Ragnarok30

My Security Policy Assignment

5 posts in this topic

It's not done, but it's pretty close to being done. I KNOW THERE ARE GRAMMATICAL / SPELLING MISTAKES! If you guys see anything that needs adding, let me know. Or else at least tell me what you think so far.

By the way, some are complete sentences while others are notes waiting to be completed.

Summary:

This acceptable use policy has been designed to define a strict set of guidelines to protect information and hardware from inappropriate use at the League of Shadows University.

Scope:

This policy is designed to cover all students, faculty, employees, and any visitors at the League of Shadows University. This covers any and all equipment and data transmissions provided by the university.

General Usage:

1.Students, faculty, staff, temps, and visitors should exercise good judgment while making use of LSU equipment and Internet communications.

2.No network is completely infallible. With that in mind, sensitive data should be secured.

3.Clients on the network have VNC installed. Administrators are allowed to monitor traffic on the network to prevent any adverse usage.

General Security Practices:

1.Choose secure passwords

2.Passwords will expire every 90 days

3.User accounts are not to be shared

4.Administration will take care of giving out user accounts.

5.The wireless network will be WPA secured.

6.It is suggested that users lock workstations when they aren't in use.

Unacceptable Network Activity:

1.All network users that fall under this scope are to exercise due care. Users are not permitted to take part in activity aimed at adverse actions.

2.Portscanning is prohibited on the premises. Portscanning is the initial step to executing malicious activities. Portscans MAY be conducted in closed lab environments.

Additionally, system administrators and network technicians are allowed to use portscanners for general network upkeep and maintenance.

3.Man-in-the-middle attacks are a form of eavesdropping. This malicious attack is a direct violation of network policy.

4.Denial of service and distributed denial of service, also known as DoS or DDoS, within our private network, or using our network to attack clients across the Internet, is strictly prohibited.

5.Anything in the nature of cracking is not permitted whatsoever.

6.Spoofing is not permitted whatsoever. Spoofing is a form of malicious activity. Again, the exception is a lab environment.

Email and Communications Violations:

1.No email spamming

2.No e-mail bombing

3.Ports associated with instant messengers will not be opened.

Enforcement:

Any person covered under the scope of the acceptable use policy who is found in breach of these terms may face disciplinary action, up to and including termination.

Definitions:

Spoofing -

An attempt to gain access to a system by posing as an authorized user. Synonymous with impersonating, masquerading or mimicking.

Spamming -

Unsolicited e-mail normally sent in bulk.

Edited by Ragnarok30

Never done one of these, and whilst it's not the same thing, the Binrev rules you see when you create an account are a good read. May give you some ideas.

Good luck with the assignment mate :D


You may want to go a little further with your definitions, even as granular as defining what a computer is or isn't (desktop, laptop, pda, smartphone, etc) and what "the network" encompasses. What is a system administrator? Does a student with a job as the sysadmin of a local company qualify, or only university employees? Is there only a specific class of employee? Consider an official appointment letter from university management authorizing system administrators and reference the appointment letter requirement in the policy.

Think of this as a legal document, because it is. Try to think on how a lawyer would dissect every statement in the policy and invalidate it or raise questions about what the directive "really means". This becomes especially important when you are using the policy as evidence of violation of acceptable use.

For example, secure passwords can mean a lot of different things. It needs to be explicitly defined. You don't need to talk about systems, but you do need to mention requirements. What about requiring the use of WPA for wireless networks? WPA doesn't do you much good if it includes an insecure RADIUS implementation. You really don't need to go into protocol detail in a policy - it is sufficient to say that only the authorized university wireless network is permitted and all devices must be authorized by the university IT staff. This authorization requires a separate application for student-owned networking devices that defines what this authorized network is and how it is defined, and must be signed by that student before being granted access. Also, avoid making "suggestions". A policy is mandatory. If you start including discretionary language you open the door to a big mess.

Your scope includes only networking services provided by the university, but how do you handle those provided by non-university entities? Do they have free rein even when they negatively impact the university production environment? You mention not using the university network to DoS Internet victims, but what about internal targets?

You have a decent start here, you just need to define it more clearly.

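The reply above makes the point that "choose secure passwords" and "passwords will expire every 90 days" only become enforceable once the requirements are spelled out. The following is an added example, not part of the original thread or the assignment, showing what an explicitly defined version of those two rules looks like as checkable code. The minimum length, the three-character-class rule, the tiny common-password list and the sample dates are all assumptions made for the example, not values from the draft policy.

```python
"""Constructed example: concrete, testable versions of two draft-policy rules.

Assumed requirements (not the university's own): at least 12 characters,
at least three of four character classes, not on a known-common list, not
containing the username; and a maximum password age of 90 days.
"""
from datetime import date

MIN_LENGTH = 12          # assumed threshold
MIN_CHAR_CLASSES = 3     # assumed: lower, upper, digit, symbol
MAX_AGE_DAYS = 90        # the draft policy's 90-day expiry

# Constructed stand-in for a real breached/common-password corpus.
# A deployment would check against a much larger list.
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty123", "welcome1"}


def password_problems(password: str, username: str = "") -> list[str]:
    """Return every rule the candidate password violates; empty list = compliant."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Count distinct character classes present.
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CHAR_CLASSES:
        problems.append(f"fewer than {MIN_CHAR_CLASSES} character classes")

    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")

    # Guard on username: '' in anything is True in Python.
    if username and username.lower() in password.lower():
        problems.append("contains the username")

    return problems


def days_until_expiry(last_changed: date, today: date) -> int:
    """Days remaining under the 90-day rule; zero or negative means expired."""
    return MAX_AGE_DAYS - (today - last_changed).days


def is_expired(last_changed: date, today: date) -> bool:
    """True when the password has reached or passed its maximum age."""
    return days_until_expiry(last_changed, today) <= 0


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("password", "Correct-Horse-Battery-9", "Alice-Secure-Pass-2024"):
        print(pw, "->", password_problems(pw, username="alice") or "OK")
    print("expired:", is_expired(date(2024, 1, 1), date(2024, 3, 31)))
```

Written this way, each policy sentence maps to one check the IT staff can run and a user can be shown the exact rule they failed, which is the kind of explicit requirement the reply is asking for.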

You can find some examples of security policies at SANS; also, the Security in Computing book by Pfleeger & Pfleeger has some good references and instructions on how to create a security policy.

Now that I'm thinking about it, you can find info about security policy in a CISSP book or something.
