using hardware/software to keep data flowing securely between the external Web server and internal database servers.

4. Enforcement

Enforcement of this policy is the responsibility of the Office of the Chief Information Security Officer (CISO).

5. Violation

Employees are responsible for forfeiting any company-owned or leased asset upon their separation of employment, or upon the request of the company. Violating this policy can lead to disciplinary action, criminal charges, and/or fines for replacement of the asset.

Any staff member found to have violated this policy shall be subject to disciplinary action, up to and including termination of employment. Violation of this policy may result in termination of contracts or commitments to vendors and other affiliates. Legal action may be pursued where appropriate.

6. Changes in This Privacy Statement

CCPB reserves the right to modify this Privacy Policy at any time, so please review it frequently. If material changes are made to this policy, all CCPB employees will be notified, either by e-mail, or by means of a notice on the CCPB home page.

If CCPB decides to change the Privacy Policy, these changes to this Privacy Policy will be posted on the CCPB homepage, and other places deemed appropriate so that all CCPB employees are aware of what information is collected, how it is used, and under what circumstances, if any, it will be disclosed.

7. References

1.1 “Open Records Act”. Georgia Secretary of State. 01 Mar 2011. http://www.sos.ga.gov/archives/who_are_we/rims/best_practices_resources/open_records_act.htm.

Vendor Access Policy

1. Introduction

Vendors play an important role in the support of hardware and software management, and operations for customers. Vendors can remotely view, copy and modify data and audit logs; correct software and operating system problems; monitor and manipulate system performance; monitor hardware performance and errors; and reset alarms. Setting limits and controls on what can be seen, copied, modified, and controlled by vendors will eliminate or reduce the risk of loss of revenue, liability, loss of trust, and embarrassment to Cobb County Public Broadcasting (CCPB).

2. Purpose

The CCPB Vendor Access Policy establishes the rules for vendor access to CCPB Information Resources and support services, vendor responsibilities, and protection of CCPB Information Resources.

3. Scope

This policy applies to all individuals that are responsible for the installation of new Information Resources assets, and the operations and maintenance of existing Information Resources and who do or may allow vendor access for maintenance, monitoring and troubleshooting purposes.

4. Vendor Access Policy

Vendors must comply with all applicable CCPB policies, practice standards and agreements, including:

• Acceptable Use Policies (see Acceptable Use Policy for more information)

• Auditing Policies (see Security Monitoring Policy for more information)

• Privacy Policies (see Privacy Policy for more information)

• Safety Policies

• Special Access Policies (see Administration/Special Access Policy for more information)

• Security Policies

• Software Licensing Policies (see Software Licensing Policy for more information)

Vendor agreements and contracts must specify:

• The CCPB information the vendor should have access to.

• How CCPB information is to be protected by the vendor.

• Acceptable methods for the return, destruction or disposal of CCPB information in the vendor's possession at the end of the contract.

5. Disciplinary Actions

Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; or dismissal for interns and volunteers. Additionally, individuals are subject to loss of CCPB Information Resources access privileges, civil, and criminal prosecution.

6. References

6.1. “Vendor Access Policy”. University of Texas at San Antonio, Office of Information Technology. 9 May 2011. http://utsa.edu/oit/std/sec_vendor_std.html.

Account Management Policy

1. Purpose

The Cobb County Public Broadcasting (CCPB) Account Management Policy establishes the rules for the creation, distribution, maintenance, and revocation of all accounts.

2. Scope

This policy applies to all CCPB employees and contractors.

3. Account Management Policy

All CCPB accounts will be managed by the administrators. The administrator’s duties include establishing, activating, modifying, disabling and removing accounts.

1.1 Accounts should be created with no privileges and then privileges should only be added based on the CCPB employee's responsibilities.

1.2 All CCPB accounts should be reviewed every quarter to verify each account has appropriate privileges. If an account has inaccurate privileges then it should be set to the appropriate level.

1.2.1 Validate each user's roles within CCPB.

1.2.2 Review each user's account permissions.

1.2.3 Validate that each user has the permissions that his/her position requires.

1.3 CCPB accounts will be reviewed every 30 days for inactive accounts. If the accounts are inactive then the employee will be notified. If the account remains inactive for a combined 60 days the account will be disabled.

1.4 All accounts will have a restriction of five failed login attempts within 20 minutes. After five attempts, the account will be locked for 30 minutes. For immediate assistance, contact the help desk to verify identity and reset the account.

1.5 Creating secure accounts

1.5.1 Accounts must be created with minimum privileges required by the job role.

1.5.2 Accounts should be defined as one of the following:

1.5.3 System Administrator - The ability to install, configure, modify and patch system software

1.5.4 Account Administrator - The ability to create, delete, modify accounts and permissions

1.5.5 Review Administrator - The ability to review activities of other administrators


1.5.6 Full content access - The ability to read, write, edit and delete data

1.5.7 Limited content access - The ability to read, write and edit data

1.5.8 Restricted content access – The ability to read and write data

1.5.9 Minimal content access – The ability to read data

1.6 Non-Compliance procedures are as follows:

1.6.1 A minor violation will result in a written warning.

1.6.2 Multiple minor violations will result in suspension.

1.6.3 Multiple major violations will result in termination.

2. References

2.1 “Account Management Policy”. Info-Tech Research Group. http://www.infotech.com/research/account-management-policy-template.doc.

Administration/Special Access Policy

1. Purpose

The Cobb County Public Broadcasting (CCPB) Administration/Special Access Policy establishes guidelines for use and creation of Special Access Accounts.

2. Scope

The CCPB Administration/Special Access Policy applies to all CCPB employees and contractors.

3. Administration/Special Access Policy

CCPB must submit a list of administrative contacts for their systems.

1.1 All users must sign the CCPB Information Resources Security Acknowledgement and Nondisclosure Agreement before access is given to an account.

1.2 All users of Administrative/Special access accounts must have account management instructions, documentation, training, and authorization.

1.3 Administrative/Special access account users must not abuse privileges.

1.4 Each individual that uses Administrative/Special access accounts must use the account privilege most appropriate with work being.

1.5 Each administrative/special access request must meet the CCPB Password Policy criteria.

1.6 The password for a shared administrator/special access account must change when an individual leaves the department or upon a change in the vendor personnel assigned to the CCPB contract.

1.7 In the case where a system has only one administrator there must be a password escrow procedure in place so that someone other than the administrator can gain access to the administrator account in an emergency situation.

1.8 When Special Access accounts are needed, they must be created under the following criteria:

1.8.1 The special access account must be authorized by management.

1.8.2 The special account must be created with a specific expiration date.

1.8.3 The account must be decommissioned when work is complete.

2. References

2.1 “Administration/Special Access Policy”. State of Minnesota. www.security.state.mn.us/admin_special_access_policy.doc

Server Hardening Policy

1. Purpose

The Cobb County Public Broadcasting (CCPB) Server Hardening Policy establishes guidelines for securing CCPB servers.

2. Scope

The CCPB Server Hardening Policy applies to all CCPB employees and contractors.

3. Server Hardening Policy:

1.1 A server must not be connected to the CCPB network infrastructure without being approved by management.

1.2 A server must be secured before being implemented in the network.

1.3 The following steps should be performed on every server before implementation:

1.3.1 Install the operating system which has been approved by CCPB management only.

1.3.2 Install all patches and updates to bring the operating system up-to-date.

1.3.3 Remove any software, services and drivers that are not necessary.

1.3.4 Set defined security parameters and logging.

1.3.5 Disable factory passwords.

1.4 CCPB will monitor security issues and will manage the release of patches to fix security issues based on priority of device.

1.5 CCPB will test all patches to verify that they fix the security issues and that they do not present any new vulnerabilities.

1.6 All hardware and software patches must be implemented within a specific time frame decided by CCPB management.

1.7 Logs must be reviewed to look for failures and faults.

1.8 Logs will be stored up to three months.

1.9 CCPB will perform nightly server backups during slow business hours.

1.10 CCPB will keep a test server to test current patches on configuration to make sure there are no compatibility issues before going live to ensure no network downtime.

1.11 Failure to follow these guidelines can result in a written reprimand, suspension, or termination.

2. References

2.1 “Server Hardening Policy”. State of Texas. www.state.tx.us/SiteCollectionDocuments/Security Policies Standards/server_hardening_policy.doc.

Change Management Policy

This policy applies to CCPB personnel who install, operate or maintain the Information Resources on which any department relies in order to perform its normal business activities.

1. Purpose

The intent of Change Management Policy and Procedures is to ensure the effective management of changes while reducing risk. The CCPB’s policy communicates CCPB management’s intent that changes to CCPB-supported Information Resources are managed and implemented in a way that minimizes risk and outcome. For purposes of this policy, a change is defined as anything that alters or modifies standard operating procedures that have potential to affect the stability and reliability of CCPB-supported Information Resources infrastructure and disrupt the business of the network. A change, as defined by this policy, can be planned or unplanned.

2. Policy Statement

All changes to CCPB-supported systems are required to follow the established CCPB Change Management Process. CCPB Management requires that changes to CCPB-supported Information Resources be subject to a formal change management process that provides for a managed and orderly method by which such changes are requested, approved, communicated prior to implementation and logged and tested.

3. Scope

This policy covers changes to CCPB-supported systems (hardware, software, applications, and network environment) on which the network relies in order to perform its business activities.

There are many reasons that would require a change to be made:

3.1 Vendor recommended/required changes

3.2 Changes in regulations

3.3 User requests

3.4 Hardware and/or software upgrades

3.5 Acquisition/implementation of new hardware or software

3.6 Hardware or software failures

3.7 Changes or modifications to the infrastructure

3.8 Environmental changes (electrical, air conditioning, data center remodels, etc)

3.9 Unforeseen events

3.10 Periodic Maintenance

4. The following criteria will be considered while reviewing any change:

• Evaluate the change plans to gauge the impact and effect of the change during and immediately following the change implementation.

• Review the technical completeness of the change plan, including anticipated assets changed, impact on start-up or shut down of systems, impact on disaster recovery plans, back-up requirements, storage requirements, and operating system requirements.

• Evaluate the technical feasibility of the change and the whole impact of the change in terms of:

- Performance

- Capacity

- Security

- Operability

- Validate technical aspects, feasibility, and plan.

- Evaluate the impact of both doing and not doing the change.

- Analyze the change scheduling so conflicts may be resolved to minimize impact.

- Ensure the Communications Plan is sufficient to notify all affected parties of the impending change and that they understand the potential impacts.

5. Key objectives

5.1 Establish clearly defined best practice processes for technology change implementations

5.2 Improve the efficiency and success rate of change implementations

5.3 Improve communications throughout the organization of proposed and implemented change

5.4 Ensure proper levels of approval

5.5 Reduce risk associated with implementing changes

5.6 Reduce the impact of changes on the organization

6. Roles and Responsibilities

Everyone at CCPB has a role and responsibility with regards to the change management process.

• End-User – has responsibility for:

1) Submitting a change request

2) Participating in testing

3) Sign off for the change.

• End User/Management – has responsibility for:

1) Verifying that change requests are valid

2) Timely signing off of changes.

• CCPB Staff as End-User, Management – has responsibility for following the policy.

• CCPB Staff Technical Role – has responsibility for following the prescribed change management processes and procedures.

• CCPB Management – has overall responsibility for overseeing the change management policy and process. This includes ensuring the policy dissemination, oversight, and final approval of implementation of any change.

7. Change Categories

This policy categorizes changes as: Planned Major Changes; Maintenance and Minor Changes; and Emergency and Unplanned Outage Changes. Of the three change categories, Planned Major Changes require the most rigorous and extensive change process and subsequent procedures.

Planned Major Changes

Examples of Planned Major Changes are:

1. Changes that result in business interruption during regular business hours

2. Changes that result in business or operational practice change

3. Changes in any system that affect disaster recovery or business continuity

4. Introduction or discontinuance of a new Information Resource service

Maintenance and Minor Changes

Examples of this type of change are:

1. Application-based security or business needs patches

2. Operating system patches (critical, hot fixes, and service packs)

3. Regularly scheduled maintenance

4. Changes that are not likely to cause a service outage

Emergency and Unplanned Outage Changes

Examples of this type of change are:

1. A building is without service

2. A severe degradation of service needing immediate action

3. A system/application/component failure causing a negative impact on business operations

4. A response to a natural disaster

5. A response to an emergency business need

6. A change requested by emergency responder personnel

8. Disciplinary Actions

Violation of any of these policies or procedures will be considered a security breach and depending on the nature of the violation, various actions will and can be taken:

8.1 A minor breach will result in written reprimand.

8.2 Multiple minor breaches or a major breach will result in suspension.

8.3 Multiple major breaches will result in termination.

9. References

9.1 "Technology Change Management Policy and Procedures." http://www.jupiter.fl.us/. N.p., n.d. Web. 13 Jul 2012. http://www.jupiter.fl.us/InformationSystems/upload/IS13-12_ChangeMgmtPolicy.pdf.

9.2 “ICT Change Management Policy”. New Mexico State University. 17 August 2007. http://ict.nmsu.edu/ict/Guidelines/ICTChangeManagementPolicy08-17-07-web.pdf.

Software Licensing Policy

1. Introduction

End-user license agreements are used by software and other information technology companies to protect their valuable intellectual assets and to advise technology users of their rights and responsibilities under intellectual property and other applicable laws.

2. Purpose

The Copyright, Designs & Patents Act 1988 covers computer software, and protects the writers of computer software. Copying software or instruction manuals without the permission of the copyright owner may lead to prosecution of the individual or the Cobb County Public Broadcasting (CCPB). In particular regard to the licensing of computer software, the CCPB will not tolerate the illegal copying or use of unlicensed or non-work related software on CCPB computer systems or communications services and a breach of the above act will constitute a breach of disciplinary rules.

This Software Licensing Policy covers how the CCPB will ensure compliance with the Information Security Policy for all software purchases.

3. Scope

All employees should be aware that all proprietary software is protected under Federal law. CCPB is not responsible for any software illegally downloaded by any employee. No unauthorized software will be installed or used on CCPB systems or network resources unless it is in compliance with the CCPB Software Licensing Policy and Federal law and installed by authorized CCPB or contract personnel.

4. Definitions

For the purposes of this policy, unless otherwise stated, the following shall apply:

4.1 All software has licenses which may be full commercial licenses, a ‘free’ license, a license to ‘trial’ or a license to trial and then purchase.

4.2 A software license is a legal agreement that is entered into between two parties.

4.3 CCPB licensed software grants the CCPB the right to load the software on any computer owned or leased by CCPB.

4.4 Some site licensed software has specific home use rights. Home use often requires users to sign a software license agreement. The agreement outlines the Users’ responsibilities and provides the Terms of Use for the software.

4.5 Nested Agreement – a license agreement that includes acceptance of further license agreements related to additional software. This additional software may be installed optionally or automatically with the core software package.

5. Software Licensing Policy

1. Users are required to conform to all CCPB policy and regulations on software licensing.

2. Users are required to conform with the Copyright Act 1994 and amendments, including but not limited to the copying, duplication, loading and use of licensed software.

3. Users are required to conform to the terms and conditions of all license agreements for software loaded on to any Information Resource owned or administered by the CCPB.

4. Users of CCPB licensed software are required to conform with the terms of all license agreements between CCPB and any third party, including CCPB-licensed software installed or used on any system, computer, or device.

5. Software must not be installed or used on CCPB-owned Information Resources in any way that is in violation of the license agreement.

6. CCPB-licensed software must not be installed or used on any system, computer, or device in any way that is in violation of the license agreement.

7. Software installed or used on CCPB-owned Information Resources in violation of its license must be uninstalled.

8. CCPB-licensed software installed or used on any system, computer, or device in violation of its license must be uninstalled.

9. The party responsible for the software and the party responsible for the license must ensure that they fully understand the implications of any licensing agreement before acquiring or purchasing the software. For example:

a. Do not commit to license agreements that prevent CCPB from removing any software; and

b. Records must be kept by those responsible for management of any software, to ensure licensing information is available at all times.

10. Adequate records must be kept by those responsible for management of any software, to ensure licensing information is available at all times.

6. Software License Records

CCPB has a legal responsibility to ensure that the software which it is using is legally licensed, and being used only in accordance with the manufacturer’s license terms and conditions.

To ensure software legality can be quickly proven, detailed records of all software licenses within the CCPB are maintained. These should include the type of license, purchase date, expiration date, etc. Once populated and brought into use, the IT Manager will be maintaining these records into the future.

7. Reference

1. “Software Licensing Policy”. The Copyright, Designs & Patents Act 1988. www.policy.vuw.ac.nz~POLICY~000000001995.

Security Monitoring Policy

1. Introduction

Security Monitoring is a method used to confirm that the security practices and controls in place are being adhered to and are effective. Monitoring consists of activities such as the review of:

• Automated intrusion detection system logs

• Firewall logs

• User account logs

• Network scanning logs

• Application logs

• Data backup recovery logs

• Help desk logs

• Other log and error files.

• Vulnerability Scanning

2. Purpose

The Cobb County Public Broadcasting (CCPB) Security Monitoring Policy ensures that Information Resource (IR) security controls are in place, are effective, and are not being overlooked. One of the benefits of security monitoring is the early identification of wrongdoing or new security vulnerabilities. This early identification can help to block the wrongdoing or vulnerability before harm can be done, or at least to minimize the potential impact. Other benefits include Audit Compliance, Service Level Monitoring, Performance Measuring, and Capacity Planning.

3. Scope

This policy applies to all users of CCPB information resources over networks that cause traffic to traverse the campus network infrastructure. The policy extends from the point of network access to the end‐user machine.

CCPB considers all electronic information transported over its network to be private and confidential. Network and system administrators are expected to treat the contents of electronic packets as private and confidential. Any inspection of electronic files, and any action performed following such inspection, will be governed by all applicable federal and state statutes and by CCPB policies.

Employees should be aware that logs are generated by the various Internet services used, including email and web access and network flows. While it is not the policy of CCPB to actively monitor Internet activity on the network, it is sometimes necessary to examine such activity when a problem has occurred or when optimizing traffic on CCPB’s Internet links.

4. Definitions

4.1. Information Resources – Any information in electronic, audio‐visual or physical form, or any hardware or software that makes possible the storage and use of information.

4.2. Institutional Data – Data that is generated, acquired, or maintained by CCPB employees in performance of official administrative job duties.

4.3. Packet – Electronic unit of data that is routed between an origin and a destination on a network.

4.4. Packet Data – The part of the packet containing user data and other data or information used by applications.

4.5. Packet Header – The first part of the packet, which contains protocol, source address, destination address, and other controlling information.

4.6. Information Security Officer: Individual responsible to executive management for administering the information security functions within the CCPB. The ISO is the agency’s internal and external point of contact for all information security matters. The ISO shall be the Chief Information Officer or their designated representative.

5. Security Monitoring Policy

Information Technology resource security.

5.1. Ownership and Responsibilities

The Department of Information Technology is responsible for the safety and security of data on its network and the equipment used to run the network infrastructure.

This policy applies to all individuals that are responsible for the installation of new information resources, the operations of existing Information Technology resources, and individuals charged with Information Technology resource security.

5.2. Required Monitoring Activities

Automated tools will provide real time notification of detected wrongdoing and vulnerability exploitation. Where possible a security baseline will be developed and the tools will report exceptions. These tools will be deployed to monitor:

- Internet traffic

- Electronic mail traffic

- LAN traffic, protocols, and device inventory

- Operating system security parameters

The following files will be checked for signs of wrongdoing and vulnerability exploitation at a frequency determined by risk:

- Automated intrusion detection system logs

- Firewall logs

- User account logs

- Network scanning logs

- System error logs

- Application logs

- Data backup and recovery logs

- Help desk trouble tickets

- Telephone activity – Call Detail Reports

The following checks will be performed at least annually by assigned individuals:

- Unauthorized network devices

- Unauthorized personal web servers

- Unsecured sharing of devices

- Operating System and Software Licenses

- Password strength

- Unauthorized modem use

Any security issues discovered will be reported to the ISO for follow‐up investigation.

5.3. Authorized Personnel

The Information Security Officer and their designated representatives are the only individuals authorized to routinely monitor network traffic, system security logs, or other computer and network security related information.

5.4. Required Monitoring Retention

Electronic logs that are created as a result of the monitoring of network traffic need only be retained until the administrative need for them ends, at which time they should be destroyed. Electronic logs will be retained when required as part of a campus investigation or when required as part of law enforcement or legal proceedings.

The following checks will be performed at least annually by assigned individuals:

Password strength – see Password Policy for more information.

Unauthorized network devices – see Network Access Policy for more information.

Unauthorized personal web servers – see Acceptable Use Policy for more information.

Unsecured sharing of devices – see Acceptable Use Policy for more information.

Operating System and Software Licenses – see Software Licensing Policy for more information.

Any security issues discovered will be reported to the CISO for follow-up investigation.

5.5. Disciplinary Actions

Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; or dismissal for interns and volunteers; or suspension. Individuals are subject to loss of CCPB Information Resources access privileges, civil, and criminal prosecution.

5.6. Reference

1. “Information Resource Security Policies - Security Monitoring Policy”. Texas A&M University-Kingsville. 25 April 2011. http://www.tamuk.edu/itech/it_policies/docs/1_160_Security%20Monitoring%20Policy.pdf

2. Security Monitoring Policy. Web. 12 July 2012. www.augsburg.edu/it/documents/NetworkandSecurityMo.pdf.

Acceptable Use Policy

1. Overview

The Cobb County Public Broadcasting (CCPB) Acceptable Use Policy establishes acceptable and unacceptable use of electronic devices and network resources (including but not limited to computers, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP) at CCPB in connection with CCPB’s established culture of openness, trust and integrity.

CCPB provides computer devices, networks, and other electronic information systems to meet its mission, goals, and initiatives, and must manage them responsibly to maintain the confidentiality, integrity, and availability of its information assets, which are the property of CCPB.

Effective security is a team effort involving the participation and support of every CCPB employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

2. Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at CCPB. These rules are in place to protect the employee and CCPB. Inappropriate use exposes CCPB to risks including virus attacks, compromise of network systems and services, and legal issues.

3. Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers at CCPB, including all personnel affiliated with third parties. This policy applies to all equipment that is owned and leased by CCPB.

4. Acceptable Use Policy

4.1. General Use and Ownership

4.1.1. CCPB users should be aware that the data they create on the company systems remain the property of CCPB. Because of the need to protect CCPB’s network, management cannot guarantee the confidentiality of information stored on any network device belonging to CCPB.

4.1.2. Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet, Intranet, and Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.

4.1.3. For security and network maintenance purposes, authorized individuals within CCPB may monitor equipment, systems, and network traffic at any time, per CCPB’s Audit Policy. CCPB reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

4.2. Security and Proprietary Information

4.2.1. Information contained on Internet, Intranet, and Extranet-related systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines, details of which can be found in Human Resources policies. Examples of confidential information include but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. Employees should take all necessary steps to prevent unauthorized access to this information.

4.2.2. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly; user level passwords should be changed every six months. See the Password Policy for more information.

4.2.3. All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off (control-alt-delete) when the host will be unattended.

4.2.4. All hosts used by the employee that are connected to the CCPB Internet/Intranet/Extranet, whether owned by the employee or CCPB, shall be continually executing approved virus-scanning software with a current virus database unless overridden by departmental or group policy. See the Virus Protection Policy for more information.

4.3. Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., system administration staff may have a need to disable the network access of a host if that host is disrupting production services). Under no circumstances is an employee of CCPB authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing CCPB-owned resources.

The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

4.3.1. System and Network Activities

The following activities are strictly prohibited, with no exceptions:

4.3.1.1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by CCPB. See the Software Licensing Policy for more information.

4.3.1.2. Unauthorized copying of copyrighted material including, but not limited to, the installation of any copyrighted software for which CCPB does not have an active license is strictly prohibited. See Software Licensing Policy for more information.

4.3.1.3. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs). See Virus Protection Policy for more information.

4.3.1.4. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home. See Password Policy for more information.

4.3.1.5. Using a CCPB computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction. See Acceptable Use Policy for more information.

4.3.1.6. Providing information about, or lists of, CCPB employees to parties outside CCPB.

4.3.1.7. Effecting security breaches or disruptions of network communication.

4.3.2. Email and Communication Activities

4.3.2.1. Do not send unnecessary messages such as festive greetings or other non-work items by email, particularly to several people unrequested (email spam). Do not participate in chain or pyramid messages or similar schemes.

4.3.2.2. Do not use email, phone or voicemail to send or forward material that could be construed as confidential, political, obscene, threatening, offensive or libelous.

4.3.2.3. Do not represent yourself as another person (“spoofing”, forging email header information, etc.).

4.3.3. Remote Access Use – See Network Access Policy for more information.

4.3.3.1. CCPB employees and contractors with remote access privileges must ensure that their CCPB-owned or personal computer or workstation, which is remotely connected to CCPB's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.

4.3.3.2. CCPB employees and contractors with remote access privileges to CCPB's corporate network must not use non-CCPB email accounts, or other external resources to conduct CCPB business, thereby ensuring that official business is never confused with personal business.

4.3.3.3. Personal equipment that is used to connect to CCPB's networks must meet the requirements of CCPB-owned equipment for remote access.

4.4. Expectation of Privacy

Employees of CCPB should expect NO privacy concerning e-mail, phone, IM, text messaging, web browsing, or data when using company resources (see Privacy Policy for more information). That includes, but is not limited to:

4.4.1. Company email

4.4.2. Company internet connection

4.4.3. Company computers (notebook and desktop)

4.4.4. Company phone services (including voicemail)

4.4.5. Company data network

4.4.6. Company server

5. Violations

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. If necessary, CCPB also reserves the right to advise appropriate legal officials of any illegal violations.

6. References

6.1. “InfoSec Acceptable Use Policy”. SANS Institute. 2006. http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf.

6.2. “Electronic Mail Acceptable Use Policy”. TruePersona Ltd. 10 Jan 2010. http://www.ruskwig.com/docs/email_policy.pdf.

6.3. “Remote Access Policy”. SANS Institute. 2006. http://www.sans.org/security-resources/policies/Remote_Access_Policy.pdf.

Network Configuration Policy

1. Overview

The Cobb County Public Broadcasting (CCPB) network infrastructure is provided as a central utility for all users of CCPB Information Resources. It is important that the infrastructure, which includes cabling and the associated equipment such as routers and switches, continues to develop with sufficient flexibility to meet user demands while at the same time remaining capable of exploiting anticipated developments in high speed networking technology to allow the future provision of enhanced user services.

2. Purpose

The CCPB Network Configuration Security Policy establishes the rules for the maintenance, expansion and use of the network infrastructure. These rules are necessary to preserve the integrity, availability, and confidentiality of CCPB information.

The CCPB Network Configuration Policy applies equally to all individuals with access to any of its Information Resources.

3. Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers at CCPB, including all personnel affiliated with third parties. This policy applies to all equipment that is owned and leased by CCPB.

4. Network Configuration Policy

4.1. General Use and Ownership – see Acceptable Use Policy for more information

4.1.1. CCPB Information Services owns and is responsible for the CCPB network infrastructure and will continue to manage further developments and enhancements to this infrastructure.

4.1.2. To provide a consistent CCPB network infrastructure capable of exploiting new networking developments, all cabling must be installed by CCPB IS or an approved contractor.

4.1.3. All network connected equipment must be configured to a specification approved by CCPB IS.

4.1.4. All hardware connected to the CCPB network is subject to CCPB IS management and monitoring standards.

4.1.5. Changes to the configuration of active network management devices must not be made without the approval of CCPB IS.

4.1.6. The CCPB network infrastructure supports a well-defined set of approved networking protocols. Any use of non-sanctioned protocols must be approved by CCPB IS.

4.1.7. The networking addresses for the supported protocols are allocated, registered and managed centrally by CCPB IS.

4.1.8. All connections of the network infrastructure to external third party networks are the responsibility of CCPB IS. This includes connections to external telephone networks.

4.1.9. CCPB IS Firewalls must be installed and configured following the CCPB Firewall Implementation Standard documentation.

4.1.10. Users must not extend or re-transmit network services in any way. This means you must not install a router, switch, hub, or wireless access point to the CCPB network without CCPB IS approval.

4.1.11. Users must not install network hardware or software that provides network services without CCPB IS approval.

4.1.12. Users are not permitted to alter network hardware in any way.

5. Violations

Violation of this policy may result in disciplinary action which may include termination for employees and temporaries and a termination of employment relations in the case of contractors or consultants. Additionally, individuals are subject to civil and criminal prosecution.

6. References

6.1. “Information Resource Policies - Network Configuration Policy”. University of Texas at Tyler. http://www.uttyler.edu/it/InfoResFiles/tac202policies.pdf.

6.2. “Information Resource Security Policies – Network Configuration Policy”. Texas A&M - Kingsville. 24 April 2011. http://www.tamuk.edu/itech/it_policies/docs/1_090_Network%20Configuration%20Policy.pdf.

Network Access Policy

1. Overview

The Cobb County Public Broadcasting (CCPB) policy describes the security requirements for connections to CCPB internal computers and networks. It covers a wide range of technologies including cellular phone connections, dial-up modem links, and virtual private networks or VPN. Every CCPB employee must abide by the rules described here.

2. Purpose

The purpose of this policy is to ensure security in day-to-day use of the CCPB network.

3. Scope

The CCPB Network Access Policy applies equally to all individuals with access to any CCPB Information Resource.

4. Network Access Policy

4.1. General Guidelines

4.1.1. Users are permitted to use only those network addresses issued to them by CCPB IS.

4.1.2. All remote access (dial in services) to CCPB will be either through an approved modem pool or via an Internet Service Provider (ISP). See Acceptable Use Policy for more information.

4.1.3. Remote users may connect to CCPB Information Resources only through an ISP and using protocols approved by CCPB.

4.1.4. Users inside the CCPB firewall may not be connected to the CCPB network at the same time a modem is being used to connect to an external network.

4.1.5. Users must not extend or re-transmit network services in any way. This means you must not install a router, switch, hub, or wireless access point to the CCPB network without CCPB IS approval. Users must not install network hardware or software that provides network services without CCPB IS approval, or alter network hardware in any way.

4.1.6. Non-CCPB computer systems that require network connectivity must conform to CCPB IS Standards.

4.1.7. Users must not download, install or run security programs or utilities that reveal weaknesses in the security of a system. For example, CCPB users must not run password cracking programs, packet sniffers, network mapping tools, or port scanners while connected in any manner to the CCPB network infrastructure.

4.2. Virus Protection Policy – see Virus Protection Policy

4.3. Remote Access

Each user who desires dial-in access to CCPB networks should apply for access to the Chief Information Security Officer (CISO).

The CISO should grant authorization if there is a demonstrated business need for it and the approved request should remain on file with the system administrator.

System administrators should configure the network to require all users to identify and authenticate themselves prior to gaining dial-in access to the network.

Network and networked device access should be granted on a need-to-know basis with proper authorization.

4.3.1. Secure remote access should be strictly controlled. Control should be enforced via one-time password authentication or public/private keys with strong pass-phrases. See Password Policy for more information.

4.3.2. At no time should any CCPB employee provide the login or email password to anyone, not even family members. See Password Policy for more information.

4.3.3. CCPB employees and contractors with remote access privileges should ensure that their CCPB-owned or personal computer or workstation, which is remotely connected to CCPB network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.

4.3.4. CCPB employees and contractors with remote access privileges to CCPB network should not use non-CCPB email accounts (that is, Hotmail, Yahoo), or other external resources to conduct CCPB business, thereby ensuring that official business is never confused with personal business.

4.3.5. All hosts that are connected to CCPB internal networks via remote access technologies should use the most up-to-date anti-virus software. See Virus Protection Policy for more information.

4.3.6. Personal equipment that is used to connect to CCPB networks should meet the requirements of CCPB-owned equipment for remote access.

4.4. VPN usage procedures

4.4.1. Approved CCPB employees and authorized third parties (customers, vendors, and so on) may utilize the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees.

4.4.2. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to CCPB internal networks.

4.4.3. All computers connected to CCPB internal networks via VPN or any other technology should use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.

4.4.4. CCPB users should be automatically disconnected from CCPB network after fifteen minutes of inactivity. The user should then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.

4.4.5. Users of computers that are not CCPB-owned equipment should configure the equipment to comply with CCPB's VPN and Network policies.

4.4.6. By using VPN technology with personal equipment, users should understand that their machines are a de facto extension of CCPB network, and as such are subject to the same rules and regulations that apply to CCPB-owned equipment, that is, their machines should be configured to comply with CCPB Security Policies.

5. Violations

Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; or dismissal for interns and volunteers. Additionally, individuals are subject to loss of CCPB Information Resources access privileges, civil, and criminal prosecution.

6. References

6.1.1. “Information Resource Security Policies – Network Access Policy”. Texas A&M – Kingsville. 25 April 2011. http://www.tamuk.edu/itech/it_policies/docs/1_100_Network%20Access%20Policy.pdf

6.1.2. “State of Utah Network Access Policy”. Chief Information Officer’s Section – Office of the Governor – State of Utah. 28 March 2002. http://cio.utah.gov/docs/NWAccPolicy3.28.02.pdf

6.1.3. "Network Configuration Security Policy." www.dir.texas.gov. N.p., n.d. Web. 13 Jul 2012. http://www.dir.texas.gov/sitecollectiondocuments/security/policies and standards/network_configuration_security_policy.doc

Virus Protection Policy

1. Overview

The frequency of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. Solid security policies, blocking unnecessary access, improving user security awareness, and early detection of security incidents are some of the actions that reduce the risk and drive down the cost of security incidents.

2. Purpose

The Cobb County Public Broadcasting (CCPB) Virus Detection Policy describes the requirements for dealing with computer virus, worm and Trojan horse prevention, detection and cleanup. This policy is intended to ensure:

The integrity, reliability, and good performance of CCPB Information Resources;

1.1. That CCPB users operate according to safe computing practices;

1.2. That CCPB-licensed virus software is used for its intended purposes; and

1.3. That appropriate measures are in place to assure that this policy is honored.

3. Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers at CCPB, including all personnel affiliated with third parties. This policy applies to all equipment that is owned and leased by CCPB.

4. Virus Protection Policy

The goals of the Virus Protection Policy are:

1.1.1. Prevent all infections. When that is not possible, create an outlet for notification and annotation of virus outbreaks for CCPB service providers and end-users so that future breaches can be prevented.

1.1.2. Prevent the loss of information/data on CCPB-owned computers and minimize the cost of computing maintenance and network downtime caused by virus outbreaks.

1.1.3. Distribute updates of virus protection software and other important campus-supported software to all CCPB-affiliated computer users. Virus protection software that is not used cannot prevent infections.

1.1.4. Create a system for immediate notification of the VPT and the AU user community once an outbreak has been detected.

1.1.5. Annually evaluate the number of virus outbreaks to determine whether this policy and CCPB-provided virus protection software are still valid and appropriate.

1.1.6. Provide and continue to support the best virus protection solution that CCPB can support.

1.1.7. Require a minimum of end-user responsibilities in regard to computer virus protection practices.

5. Compliance

Virus protection is most effective if every computer on the CCPB network has anti-virus software installed and actively monitoring network activities. IT staff will:

1. Provide the initial setup for CCPB computers;

2. Distribute virus protection updates. The anti-virus software will be available for CCPB-affiliated users to install on their computers. IT staff will provide assistance in removing existing anti-virus programs from campus computers.

IT will monitor network activity and initiate appropriate action to control infection. We reserve the right to disconnect any server or client known to be an infecting agent. Such a disconnection is an emergency action.

The user will be contacted immediately, and IT will work with the user to solve the problem.

6. End-Users

Computer systems owned by CCPB will run anti-virus software, and it should be active at all times. The primary user of a computer system is responsible for keeping the computer system compliant with this virus protection policy.

6.1. Responsibilities

- Install and maintain current virus protection software

- Be certain that the software is running correctly. If these responsibilities appear beyond the end user’s technical skills, the end-user is responsible for seeking assistance from IT.

- Perform regular backups. Virus infections often destroy data on an individual's computer. Without proper backups, recovery of destroyed files may be impossible.

6.2. Noncompliance

CCPB faculty, staff, and students not complying with this computer security policy leave themselves and others at risk of virus infections, which could result in:

- Damaged or lost files

- Inoperable computer resulting in loss of productivity

- Risk of spread of infection to others

- Confidential data being revealed to unauthorized persons

- An individual's non-compliant computer can have significant adverse effects on other individuals, groups, departments, or even whole colleges. Hence it is critical to bring all computers into compliance as soon as they are recognized not to be.

7. Distribution

IT is responsible for distributing the software for initial installation and subsequent updates. Although the distribution mechanism depends in part on the specific virus protection software acquired by CCPB, most include the following distribution methods:

- Scheduled, unattended updates by the client via FTP, Web, or proprietary agent.

- Attended updates initiated by the user of the client via FTP, Web, or proprietary agent.

- Scheduled, unattended updates initiated by the server via FTP, Web, or proprietary agent.

Unless there is a compelling rationale otherwise, all updates will be scheduled. Further, if distribution mechanisms allow, the server providing the highest level of protection will initiate updates.

Server-initiated updates will normally be timed; however, in the event of a virus outbreak, updates can be pushed to client computers without intervention by the user.

8. Enforcement

CCPB users not complying with this computer security policy leave themselves and others at risk of virus infections which could result in: damaged or lost files, inoperable computer resulting in loss of productivity, risk of infection to others, and confidential data being revealed to unauthorized persons. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

9. References

“IT Security Policies – Virus Detection”. Texas Tech. 29 Oct 2011. http://ram.tosm.ttu.edu/infotech/security/docs/virus_detection.php.

1.1. “IT Policies – Security Policies – Virus Protection Policy”. Auburn University – Office of Information Technology. https://sites.auburn.edu/admin/universitypolicies/Policies/VirusProtectionPolicy.pdf.

1.2. "Virus Protection Policy." smcvt.edu. N.p., n.d. Web. 13 Jul 2012. http://www2.smcvt.edu/itweb/pdf/virusProtect.pdf.

Password Policy

1. Overview

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access to and/or exploitation of Cobb County Public Broadcasting (CCPB) resources. All users, including contractors and vendors with access to CCPB systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2. Purpose

The CCPB Password Policy establishes a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

3. Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any CCPB facility, has access to the CCPB network, or stores any non-public CCPB information.

4. Password Policy

4.1. General Rules

4.1.1. All system-level passwords (e.g., Windows Administrator, application administration accounts, etc.) must be changed on at least a quarterly basis.

4.1.2. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every sixty days.

4.1.3. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.

4.1.4. Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).

4.1.5. All user-level and system-level passwords must conform to the guidelines below.

4.2. Password Guidelines

4.2.1. General Password Construction Guidelines

All users at CCPB should be aware of how to select strong passwords.

Strong passwords have the following characteristics:

4.2.1.1. Contain at least three of the five following character classes:

4.2.1.1.1. Lower case characters

4.2.1.1.2. Upper case characters

4.2.1.1.3. Numbers

4.2.1.1.4. “Special” characters (e.g. @#$%^&*()_+|~-=\`[]:";'<>/).

4.2.1.2. Contain at least eight and no more than fourteen alphanumeric characters.

Weak passwords have the following characteristics:

- The password contains fewer than seven characters.

- The password is a word found in a dictionary (English or foreign).

- The password is a common usage word such as:

o Names of family, pets, friends, co-workers, etc.

o Birthdays and other personal information such as addresses and phone numbers.

o The words "CCPB", or familiar terms associated with CCPB.

o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc., or any of the above spelled backwards.

o Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way to Remember" and the password could be "TmB1w2R!" or "Tmb1W>r~" or some other variation.
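The construction rules in 4.2.1 can be enforced at password-change time. The following is an added example, not part of the CCPB policy: a checker for the length rule, the character-class rule (using the four classes the policy actually lists), and the weak-password forms (listed word, reversed, or with a digit before or after). Assumptions: the word list is a constructed sample, any ASCII punctuation counts as a "special" character because the policy's list is introduced with "e.g.", and length is counted over all characters.

```python
import string

MIN_LEN, MAX_LEN = 8, 14   # 4.2.1.2: at least eight, no more than fourteen
MIN_CLASSES = 3            # 4.2.1.1: at least three character classes

# Constructed sample list (assumption); a deployment would load a full
# dictionary plus organization-specific terms such as "CCPB".
SAMPLE_WORDS = frozenset({"ccpb", "secret", "password", "broadcast",
                          "qwerty", "zyxwvuts", "aaabbb", "123321"})


def character_classes(password):
    """Return the set of 4.2.1.1 character classes present in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.digits:
            found.add("digit")
        elif ch in string.punctuation:
            # Assumption: the policy's special-character list is illustrative,
            # so any ASCII punctuation is accepted as "special".
            found.add("special")
    return found


def weak_word_match(password, words=SAMPLE_WORDS):
    """Return the listed word the password is derived from, or None.

    Covers the weak forms named in the policy: the word itself, the word
    spelled backwards, and either of those with one digit before or after.
    """
    base = password.lower()
    variants = {base}
    if base[:1].isdigit():
        variants.add(base[1:])
    if base[-1:].isdigit():
        variants.add(base[:-1])
    for variant in variants:
        for form in (variant, variant[::-1]):
            if form in words:
                return form
    return None


def check_password(password, words=SAMPLE_WORDS):
    """Return the rule identifiers the password violates (empty list = acceptable)."""
    violations = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append("length")
    if len(character_classes(password)) < MIN_CLASSES:
        violations.append("classes")
    if weak_word_match(password, words) is not None:
        violations.append("weak-word")
    return violations


if __name__ == "__main__":
    for candidate in ("TmB1w2R!", "Broadcast1", "drowssaP9", "abc"):
        print(candidate, check_password(candidate) or "ok")
```

"Broadcast1" satisfies the length and character-class rules and is rejected only by the weak-form check, which is why composition rules alone are not sufficient.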

4.2.2. Password Protection Standards

4.2.2.1. Never write passwords down. Never send a password through email, chat, or other electronic communication. Never include a password in a non-encrypted stored document.

4.2.2.2. Never tell anyone your password. Never reveal your password over the telephone or on questionnaires/security forms.

4.2.2.3. Never use the "Remember Password" feature of application programs such as Internet Explorer, your email program, or any other program.

4.2.2.4.

4.2.2.5. If anyone asks for your password, refer them to the CCPB IT computer security office. Report any suspicion of your password being broken to the CCPB IS computer security office.

4.2.3. Application Development Standards

4.2.3.1. Application developers must ensure their programs contain the following security precautions.

- Applications shall support authentication of individual users, not groups.

- Applications shall not store passwords in clear text or in any easily reversible form.

- Applications shall provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.

- Applications shall support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.

4.2.4. Use of Passwords and Passphrases for Remote Access Users

Access to the CCPB Networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.

4.2.5. Passphrases

Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access.

Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against "dictionary attacks".

A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase:

"The*?#>*@TrafficOnThe101Was*&#!#ThisMorning"

All of the rules above that apply to passwords apply to passphrases.

5. Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Password cracking or guessing may be performed on a periodic or random basis by the CCPB Information Security Department or its delegates. If a password is guessed or cracked during these exercises, the user/owner will be required to change it.

6. References

6.1. “Password Policy”. The SANS Institute. 2006. http://www.sans.org/security-resources/policies/Password_Policy.pdf.

6.2. “Massey University Policy Guide – Electronic Password Policy”. Massey University. February 2010. http://www.massey.ac.nz/massey/fms/PolicyGuide/Documents/ITS/Electronic%20Password%20Policy.pdf.

Intrusion Detection Policy

1. Overview

The Cobb County Public Broadcasting (CCPB) Intrusion Detection Policy provides policies to establish intrusion detection and security monitoring to protect resources and data on the organizational network. It provides guidelines about intrusion detection implementation of the organizational networks and hosts along with associated roles and responsibilities. Intrusion detection provides two important functions in protecting information resources:

1.1 Feedback: information as to the effectiveness of other components of the security system. If a robust and effective intrusion detection system is in place, the lack of detected intrusions is an indication that other defenses are working.

1.2 Trigger: a mechanism that determines when to activate planned responses to an intrusion incident.

2. Purpose

The CCPB Intrusion Detection Policy is designed both to protect the confidentiality of any data that may be stored on the mobile computer and to protect the organizational network from being infected by any hostile software when the mobile computer returns. This policy also considers wireless access.

3. Scope

The CCPB Intrusion Detection Policy covers every host on the organizational network and the entire data network including every path that organizational data may travel that is not on the internet. Paths covered by this policy even include organizational wireless networks. Other policies cover additional security needs of the organizational network and systems.

4. Intrusion Detection Objectives

4.1 Increase the level of security by actively searching for signs of unauthorized intrusion.

4.2 Prevent or detect breaches of the confidentiality of organizational data on the network.

4.3 Preserve the integrity of organizational data on the network.

4.4 Prevent unauthorized use of organizational systems.

4.5 Keep hosts and network resources available to authorized users.

4.6 Increase security by detecting weaknesses in systems and network design early.

5 Requirements

5.1 All systems accessible from the internet or by the public must operate Information Security (IS)-approved active intrusion detection software during any time the public may be able to access the system.

5.2 All systems in the DMZ must operate IS-approved active intrusion detection software.

5.3 All host-based and network-based intrusion detection systems must be checked on a daily basis and their logs reviewed.

5.4 All intrusion detection logs must be kept for a minimum of 30 days.

6 Notification

6.1 Any suspected intrusions, suspicious activity, or unexplained erratic system behavior discovered by administrators, users, or computer security personnel must be reported to the CCPB IS Office within 30 minutes.

7 Roles

7.1 The CCPB Intrusion Detection Team shall:

7.1.1 Monitor intrusion detection systems, both host-based and network-based.

7.1.2 Check intrusion detection logs daily.

7.1.3 Determine approved intrusion detection systems and software.

7.1.4 Report suspicious activity or suspected intrusions to the Incident Response Team.

7.2 The CCPB Incident Response Team shall:

7.2.1 Act on reported incidents and take action to minimize damage, remove any hostile or unapproved software, and recommend changes to prevent future incidents. Action shall be based on the approved incident response plan. See Incident Management Policy for more information.

8 Disciplinary Actions

8.1 Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; or dismissal for interns and volunteers. Additionally, individuals are subject to loss of CCPB Information Resources access privileges, civil, and criminal prosecution.

9 References

9.1 “Intrusion Detection Policy”. The Computer Technology Documentation Project. http://www.comptechdoc.org/independent/security/policies/intrusion-detection-policy.html.

9.2 “Information Resource Security Policies – Intrusion Detection Policy”. Texas A&M - Kingsville. http://www.tamuk.edu/itech/it_policies/docs/1_090_Intrusion_Detection_Policy.pdf.

Portable Computing

1. Introduction

Portable computing devices are becoming increasingly powerful and affordable. Their small size and functionality are making these devices ever more desirable to replace traditional desktop devices in a wide number of applications. However, the portability offered by these devices may increase the security exposure to groups using the devices.

Portable Computing Devices: Any easily portable device that is capable of receiving and/or transmitting data to and from IR. These include, but are not limited to, notebook computers, handheld computers, PDAs, pagers, and cell phones.

2. Purpose

The purpose of the CCPB Portable Computing Security Policy is to establish the rules for the use of mobile computing devices and their connection to the network. These rules are necessary to preserve the integrity, availability, and confidentiality of CCPB information.

3. Audience

The CCPB Portable Computing Security Policy applies equally to all individuals that utilize Portable Computing devices and access CCPB Information Resources.

4. Policy

4.1 Only CCPB approved portable computing devices may be used to access CCPB Information Resources.

4.2 Portable computing devices must be password protected.

4.3 CCPB data should not be stored on portable computing devices. However, in the event that there is no alternative to local storage, all sensitive CCPB data must be encrypted using approved encryption techniques.

4.4 CCPB data must not be transmitted via wireless to or from a portable computing device unless approved wireless transmission protocols along with approved encryption techniques are utilized.

4.5 All remote access (dial in services) to CCPB must be either through an approved modem pool or via an Internet Service Provider (ISP).

4.6 Non-CCPB computer systems that require network connectivity must conform to CCPB IS Standards and must be approved in writing by the CCPB ISO.

4.7 Unattended portable computing devices must be physically secure. This means they must be locked in an office, locked in a desk drawer or filing cabinet, or attached to a desk or cabinet via a cable lock system.

5. Disciplinary Actions

Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of CCPB Information Resources access privileges, civil, and criminal prosecution.

This document has been prepared for your information and understanding of the policies, philosophies and practices of CCPB. Please read it carefully. Upon completion of your review of this document, sign the statement below, and return it to your supervisor by the due date.

I, ____________________, have received and read a copy of the CCPB Security Policy which outlines the goals, policies, and expectations of CCPB, as well as my responsibilities as an employee.

I have familiarized myself with the contents of this document. By my signature below, I acknowledge, understand, accept and agree to comply with the information contained in the CCPB Security Policy provided to me by CCPB. I understand this document is not intended to cover every situation which may arise during my employment, but is simply a general guide to the goals, policies, practices, and expectations of CCPB.

______________________________________

(Employee Signature)

______________________________________

(Employee Name)

Please return by: ______________________

(put date here)