[K12OSN] OT: what are your usage and Web publishing policies?
Timothy Legge
tlegge at rogers.com
Thu Aug 24 20:11:29 UTC 2006
Matt Oquist wrote:
> I'm looking for some examples of non-Draconian computer usage
> policies, and I'm also interested to know what policies, if any, your
> schools have adopted for teachers publishing on the Web. I know some
> schools are concerned about liability issues WRT teachers' webpages;
> how have your schools responded to this "threat"?
For well written best practice policies see:
http://www.sans.org/resources/policies/
They can be easily tweaked to your needs but my not cover all the topics
you mentioned. However policies include:
Acceptable Encryption Policy
Defines requirements for encryption algorithms used within the
organization.
Acceptable Use Policy
Defines acceptable use of equipment and computing services, and the
appropriate employee security measures to protect the organization's
corporate resources and proprietary information.
Analog/ISDN Line Policy
Defines standards for use of analog/ISDN lines for Fax sending and
receiving, and for connection to computers.
Anti-Virus Process
Defines guidelines for effectively reducing the threat of computer
viruses on the organization's network.
Application Service Provider Policy
Defines minimum security criteria that an ASP must execute in order
to be considered for use on a project by the organization.
Application Service Provider Standards
Outlines the minimum security standards for the ASP. This policy is
referenced in the ASP Policy above.
Acquisition Assessment Policy
Defines responsibilities regarding corporate acquisitions, and
defines the minimum requirements of an acquisition assessment to be
completed by the information security group.
Audit Vulnerability Scanning Policy
Defines the requirements and provides the authority for the
information security team to conduct audits and risk assessments to
ensure integrity of information/resources, to investigate incidents, to
ensure conformance to security policies, or to monitor user/system
activity where appropriate.
Automatically Forwarded Email Policy
Documents the requirement that no email will be automatically
forwarded to an external destination without prior approval from the
appropriate manager or director.
Database Credentials Coding Policy
Defines requirements for securely storing and retrieving database
usernames and passwords.
Dial-in Access Policy
Defines appropriate dial-in access and its use by authorized personnel.
DMZ Lab Security Policy
Defines standards for all networks and equipment deployed in labs
located in the "Demilitarized Zone" or external network segments.
E-mail Policy
Defines standards to prevent tarnishing the public image of the
organization.
E-mail Retention
The Email Retention Policy is intended to help employees determine
what information sent or received by email should be retained and for
how long.
Ethics Policy
Defines the means to establish a culture of openness, trust and
integrity in business practices.
Extranet Policy
Defines the requirement that third party organizations requiring
access to the organization's networks must sign a third-party connection
agreement.
Information Sensitivity Policy
Defines the requirements for classifying and securing the
organization's information in a manner appropriate to its sensitivity level.
Internal Lab Security Policy
Defines requirements for internal labs to ensure that confidential
information and technologies are not compromised, and that production
services and interests of the organization are protected from lab
activities.
Internet DMZ Equipment Policy
Defines the standards to be met by all equipment owned and/or
operated by the organization that is located outside the organization's
Internet firewalls (the demilitarized zone or DMZ)).
Lab Anti-Virus Policy
Defines requirements which must be met by all computers connected
to the organization's lab networks to ensure effective virus detection
and prevention.
Password Protection Policy
Defines standards for creating, protecting, and changing strong
passwords.
Remote Access Policy
Defines standards for connecting to the organization's network from
any host or network external to the organization.
Risk Assessment Policy
Defines the requirements and provides the authority for the
information security team to identify, assess, and remediate risks to
the organization's information infrastructure associated with conducting
business.
Router Security Policy
Defines standards for minimal security configuration for routers
and switches inside a production network, or used in a production capacity.
Server Security Policy
Defines standards for minimal security configuration for servers
inside the organization's production network, or used in a production
capacity.
The Third Party Network Connection Agreement
Defines the standards and requirements, including legal
requirements, needed in order to interconnect a third party
organization's network to the production network. This agreement must be
signed by both parties.
VPN Security Policy
Defines the requirements for Remote Access IPSec or L2TP Virtual
Wireless Communication Policy
Defines standards for wireless systems used to connect to the
organization's networks.
Tim
More information about the K12OSN
mailing list