Information

Technology
Cyber Security
Policy v4.0.0
Intelligence Node
February 01, 2020

201, Boston House, Suren Road, [email protected]

Chakala, Andheri (E), Mumbai - 400093 www.intelligencenode.com
CIN No: U72300MH2012PTC235742 Phone no.: +91 22 6555 5056;
 Intelligence Node Consulting Private Limited

POLICY MANUAL

INTRODUCTION
This Cyber Security Policy is a formal set of rules by which those people who are given access to
company technology and information assets must abide.

The Cyber Security Policy serves several purposes. The main purpose is to inform company users:
employees, contractors and other authorized users of their obligatory requirements for protecting
the technology and information assets of the company. The Cyber Security Policy describes the
technology and information assets that we must protect and identifies many of the threats to
those assets.

The Cyber Security Policy also describes the user’s responsibilities and privileges. What is
considered acceptable use? What are the rules regarding Internet access? The policy answers
these questions, describes user limitations and informs users there will be penalties for violation
of the policy. This document also contains procedures for responding to incidents that threaten
the security of the company computer systems and network.

WHAT ARE WE PROTECTING

It is the obligation of all users of the company systems to protect the technology and information
assets of the company. This information must be protected from unauthorized access, theft and
destruction. The technology and information assets of the company are made up of the following
components:

Page 2
 • Computer hardware, CPU, disc, Email, web, application servers, PC systems, application
software, system software, etc.
• System Software including: operating systems, database management systems, and backup
and restore software, communications protocols, and so forth.
• Application Software: used by the various departments within the company. This includes
custom written software applications, and commercial off the shelf software packages.
• Communications Network hardware and software including: routers, routing tables, hubs,
modems, multiplexers, switches, firewalls, private lines, and associated network
management software and tools.

CLASSIFICATION OF INFORMATION
User information found in computer system files and databases shall be classified as either
confidential or non-confidential. The company shall classify the information controlled by
them. Senior manager is required to review and approve the classification of the information
and determine the appropriate level of security to best protect it.

CLASSIFICATION OF COMPUTER SYSTEMS

Security Level Description Example

RED This system contains confidential Server containing confidential

information – information that data and other department
cannot be revealed to personnel information on databases.
outside of the company. Even Network routers and firewalls
within the company, access to this containing confidential routing
information is provided on a “need tables and security information.
to know” basis.

The system provides mission-

critical services vital to the
operation of the business. Failure
of this system may have life
threatening consequences and/or
an adverse financial impact on the
business of the company.

Page 3
 GREEN This system does not contain User department PCs used to
confidential information or access Server and application(s).
perform critical services, but it Management workstations used by
provides the ability to access RED systems and network
systems through the network. administrators.

WHITE This system is not externally A test system used by system

accessible. It is on an isolated LAN designers and programmers to
segment, unable to access RED or develop new computer systems.
GREEN systems. It does not
contain sensitive information or
perform critical services.

BLACK This system is externally A public Web server with non-

accessible. It is isolated from RED sensitive information.
or GREEN systems by a firewall.
While it performs important
services, it does not contain
confidential information.

Page 4
 LOCAL AREA NETWORK (LAN) CLASSIFICATIONS
A LAN will be classified by the systems directly connected to it. For example, if a LAN contains just
one RED system and all network users will be subject to the same restrictions as RED systems
users. A LAN will assume the Security Classification of the highest-level systems attached to it.

DEFINITIONS

Externally accessible to public. The system may be accessed via the Internet by persons
outside of the company without a logon id or password. The system may be accessed via dial-up
connection without providing a logon id or password. It is possible to “ping” the system from the
Internet. The system may or may not be behind a firewall. A public Web Server is an example of
this type of system.

Non-Public, Externally accessible. Users of the system must have a valid logon id and
password. The system must have at least one level of firewall protection between its network and
the Internet. The system may be accessed via the Internet or the private Intranet. A private FTP
server used to exchange files with business partners is an example of this type of system.

Internally accessible only. Users of the system must have a valid logon id and password. The
system must have at least two levels of firewall protection between its network and the Internet.
The system is not visible to Internet users. It may have a private Internet (non-translated)
address and it does not respond to a “ping” from the Internet. A private intranet Web Server is an
example of this type of system.

Chief Information Officer. The Director of the Department of Information Technology (IT) shall
serve as the Chief Information Officer.

Security Administrator. An employee of IT shall be designated as the Security Administrator for

the company.

Page 5
 Threats to Security

EMPLOYEES
One of the biggest security threats is employees. They may do damage to your systems
either through incompetence or on purpose. You must layer your security to compensate for
that as well. You mitigate this by doing the following.

ü Only give out appropriate rights to systems. Limit access to only business hours.
ü Don’t share accounts to access systems. Never share your login information with co-
workers.
ü When employees are separated or disciplined, you remove or limit access to systems.
ü Advanced – Keep detailed system logs on all computer activity.
ü Physically secure computer assets, so that only staff with appropriate need can access.

AMATEUR HACKERS AND VANDALS.

These people are the most common type of attackers on the internet. The probability of attack is
extremely high and there is also likely to be a large number of attacks. There are usually crimes of
opportunity. There amateur hackers are scanning the internet and looking for well known
security holes that have not been plugged. Web servers and electronic mail are their favourite
targets. Once they find a weakness they will exploit it to plant viruses, trojan horses, or use the
resources of your system for their own means. if they do not find an obvious weakness they are
likely to move on to an easier target.

CRIMINAL HACKERS AND SABOTEURS.

The probability of this type of attack is low, but not entirely unlikely given the amount of sensitive
information contained in databases. The skill of these attackers is medium to high as they are
likely to be trained in the use of the latest hacker tools. The attacks are well planned and are
based on any weaknesses discovered that will allow a foothold into the network.

User Responsibilities
This section establishes usage policy for the computer systems, networks and information
resources of the office. It pertains to all employees and contractors who use the computer
systems, networks, and information resources as business partners, and individuals who are
granted access to the network for the business purposes of the company.

Page 6
 ACCEPTABLE USE
User accounts on company computer systems are to be used only for business of the company and
not to be used for personal activities. Unauthorized use of the system may be in violation of the
law, constitutes theft and can be punishable by law. Therefore, unauthorized use of the company
computing system and facilities may constitute grounds for either civil or criminal prosecution.

Users are personally responsible for protecting all confidential information used and/or stored on
their accounts. This includes their logon IDs and passwords. Furthermore, they are prohibited
from making unauthorized copies of such confidential information and/or distributing it to
unauthorized persons outside of the company.

Users shall not purposely engage in activity with the intent to: harass other users; degrade the
performance of the system; divert system resources to their own use; or gain access to company
systems for which they do not have authorization.

Users shall not attach unauthorized devices on their PCs or workstations, unless they have
received specific authorization from the employees’ manager and/or the company IT designee.

Users shall not download unauthorized software from the Internet onto their PCs or workstations.

Users are required to report any weaknesses in the company computer security, any incidents of
misuse or violation of this policy to their immediate supervisor.

USE OF THE INTERNET

The company will provide Internet access to employees and contractors who are connected to the
internal network and who has a business need for this access. Employees and contractors must
obtain permission from their supervisor and file a request with the Security Administrator.

The Internet is a business tool for the company. It is to be used for business-related purposes such
as: communicating via electronic mail with suppliers and business partners, obtaining useful
business information and relevant technical and business topics.

Page 7
 The Internet service may not be used for transmitting, retrieving or storing any communications
of a discriminatory or harassing nature or which are derogatory to any individual or group,
obscene or pornographic, or defamatory or threatening in nature for “chain letters” or any other
purpose which is illegal or for personal gain.

USER CLASSIFICATION
All users are expected to have knowledge of these security policies and are required to report
violations to the Security Administrator. Furthermore, all users must conform to the Acceptable
Use Policy defined in this document. The company has established the following user groups and
defined the access privileges and responsibilities:

User Category Privileges & Responsibilities

Department Users (Employees) Access to application and databases as

required for job function. (RED and/or
GREEN cleared)

System Administrators Access to computer systems, routers, hubs,

and other infrastructure technology
required for job function. Access to
confidential information on a “need to
know” basis only.

Security Administrator Highest level of security clearance. Allowed

access to all computer systems, databases,
firewalls, and network devices as required
for job function.

Systems Analyst/Programmer Access to applications and databases as

required for specific job function. Not
authorized to access routers, firewalls, or
other network devices.

Contractors/Consultants Access to applications and databases as

required for specific job functions. Access to
routers and firewall only if required for job

Page 8
 function. Knowledge of security policies.
Access to company information and systems
must be approved in writing by the company
director/CEO.

Other Agencies and Business Partners Access allowed to selected applications only
when contract or inter-agency access
agreement is in place or required by
applicable laws.

General Public Access is limited to applications running on

public Web servers. The public will not be
allowed to access confidential information.

MONITORING USE OF COMPUTER SYSTEMS

The company has the right and capability to monitor electronic information created and/or
communicated by persons using company computer systems and networks, including e-mail
messages and usage of the Internet. It is not the company policy or intent to continuously
monitor all computer usage by employees or other users of the company computer systems and
network. However, users of the systems should be aware that the company may monitor usage,
including, but not limited to, patterns of usage of the Internet (e.g. site accessed, on-line length,
time of day access), and employees’ electronic files and messages to the extent necessary to
ensure that the Internet and other electronic communications are being used in compliance with
the law and with company policy.

Access Control
A fundamental component of our Cyber Security Policy is controlling access to the critical
information resources that require protection from unauthorized disclosure or modification. The
fundamental meaning of access control is that permissions are assigned to individuals or systems
that are authorized to access specific resources. Access controls exist at various layers of the
system, including the network. Access control is implemented by logon ID and password. At the
application and database level, other access control methods can be implemented to further
restrict access. The application and database systems can limit the number of applications and
databases available to users based on their job requirements.

Page 9
 USER SYSTEM AND NETWORK ACCESS – NORMAL USER IDENTIFICATION
All users will be required to have a unique logon ID and password for access to systems. The
user’s password should be kept confidential and MUST NOT be shared with management &
supervisory personnel and/or any other employee whatsoever. All users must comply with
the following rules regarding the creation and maintenance of passwords:

• Password must not be found in any English or foreign dictionary. That is, do not use any
common name, noun, verb, adverb, or adjective. These can be easily cracked using standard
“hacker tools”.
• Passwords should not be posted on or near computer terminals or otherwise be readily
accessible in the terminal.
• Password must be changed every 45 days.
• User accounts will be frozen after 3 failed login attempts.
• Logon IDs and passwords will be suspended after 30 days of no usage.

Users are not allowed to access password files on any network infrastructure component.
Password files on servers will be monitored for access by unauthorized users. Copying, reading,
deleting or modifying a password file on any computer system is prohibited.

Users will not be allowed to logon as a System Administrator. Users who need this level of access
to production systems must request a Special Access account as outlined elsewhere in this
document.

Employee Logon IDs and passwords will be deactivated as soon as possible if the employee is
terminated, fired, suspended, placed on leave, or otherwise leaves the employment of the
company office.

Supervisors / Managers shall immediately and directly contact the company IT Manager to report
change in employee status that requires terminating or modifying employee logon access
privileges.

Page 10
 Employees who forget their password must call the IT department to get a new password
assigned to their account. The employee must identify himself/herself by government issued ID to
the IT department.

Employees will be responsible for all transactions occurring during Logon sessions initiated by
use of the employee’s password and ID. Employees shall not logon to a computer and then allow
another individual to use the computer or otherwise share access to the computer systems.

SYSTEM ADMINISTRATOR ACCESS

System Administrators, network administrators, and security administrators will have full access
to host systems, routers, hubs, and firewalls as required to fulfill the duties of their job.

All system administrator passwords will be DELETED immediately after any employee who has
access to such passwords is terminated, fired, or otherwise leaves the employment of the
company.

SPECIAL ACCESS
Special access accounts are provided to individuals requiring temporary system administrator
privileges in order to perform their job. These accounts are monitored by the company and
require the permission of the user’s company IT Manager. Monitoring of the special access
accounts is done by entering the users into a specific area and periodically generating reports to
management. The reports will show who currently has a special access account, for what reason,
and when it will expire. Special accounts will expire every day and will not be automatically
renewed without written permission.

CONNECTING TO THIRD-PARTY NETWORKS

This policy is established to ensure a secure method of connectivity provided between the
company and all third-part companies and other entities required to electronically exchange
information with company.

“Third-party” refers to vendors, consultants and business partners doing business with company,
and other partners that have a need to exchange information with the company. Third-party
network connections are to be used only by the employees of the third-party, only for the business
purposes of the company. The third-party company will ensure that only authorized users will be
allowed to access information on the company network. The third-party will not allow Internet
traffic or other private network traffic to flow into the network.

Page 11
 This policy applies to all third-party connection requests and any existing third-party
connections. In cases where the existing third-party network connections do not meet the
requirements outlined in this document, they will be re-designed as needed.

All requests for third-party connections must be made by submitting a written request and be
approved by the company.

CONNECTING DEVICES TO THE NETWORK

Only authorized devices may be connected to the company network(s). Authorized devices
include PCs and workstations owned by company that comply with the configuration guidelines of
the company. Other authorized devices include network infrastructure devices used for network
management and monitoring.

Users shall not attach to the network: non-company computers that are not authorized, owned
and/or controlled by company.
NOTE: Users are not authorized to attach any device that would alter the topology characteristics
of the Network or any unauthorized storage devices, e.g. thumb drives and writable CD’s.

REMOTE ACCESS
Only authorized persons may remotely access the company network. Remote access is provided
to those employees, contractors and business partners of the company that have a legitimate
business need to exchange information, copy files or programs, or access computer applications.
Authorized connection can be remote PC to the network or a remote network to company
network connection. The only acceptable method of remotely connecting into the internal
network is using a secure ID.

UNAUTHORIZED REMOTE ACCESS

The attachment of (e.g. hubs) to a user’s PC or workstation that is connected to the company LAN
is not allowed without the written permission of the company. Additionally, users may not install
personal software designed to provide remote control of the PC or workstation. This type of
remote access bypasses the authorized highly secure methods of remote access and poses a threat
to the security of the entire network.

Page 12
 Penalty for Security Violation
The company takes the issue of security seriously. Those people who use the technology and
information resources of company must be aware that they can be disciplined if they violate this
policy. Upon violation of this policy, an employee of company may be subject to discipline
up to and including discharge. The specific discipline imposed will be determined by a case-by-
case basis, taking into consideration the nature and severity of the violation of the Cyber Security
Policy, prior violations of the policy committed by the individual, state and federal laws and all
other relevant information. Discipline which may be taken against an employee shall be
administrated in accordance with any appropriate rules or policies and the company Policy
Manual.

In a case where the accused person is not an employee of company the matter shall be submitted
to the CAO. The CAO may refer the information to law enforcement agencies and/or prosecutors
for consideration as to whether criminal charges should be filed against the alleged violator(s).

Security Incident Handling Procedures

This section provides some policy guidelines and procedures for handling security incidents. The
term “security incident” is defined as any irregular or adverse event that threatens the security,
integrity, or availability of the information resources on any part of the company network. Some
examples of security incidents are:

• Illegal access of a company computer system. For example, a hacker logs onto a production
server and copies the password file.
• Damage to a company computer system or network caused by illegal access. Releasing a
virus or worm would be an example.
• Denial of service attack against a company web server. For example, a hacker initiates a
flood of packets against a Web server designed to cause the system to crash.
• Malicious use of system resources to launch an attack against other computer outside of the
company network. For example, the system administrator notices a connection to an
unknown network and a strange process accumulating a lot of server time.

Employees, who believe their terminal or computer systems have been subjected to a security
incident, or has otherwise been improperly accessed or used, should report the situation to their
manager immediately. The employee shall not turn off the computer or delete suspicious files.
Leaving the computer in the condition it was in when the security incident was discovered will
assist in identifying the source of the problem and in determining the steps that should be taken
to remedy the problem.

Page 13