Company Security Policy
The purpose of this security policy is to ensure the proper use of data across the network by all employees, contractors, and a limited set of vendors.
Server
Corporate server access is only granted to employees and contractors on the administrative team. Backups are performed on a daily basis to a separate location and transferred to an offsite location as specified by the administrative manager.
Computers
All corporate computers are to have approved encryption software installed to protect the contents of the hard drive. COMPANY employees are responsible for locking the device whenever they are away for an extended period. A password-protected, timed screen saver must be configured at all times so that it activates whenever the device has been inactive for longer than five minutes.
Confidential data
Confidential data includes, but is not limited to, blueprints, employee records, and client information. It is the responsibility of the administrative team to protect confidential data on the corporate network. The Traps anti-virus software must be up to date and functioning properly on all devices located on the corporate network. All devices are required to have encryption set up on their hard drives. The network administrator is required to maintain the secured network at all times to ensure the protection of all confidential data. If new firmware or software updates are released, they must be applied within a month. In the case of a network breach, it must be dealt with immediately and all users are to be notified.
If a COMPANY employee transmits any confidential data, responsibility for that data rests with the COMPANY employee. Ensuring the data is encrypted during transmission reduces the risk of multiple threats. The following software is required to be installed and configured: Traps anti-virus, VeraCrypt encryption software, and a secured network connection. If confidential data must be transferred from its original location off the network, the COMPANY employee is required to encrypt the documentation before it can be transferred, sent, or moved. A COMPANY employee will not allow any unauthorized users to view confidential data.
Databases
Maintenance and backups are required on a regular basis to ensure the integrity of the database. A full backup will be completed on a monthly basis, while periodic backups are completed on a daily basis. Once a backup is completed, it is required to be encrypted using the VeraCrypt software. The backups are then transferred to an offsite location on a weekly basis by a member of the administrative team. Maintenance is mandatory on a weekly basis and is the responsibility of the administrative team. Database servers are required to have anti-virus software installed and functioning at all times.
COMPANY employees with database access are not allowed to share access or discuss the contents with others. Database use must be done in a considerate manner, and any change requests should be delivered to the manager on duty. It is the responsibility of the COMPANY employee to safely close and exit the database when finished working with it.
Passwords
Password requirements: at least one capital letter, one number, and one special character; a minimum of 8 characters; and no multiple consecutive characters. Common dictionary words, the user's name or username, and birthdates are not allowed. Passwords must be changed every 90 days and cannot contain previous passwords. Selecting a password that meets these requirements is mandatory and can be done using a phrase such as "What Would Jesus Do At All Times?". This phrase can be broken down into a password like so: "WwJdAaT1?". Password managers may be used if approved by the information services department manager. Use of a password generator may be authorized if selecting a password is too difficult.
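As an added illustration of the rules above (example code written here, not a COMPANY tool), this Python checker reports every rule a candidate password breaks. It assumes "multiple consecutive characters" means the same character repeated back-to-back, uses a small constructed word list in place of a real dictionary, and the user details in the test are constructed sample values.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a real dictionary word list (assumption).
COMMON_WORDS = {"password", "welcome", "company", "summer", "letmein", "admin"}


@dataclass
class UserContext:
    username: str
    name: str
    birthdate: str                       # ISO date "YYYY-MM-DD"
    previous: list = field(default_factory=list)   # earlier passwords (plaintext here for the demo)


def birthdate_tokens(iso_date: str) -> set:
    """Digit sequences a user is likely to lift from a birthdate (4+ digits only)."""
    y, m, d = iso_date.split("-")
    return {y, m + d, d + m, y + m + d, d + m + y, m + d + y}


def check_password(pw: str, user: UserContext) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    # Assumption: "multiple consecutive characters" = the same character twice in a row.
    if re.search(r"(.)\1", pw):
        problems.append("repeated consecutive character")
    low = pw.lower()
    if any(w in low for w in COMMON_WORDS):
        problems.append("contains a common dictionary word")
    # Name/username check is case-insensitive; ignore very short name parts.
    if any(len(p) >= 3 and p.lower() in low for p in [user.username] + user.name.split()):
        problems.append("contains name or username")
    if any(tok in pw for tok in birthdate_tokens(user.birthdate)):
        problems.append("contains birthdate")
    # "Cannot contain previous passwords": reject any earlier password appearing inside the new one.
    if any(old and old.lower() in low for old in user.previous):
        problems.append("contains a previous password")
    return problems
```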
Network equipment and configuration
Physical access to networking equipment is only provided to the administrative team, specifically the network administrator. Configuration access and changes to networking equipment are only permitted by the networking team. Firmware and software updates should be applied on a regular basis, within a month of their release. Backups of the networking configuration are required after any modification.
Software
The COMPANY software development team is responsible for maintaining updates, changes, and backups of all software on the network. Anti-virus software should be deployed on all devices across the network. All software servers, including the licensing server, are required to have a static IP and constant traffic monitoring. Administrators are responsible for access to the servers containing licensed software. Top-level administrators are responsible for all custom-made applications and software.
Update releases will be monitored by COMPANY employees to ensure they are applied in a timely manner. Testing is required before updates are applied in order to check their effect on the system. A backup of the software's current state is required both before and after an update has been applied.
Equipment
It is the COMPANY employee's responsibility to report any damage, issues, theft, or loss of COMPANY equipment. Every device is required to have an inventory sticker so that it can be managed in the inventory and its presence on the network recorded for updates, changes, and tracking. Care and maintenance are the responsibility of the COMPANY employee; if a task is beyond the employee's abilities, it must be reported to the information services department immediately.
Communication
The information technology system allows smooth communication as long as it is used properly. Confidential data must not be shared with anyone who does not have the appropriate access. A COMPANY employee must gain approval from their manager before sharing any data with employees outside the department in which the data resides. Encryption software is required when sending emails to other employees and to clients.
Remote accessibility
The employee is responsible for any actions performed while remotely connected to the COMPANY corporate network. An approved VPN client is required to access the internal network whenever working offsite. Recreational use of a device that is connected to the corporate network is not permitted, and the employee is held accountable for any actions performed.