[K12OSN] OT: what are your usage and Web publishing policies?

Timothy Legge tlegge at rogers.com
Thu Aug 24 20:11:29 UTC 2006


Matt Oquist wrote:
> I'm looking for some examples of non-Draconian computer usage
> policies, and I'm also interested to know what policies, if any, your
> schools have adopted for teachers publishing on the Web.  I know some
> schools are concerned about liability issues WRT teachers' webpages;
> how have your schools responded to this "threat"?

For well written best practice policies see:

http://www.sans.org/resources/policies/

They can be easily tweaked to your needs but may not cover all the topics 
you mentioned.  However, policies include:

Acceptable Encryption Policy
     Defines requirements for encryption algorithms used within the 
organization.

Acceptable Use Policy
     Defines acceptable use of equipment and computing services, and the 
appropriate employee security measures to protect the organization's 
corporate resources and proprietary information.

Analog/ISDN Line Policy
     Defines standards for use of analog/ISDN lines for Fax sending and 
receiving, and for connection to computers.

Anti-Virus Process
     Defines guidelines for effectively reducing the threat of computer 
viruses on the organization's network.

Application Service Provider Policy
     Defines minimum security criteria that an ASP must execute in order 
to be considered for use on a project by the organization.

Application Service Provider Standards
     Outlines the minimum security standards for the ASP. This policy is 
referenced in the ASP Policy above.

Acquisition Assessment Policy
     Defines responsibilities regarding corporate acquisitions, and 
defines the minimum requirements of an acquisition assessment to be 
completed by the information security group.

Audit Vulnerability Scanning Policy
     Defines the requirements and provides the authority for the 
information security team to conduct audits and risk assessments to 
ensure integrity of information/resources, to investigate incidents, to 
ensure conformance to security policies, or to monitor user/system 
activity where appropriate.

Automatically Forwarded Email Policy
     Documents the requirement that no email will be automatically 
forwarded to an external destination without prior approval from the 
appropriate manager or director.

Database Credentials Coding Policy
     Defines requirements for securely storing and retrieving database 
usernames and passwords.

Dial-in Access Policy
     Defines appropriate dial-in access and its use by authorized personnel.

DMZ Lab Security Policy
     Defines standards for all networks and equipment deployed in labs 
located in the "Demilitarized Zone" or external network segments.

E-mail Policy
     Defines standards to prevent tarnishing the public image of the 
organization.

E-mail Retention
     The Email Retention Policy is intended to help employees determine 
what information sent or received by email should be retained and for 
how long.

Ethics Policy
     Defines the means to establish a culture of openness, trust and 
integrity in business practices.

Extranet Policy
     Defines the requirement that third party organizations requiring 
access to the organization's networks must sign a third-party connection 
agreement.

Information Sensitivity Policy
     Defines the requirements for classifying and securing the 
organization's information in a manner appropriate to its sensitivity level.

Internal Lab Security Policy
     Defines requirements for internal labs to ensure that confidential 
information and technologies are not compromised, and that production 
services and interests of the organization are protected from lab 
activities.

Internet DMZ Equipment Policy
     Defines the standards to be met by all equipment owned and/or 
operated by the organization that is located outside the organization's 
Internet firewalls (the demilitarized zone or DMZ).

Lab Anti-Virus Policy
     Defines requirements which must be met by all computers connected 
to the organization's lab networks to ensure effective virus detection 
and prevention.

Password Protection Policy
     Defines standards for creating, protecting, and changing strong 
passwords.

Remote Access Policy
     Defines standards for connecting to the organization's network from 
any host or network external to the organization.

Risk Assessment Policy
     Defines the requirements and provides the authority for the 
information security team to identify, assess, and remediate risks to 
the organization's information infrastructure associated with conducting 
business.

Router Security Policy
     Defines standards for minimal security configuration for routers 
and switches inside a production network, or used in a production capacity.

Server Security Policy
     Defines standards for minimal security configuration for servers 
inside the organization's production network, or used in a production 
capacity.

The Third Party Network Connection Agreement
     Defines the standards and requirements, including legal 
requirements, needed in order to interconnect a third party 
organization's network to the production network. This agreement must be 
signed by both parties.

VPN Security Policy
     Defines the requirements for Remote Access IPSec or L2TP Virtual

Wireless Communication Policy
     Defines standards for wireless systems used to connect to the 
organization's networks.

Tim
