Network Security Policy Recommendations - Webber International ...

18 Nov 2013
Security Concepts

A paper submitted to Webber International University in partial fulfillment of the requirements of the Masters in Business Administration degree

Dominick Bennese
Jyl Mangooni
Steve Lorson
Group 5

16, 2004

MBA 610
IS for Mgt.
Fall 2004
Dr. Wunker


Table of Contents

I. Major Issues & Features of a Network Security Policy
II. Company Backgrounds
III. Network Security Policy Recommendations

A. Release Letter
B. Network Security Slide Presentation
C. Wilson Greatbatch Network Security Policy



Network Security Concepts

Major Issues & Features of a Network Security Policy

A company’s security policy is very important to the overall success of the company. A security policy protects the many assets of the company along with the privacy of the company’s actions. A security policy allows the company to accomplish tasks without the interruption of various types of corruption that may arise through the company’s network. Virtually every organization, but especially financial services, needs well-constructed and clearly articulated policies to protect information against threats such as industrial espionage, sabotage, fraud and embezzlement, errors and omissions, and system unavailability.

A security policy may be composed of various issues that need to be approached by the company. These issues include: email policy, privacy and access policy, remote access policy, information security policy, password policy, and compliance. Once security policies are determined the company must implement the policies to their employees. The network security policy provides the employees with methods and guidelines for their everyday activities. The policies will also allow the employee to get more involved in company procedures and goal setting. A computer security policy eliminates this problem by putting the goals of the company in writing and offering methods that allow all employees to aid in corporate security advancement. (Forcht; 2000/2001, Hulme; 2000)


A security policy is important to the growth and expansion of any company. The policy can state the behaviors and practices within a company. Issues included in the policy can describe to what extent the company will allow or not allow actions by their employees. Most corporate heads are starting to realize the importance of implementing a security policy. Security is the most important aspect to the basic survival of a company. A policy can state to what extent a company should go to protect their most valuable assets. Also, the policy will state clearly the actions that can and will be taken against any employee who violates the terms stated therein. Employees have access to sensitive and secure information on a daily basis. A company must protect this information from the wrong hands. Stating the consequences of breaching the security policy can make an employee think twice before releasing important information. The internet is making life easier for hackers and disgruntled employees. With the press of a few keys a person can have all the information they need to bring a company down. Customers can be lost or gained by the security measures taken by a company with their important information. This is why it is so important to implement a security policy and enforce its use by employees. (Andress; 2001, Connolly; 2000, Dunbar; 2001, Forcht; 2000/2001, Hulme, Wood; 2000)

According to The American Heritage® Dictionary, a policy is “a plan or course of action, as of a … business, intended to influence and determine decisions, actions, and other matters.” In terms of network security, a policy determines the rules and regulations of a company’s network. For example, a remote access policy regulates who can access the network remotely, under what circumstances, and how employees may go about accessing the network. A policy minimizes the risk of unauthorized access to a network, thus securing its contents. A practice is “a habitual or customary action or act … or process of doing something.” In relation to network security, a practice contains no formal directions, rules or regulations. A practice could be considered a routine task, such as logging onto a company’s network. A procedure is defined as a “set of established forms or methods for conducting the affairs of an organized body such as a business, club, or government.” A procedure contains formal directions for performing actions within a company, such as who can and cannot access the network. Therefore, a procedure incorporated within a policy makes it more thorough in minimizing unauthorized access. (The American Heritage® Dictionary of the English Language; 2003)

Email Policy

An email policy is a very important component of a company’s network security policy. The implementation of an email policy can protect the company from various problems that range from viruses to fraud and other serious crimes. Email is essential to most businesses in the modern world, so an email policy must be built into the network security policy. The email policy may involve usernames and passwords to reduce the risk of flaws through email. To prevent these threats from becoming risks, email users have been assigned usernames and passwords. As stated under remote access, these authentication tools need to be kept secret by the user to ensure that unauthorized users cannot use them to gain entrance into the system.

The increasing number of sexual harassment cases in the business world has also elevated the importance of an email security policy. By implementing passwords and usernames the company may track records of employees if a harassment case arises. The email security policy also serves as surveillance to ensure employees aren't forwarding sexually explicit or offensive material around the company. Those types of actions are viewed as such a threat that seven in 10 have had cases dealing with inappropriate material. One agency that screens mail for offensive and other improper content, including gambling terms, is the Corporation for National Service. James Arroyo, the information systems security officer, enforces the agency's e-mail policy. He uses a product called Message Inspector from Elron Software Inc., in Burlington, Mass., to produce an overnight report of incidents. At least two dozen objectionable e-mails turn up on a typical report. "If it happens a couple of times," Arroyo says, "I call the employee in." He gives the employee a copy of the report and the agency's policy, and "99 percent of the time, when I talk with the employee, it stops immediately," he says. Arroyo notifies the employee's supervisor only if the improper mail use persists, and that seldom happens. He's not aware of any major discipline meted out to Corporation employees for their mail use. (Ferris; 2000, Forcht; 2000/2001)

Privacy and Access Policy

Privacy is another issue that should be approached by a company with a website. The policy to secure the company’s private information may involve passwords for certain ‘employees only’ sections of the webpage. As described in the email policy, the employees may be given usernames along with a password. This will assure the company that their information is safe from hackers and other threats. To be effective, a privacy policy must be supported by security measures that protect against unauthorized disclosures of private information. Proper security measures include a technical solution that keeps rogue users out of the portions of databases containing private information.

The Privacy and Access Policy may go further and involve dividing privileges among employees. For instance, the CEO of the company may have access to more information than the average employee. The policy verifies the sensitivity level of data and classifies it appropriately. It also defines who has access to information and custodial duties. The policy sets up security controls and advises custodians and users of those controls. Finally, the policy ensures that custodians and users are following policy to the best of their ability in the best interest of the company.

Businesses are starting to realize that one of the costs of a computer system is that of hardening it from outside penetration. Because some systems, such as a Web server, are designed to be penetrated (to a degree), security inevitably has to be compromised. The trick, as on a museum or brewery tour, is to keep visitors where they belong. (Connolly; 2000, Jacobs; 2001)


Remote Access Security

Remote access refers to the act of connecting to a company’s network through a device not controlled by that company. Remote access must be regulated for many reasons, including keeping company information confidential and preventing viruses from destroying company files. When a user remotely connects to a network they are using their own monitor and keyboard but the company’s CPU. All processing is done on the company’s CPU and therefore any downloaded viruses can encrypt the company’s files. A network can be most susceptible to a downloaded virus through file sharing between employees and their peers. It would be beneficial to require employees to use anti-virus software and refrain from file sharing to prevent virus infection. (Luzzader; 2001, Forcht; 2000/2001, Christopher; 2003)

With technology improving, the use of laptops, PDAs and smart phones gives people easier access to the Internet, and in turn, access to a company’s network. For example, someone can be at a restaurant and log onto a company’s network while being unaware of who is around them. This can put the company at risk for information leakage. Therefore, companies can obtain firewalls, which will allow them to monitor and control remote connections. In order to prevent unauthorized network access, companies can set up user IDs and passwords to restrict access. (Luzzader; 2001, Gartenberg; 2002, Christopher; 2003)

Remote access will help a company expand by making access to certain files easier for authorized employees. However, if not monitored properly with periodic scans and security updates, a company will put themselves at risk for hackers, viruses and information leakage. In order to keep their company safe and secure without sacrificing convenience, a remote access policy should be established. (Andress; 2001, Christopher; 2003, Luzzader; 2001)

Company Record Policy

Company records and information are one of the company’s most valuable assets. It is absolutely vital to secure these records and allow access only to authorized personnel. The loss or leakage of company records or files would have a damaging effect. Therefore, a company record policy should be as simple and straightforward as possible so that all employees easily understand the policy. Complicated instructions leave room for misinterpretation, which can result in a loss of information for the company. (Avolio; 2000, Christopher; 2003, Forcht; 2000/2001)

There are three techniques for areas of the network which need additional security beyond the traditional username and password. The first is intrusion detection software, which keeps track of who uses the system and the location of their access point. The second technique is auditing, which examines the user logs on a daily or weekly basis and whether or not users have tried to gain access to areas for which they do not have clearance. The third technique is information backup, which provides a company with duplicate copies of important data in case the original is deleted or altered. Duplicate copies must not be stored in the same place as the original. (Forcht; 2000/2001, Christopher; 2003)

In conclusion, company records and information need to be kept safe, and a company should have a director of security to oversee all aspects of network security. This individual should be responsible for emergency network management and making sure all administrators are appropriately trained. (Konicki; 2001, Christopher; 2003)

Password Policy

A password policy is a must-have for any security policy. This may be the single most important security measure taken. Passwords are a double-lock security measure. The more passwords generated through all levels of a business, the harder it will be for someone to hack into the system. Password rules should be stated as simply as possible so that employees can adhere to them quickly. Characters should be kept to a minimum and used with numbers to increase security. Passwords with many characters, or with letters and numbers joined, are hard to break, but they are almost impossible to remember. This can open a gate to employees keeping their passwords written on paper and leaving them lying around. A person walking by a desk or computer can have easy access to an employee’s password when it is taped to the keyboard or put in a drawer. An employee should have the freedom to create their own password. A password can be easier to remember if produced by that person. Anniversary dates, birthdays, and children’s or pets’ names should not be used as a source for creating a password. This information is too easily attainable by other employees. (Forcht; 2000/2001, Gartenberg; 2002)

When an employee is fired or resigns from their position, passwords should be changed by all employees at the same time. Changing all employee passwords can decrease the chance of the former employee accessing the network using another employee’s password. Passwords should also be changed after a promotion or periodically. Doing this can increase the security already set forth by the company. (Connolly; 2000, Palmer; 2001, Christopher; 2003)

Compliance Policy

A compliance policy may be the most important issue within a security policy. There is no need for a security policy if there is no employee compliance or regulation within the policy’s use. A policy is only as good as its enforcement. When an employee is hired they should sign and date a form stating that they have read and understood the security policy. This will encourage the employee to read the document and also can be referenced later if there is any violation of the policy by that employee. Also, a new form should be signed by each employee if there are any revisions made to the security policy. (Forcht; 2000/2001, Christopher; 2003, Andress; 2001)

Each department should be required to hold meetings to discuss any questions or comments that employees may have about the policy. Employees should also be encouraged to make suggestions on making the policy better and more secure. Technology is advancing every day and the policy must keep pace with the times. (Andress; 2001, Christopher; 2003, Forcht; 2000/2001)

The policy should state the actions that will be taken by the company if any violations of the policy are made. Legal action can be taken against any employee who knowingly or unknowingly violates the policy. Employees should be told if any violations are made and the actions taken; this can deter other employees from making the same mistake. (Connolly; 2000, Forcht; 2000/2001, Christopher; 2003)


Company Background

Wilson Greatbatch Technologies, Inc. is a manufacturer and creator of power sources, wet tantalum capacitors and precision engineered components used in implantable medical devices, along with many other medical supplies that are in high demand today. The company was founded in the 1950’s by Mr. Wilson Greatbatch. He became a leader in biomedical engineering technology when he invented the Implantable Cardiac Pacemaker. In 1972, Wilson Greatbatch, Ltd. developed and manufactured the first implantable Lithium Iodine battery in the world: Model 702E. The Lithium Iodine technology emerged as the system of choice over any other battery system used in cardiac pacemakers. Also, as technology advanced and pacemakers became smaller, so did the need for smaller batteries. WGB was the first company to invent a battery 5mm small; this put them far ahead of the competition.

Industries, a division of Wilson Greatbatch, was founded in 1979 to fulfill the growing need for Lithium batteries. In the 1970’s they developed the concept of the implantable defibrillator, which was eventually implanted by 1987. By 1997 WGB had achieved several different goals, some of which included the capacitor development project, developing the first wet tantalum capacitor, and the implantation of the titanium-encased lithium/carbon monofluoride pacemaker battery. Along with these goals WGB also acquired Hittman Materials & Medical Components, Inc., forming Greatbatch-Hittman. This merger resulted in an expanded product line including other medical device components. In 2000 WGBT went public on the New York Stock Exchange. Since then WGB merged with Battery Engineering Inc: 2001, Sierra KD: 2002, Globe Tool: 2004, NanoGram Devices Corp. The merging of all the preceding companies with Wilson Greatbatch has opened doors into designing and developing more innovative power sources, helping in such areas as technology, the military and oceanographic applications all over the world. Wilson Greatbatch Technologies has been the leader in developing the most technologically advanced medical products for over thirty years. (2003)


III. Network Security Policy Recommendations

E-mail Policy

Wilson Greatbatch Technologies addresses the need for network security in the area of E-mail protection. Their purpose for an E-mail policy is to promote the use of e-mail as an efficient communication and data-gathering tool, and to ensure that Wilson Greatbatch Technologies associates, partners and customers have the information necessary to use E-mail to their best advantage in supporting business. The goal of WGT is to eliminate the use or sending of harassing, disparaging, vulgar, or obscene, sexually oriented, and other similarly objectionable language or images. The company is approaching the issue in an appropriate manner by instilling responsibilities in the employees and partners of WGT. The company’s E-mail policy is enforced by every individual in the company. The individual that has recognized a situation in which the policy is broken is not liable for his or her privacy. Once a situation is suspected the servers are investigated. The E-mail accounts of employees and others are not private or confidential in an instance where reasonable doubt is recognized. The only weakness associated with this policy is that the employee is receiving full trust in his/her mail browsing. The system seems like it could be manipulated due to the fact that employees are not always going to take precautions. An employee may not completely lock down his/her computer when leaving his/her desk for brief periods of time. The company should install a quick process to completely hibernate the individual’s computer, with a form of password to quickly replace the screen. (Forcht; 2000/2001, Christopher; 2003)


Privacy and Access Policy

The Wilson Greatbatch Technologies company has developed a policy for access and privacy of company information. This policy is designed to protect the network from unauthorized users and to protect company information as defined by the Information Policy. The company has developed various password techniques in approaching the issue of privacy and access of the company network. Some username and password guidelines include password expiration, the three-strike rule, character requirements, and reusable passwords after expiration. WGT takes this option out of the employee’s preference and has made strict guidelines that are followed with few exceptions. The only potential downfalls to this network security issue are the few exceptions that the company allows. They are allowed with proper paperwork and documentation, but flaws may occur between computer screen and paperwork. Overall the policy is accurate and just, allowing the employee little freedom in how the network is accessed. This reduces the instance of fraud or other forms of corruption within, or from the many outside threats.


Remote Access Security

Wilson Greatbatch Technologies’ (WGT) network security policy contains a division for remote access security, which was one of the issues covered in chapter 1. According to the WGT policy, the purpose was “to establish the security requirements for connecting to the WGT network from remote locations” (p. 2). The policy is intended for all WGT associates, contractors, vendors and business partners. The definition section defines and clarifies terms used in the network security policy, such as Remote Location, Split Tunneling, Virtual Private Network, etc., in order to limit confusion within the policy. The portion of the policy which is responsible for monitoring remote access states “WGT security analyst or WGT IT management must be notified immediately of any loss of WGT information to unauthorized parties, occurrence of unauthorized access and loss, theft or disclosure of access control mechanisms” (p. 3). There is a procedure section that informs employees of the rules and regulations that apply to WGT access, such as submitting a request, having anti-virus software, firewall devices, and limiting access to business use only, etc. The last section deals with the remote access policy request form. This is for employees to understand that violations of the policy may result in disabling of remote access privileges and that changes in the policy will be notified via email. Therefore, WGT has a written agreement with employees who are connecting remotely of their understanding of the policy. WGT’s remote access security policy is laid out in an organized format which consists of 6 sections: Purpose, Scope, Definitions, Responsibilities, Procedures, and Compliance (Christopher; 2003, Luzzader; 2001, Forcht; 2000/2001).

Strengths in the policy include requiring that all devices connecting to the network must have anti-virus software or firewalls intended for high-speed Internet connections. A weakness in the policy is that WGT does not have a separate section for devices such as Internet phones, PDAs and laptops. There should be regulations, such as where not to use those portable devices, for example, in public. The policy did make a reference to using PDAs and Internet phones, and that they may connect to a non-WGT network while connected to the WGT network; this is called split tunneling. A recommendation to improve the policy would be incorporating a separate section that provides rules and regulations against using Internet phones, PDAs and laptops to connect to the WGT system. The policy requires that all devices have anti-virus software, but there is no regulation restricting the use of PDAs and Internet phones that do not all come with anti-virus software. (Luzzader; 2001, Gartenberg; 2002, Christopher; 2003)

Company Record Policy

In chapter one, the issue of company records and information was discussed and how valuable it is for a company to keep them private. Wilson Greatbatch Technologies does not have a specific company record policy, but it has an information security policy, which discusses different types of classifications in which information is categorized. This information security policy also covers management of the company files. This policy classifies the company’s information in three categories: Public Information, Protected Information and Confidential Information. Public information requires no special handling and is not expected to have a serious or adverse impact on the company. Examples of public information include website information, bulletin board info, cafeteria menus, etc. Protected information requires a higher level of classification and, if disclosed, would have some kind of impact on the company. Examples of protected information include operating procedures and job postings. Confidential information is information that is considered sensitive and could potentially cause serious damage to the company. Access to this information is on a “need-to-know” basis. (Christopher; 2003)

The WGT information security policy defines the roles of the senior manager, staff manager and information custodians. Mentioned in chapter one was auditing, where the user logs are examined on a daily or weekly basis on whether or not users have tried to gain access to areas they are not cleared to enter. The information custodian is responsible for auditing and for correcting and preventing any obvious vulnerabilities of the network. The staff manager explains to employees the security requirements of this policy and is responsible that all employees understand it. The senior manager is responsible for the staff manager and the information custodian and has final accountability for security of information. (Konicki; 2001, Christopher; 2003)

The information security policy did a good job of explaining how information is categorized and who gets access to it. Delegating responsibility to the senior and staff managers along with the information custodian leaves little question as to their roles in case anything goes wrong. What could be improved in this security policy is the institution of the other two techniques discussed in chapter 1: intrusion detection software and information backup. Nowhere in this policy does it discuss how to back up classified files and where to store them. This could result in major disorganization if the system was ever broken into. Intrusion detection software would help monitor where people are accessing the network. (Forcht; 2000/2001, Avolio; 2000, Christopher; 2003)
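The auditing technique from chapter 1 (examining user logs for attempts on areas a user is not cleared for) applied to the three information classes described here, as an added example that is not the paper's or WGT's own tooling; the log format, the resource labels, the clearances and the sample log lines are all constructed assumptions:

```python
"""Periodic user-log audit against the three WGT information classes this
section describes (Public, Protected, Confidential, the last on a need-to-know
basis).  Added example, not the paper's or WGT's own tooling; the log format,
resource labels, clearances and sample log lines are constructed assumptions."""
from collections import defaultdict

# Ordered sensitivity levels from the policy.
LEVELS = {"public": 0, "protected": 1, "confidential": 2}

# Assumed labels; the public and protected examples are the ones the policy gives.
RESOURCE_CLASS = {
    "/web/cafeteria-menu": "public",
    "/hr/job-postings": "protected",
    "/ops/procedures": "protected",
    "/rd/battery-designs": "confidential",   # constructed confidential share
}

# Assumed clearances as granted by the information custodian.
USER_CLEARANCE = {"alice": "confidential", "bob": "protected", "guest": "public"}

# Constructed log: timestamp, user, source address, resource, server decision.
SAMPLE_LOG = """\
2004-09-13T08:02:11 alice 10.1.4.20 /rd/battery-designs ALLOW
2004-09-13T08:05:40 bob 10.1.4.31 /ops/procedures ALLOW
2004-09-13T08:06:02 bob 10.1.4.31 /rd/battery-designs DENY
2004-09-13T08:06:09 bob 10.1.4.31 /rd/battery-designs DENY
2004-09-13T09:15:55 guest 203.0.113.7 /web/cafeteria-menu ALLOW
2004-09-13T09:16:30 guest 203.0.113.7 /hr/job-postings ALLOW
2004-09-13T11:40:00 mallory 198.51.100.9 /ops/procedures DENY
"""


def parse_line(line: str) -> dict:
    """Split one space-separated log line into its five fields."""
    ts, user, addr, resource, decision = line.split()
    return {"ts": ts, "user": user, "addr": addr,
            "resource": resource, "decision": decision}


def over_clearance(user: str, resource: str) -> bool:
    """True when the resource is classified above the user's clearance.
    Unlabelled resources count as confidential and unknown users as holding
    no clearance at all, so labelling mistakes fail closed."""
    needed = LEVELS[RESOURCE_CLASS.get(resource, "confidential")]
    held = LEVELS[USER_CLEARANCE[user]] if user in USER_CLEARANCE else -1
    return held < needed


def audit(log_text: str) -> dict:
    """Produce the custodian's review findings from raw log text.

    attempts       per user, how many requests went above clearance (denied or not)
    misconfigured  entries the server ALLOWED despite missing clearance: an
                   access-control gap to fix, not just a user to talk to
    access_points  each user's source addresses, the "where from" that the
                   paper says intrusion detection should keep track of"""
    attempts = defaultdict(int)
    misconfigured = []
    access_points = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        access_points[e["user"]].add(e["addr"])
        if over_clearance(e["user"], e["resource"]):
            attempts[e["user"]] += 1
            if e["decision"] == "ALLOW":
                misconfigured.append((e["ts"], e["user"], e["resource"]))
    return {"attempts": dict(attempts),
            "misconfigured": misconfigured,
            "access_points": {u: sorted(a) for u, a in access_points.items()}}


def report_lines(findings: dict) -> list:
    """Render findings as the lines a weekly audit report would carry."""
    lines = [f"{u}: {n} request(s) above clearance from "
             f"{', '.join(findings['access_points'][u])}"
             for u, n in sorted(findings["attempts"].items())]
    lines += [f"FIX: {u} was allowed {r} at {ts}"
              for ts, u, r in findings["misconfigured"]]
    return lines
```

On the constructed log the report flags bob's two denied tries on the confidential share, the unknown user mallory, and one allowed request by guest to protected data, which is a configuration fault rather than a user problem.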

Password Policy

The Wilson Greatbatch Technology password policy states several different issues within the actual policy itself. The password can contain uppercase and lowercase letters and numerals. Also, non-alphanumeric characters can be used, such as: *, #, %, &. Users are given specific rules to keep passwords confidential. Passwords are not to be released to anyone. Workstations must be locked when an employee leaves their machine. There is to be no writing down or posting of any password on or near their computer. Entering a password on a website or sending it in an email is prohibited. Instant messaging of passwords is not allowed by any employee. Employees are not permitted to save passwords or usernames into web browsers or Windows.

Password procedures followed by WGT include: the expiring of all passwords after ninety days. Accounts are locked after three consecutive failed attempts in fifteen minutes. Passwords must have at least eight characters. Capitals, numerals and punctuation must be included in the creation of a password. Passwords cannot be reused after they expire. An employee may not use their last fifteen passwords. If a password is forgotten or if someone has obtained another employee’s password, the user should call the help desk and have their password changed. This process also requires the help desk to hang up with the employee and call back. After this has been done an email must be sent to the employee stating the changing of the password. The termination of an employee will result in the disabling of their account. This policy is to be followed by all levels of management. (Christopher; 2003, Gartenberg; 2002, Palmer; 2001)

The policy stated above has many of the same qualities found in other password security policies. Wilson Greatbatch has defined some core requirements in their password policy. The issues stated have the backing of a strong password policy. Some changes that could increase the system security would be to have all employees change their passwords when another employee is terminated, and to have passwords limited in character numbers to allow for easy recollection. (Christopher; 2003, Palmer; 2001, Gartenberg; 2002)
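The WGT password procedures above (eight characters with capitals, numerals and punctuation; no reuse of the last fifteen; expiry at ninety days; lockout after three failures in fifteen minutes) written out as a checker, as an added example that is not the paper's or WGT's own code; the account layout, the salted-hash storage and the sample passwords are this example's assumptions:

```python
"""Password-policy checker built from the WGT rules this section describes.
Added example, not the paper's or WGT's own code; the account layout, the
hashing choice and the sample data are this example's assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Numbers come straight from the policy text above.
MIN_LENGTH = 8
HISTORY_DEPTH = 15                       # may not reuse the last fifteen passwords
MAX_AGE = timedelta(days=90)             # all passwords expire after ninety days
LOCKOUT_ATTEMPTS = 3                     # three consecutive failures ...
LOCKOUT_WINDOW = timedelta(minutes=15)   # ... within fifteen minutes


def password_complexity_errors(candidate: str) -> list[str]:
    """Return the complexity rules the candidate violates (empty list = OK)."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        errors.append("no capital letter")
    if not any(c.isdigit() for c in candidate):
        errors.append("no numeral")
    if not any(c in string.punctuation for c in candidate):
        errors.append("no punctuation character")
    return errors


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored history never contains plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[bytes] = field(default_factory=list)  # oldest first, current last
    last_changed: datetime | None = None
    failures: list[datetime] = field(default_factory=list)
    locked: bool = False

    def set_password(self, candidate: str, now: datetime) -> list[str]:
        """Apply the policy; return violations, or [] when the change is accepted."""
        errors = password_complexity_errors(candidate)
        digest = _digest(candidate, self.salt)
        if any(hmac.compare_digest(digest, old) for old in self.history[-HISTORY_DEPTH:]):
            errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if errors:
            return errors
        self.history = (self.history + [digest])[-HISTORY_DEPTH:]
        self.last_changed = now
        self.failures.clear()
        return []

    def is_expired(self, now: datetime) -> bool:
        return self.last_changed is None or now - self.last_changed > MAX_AGE

    def authenticate(self, candidate: str, now: datetime) -> bool:
        """Verify a password, enforcing the three-strikes-in-fifteen-minutes lockout."""
        if self.locked or not self.history:
            return False
        # Only failures inside the window count as "consecutive" for lockout.
        self.failures = [t for t in self.failures if now - t <= LOCKOUT_WINDOW]
        if hmac.compare_digest(_digest(candidate, self.salt), self.history[-1]):
            self.failures.clear()
            return not self.is_expired(now)  # an expired password must be changed first
        self.failures.append(now)
        if len(self.failures) >= LOCKOUT_ATTEMPTS:
            self.locked = True  # only the help-desk reset procedure clears this
        return False


def demo() -> dict:
    """Walk the rules on constructed data and return what happened."""
    t0 = datetime(2004, 9, 1, 9, 0)
    acct = Account("jdoe")
    weak = acct.set_password("password", t0)                        # three rule breaks
    ok = acct.set_password("Wg7#batch", t0)                          # accepted
    reuse = acct.set_password("Wg7#batch", t0 + timedelta(days=1))   # history hit
    login = acct.authenticate("Wg7#batch", t0 + timedelta(days=10))
    for i in range(LOCKOUT_ATTEMPTS):                                # three strikes
        acct.authenticate("wrong", t0 + timedelta(days=10, minutes=i))
    return {"weak": weak, "ok": ok, "reuse": reuse, "login": login,
            "locked": acct.locked,
            "expired_at_day_91": acct.is_expired(t0 + timedelta(days=91))}
```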


Compliance Policy

Compliance for WGT is dealt with on an individual issue basis. Each issue is discussed at length as to the rules and regulations, followed by a discussion of compliance and violation of the preceding rules. The compliance policy states: any violation of the policy may result in disabled access and any other discipline as determined within the HR Discipline Policy. All changes and updates to the policy will be communicated to remote access users via E-mail and will be posted on the company internet. Also, as a condition of employment, all associates must sign an information security compliance agreement indicating that they have read and understand WGT policies and procedures regarding information security, and must agree to perform their work according to such policies and procedures. Violations of the WGT Information Security policy must be promptly reported to the IT Security Analyst. (2003, 2000)

Wilson Greatbatch Technologies has stated the compliance rules, but they were very vague on violation issues. An improvement that should be made to the policy would be to state the exact punishment for violations or noncompliance. This may deter future employees from leaking sensitive information by knowing ahead of time the consequences of their actions. (2001, Connolly; 2000, Christopher; 2003)



References

Andress, M. (2001, November 19). Effective security starts with policies. Retrieved August 23, 2004, from

Avolio, F. (2000, March 20). Best Practices in Network Security. Network Computing. Retrieved August 23, 2004, from

Christopher, K. (2003, December 9). Network Security Policy. Wilson Greatbatch.

Connolly, P. (2000, July 10). Security starts from within. Retrieved August 25, 2004, from

Dunbar, M. (2001, November). Sound policy equals strong security. Credit Union Magazine. Retrieved August 25, 2004, from

Ellis, C. (2003, February). 7 Steps' for network security. Communications News. Retrieved August 25, 2004, from

Forcht, K., Ayers, W. (2000/2001, Winter). Developing a computer security policy for organizational use and implementation. Journal of Computer Information Systems. Retrieved August 25, 2004, from

Gartenberg, M. (2002, June 24). Being Tough, Gentle With Data Security. Retrieved August 25, 2004, from

Hulme, G. (2000, October 16). Beware of the Threat from Within. Retrieved August 25, 2004, from

Hulme, G. (2001, September 3). t Takes Notice. Information Week. Retrieved August 25, 2004, from

Jacobs, J.; Pearl, M.; Irvine, S. (2001, March). Protecting Online Privacy to Avoid Liability. Association Management. Retrieved August 25, 2004, from

Konicki, S., Scott, K., Garvey, M., Gilbert, A., Greenemeier, L., & Rendleman, J. (2001, October 15). IT On High Alert. Information Week. Retrieved from

Luzadder, D., Bryce, R., Gohring, N., Ploskina, B., Scanlon, B., Smetannikov, M., & Spangler, T. (2001, October 22). Feeling Insecure. Interactive Week. Retrieved August 28, 2004, from

Palmer, M. E. (2001, May/June). Information Security Policy Framework: Best Practices For Security Policy In The E-Commerce Age. Information Systems Security. Retrieved August 28, 2004, from

Wood, C. (2000, February 11). Get Data Safety Policies On Paper. American Banker. Retrieved August 28, 2004, from

Yasin (2001, January 08). Policy management hits the web. Internet Week. Retrieved August 28, 2004, from