Network Security Policy Builder

DataComm Networks, Inc. delivers to you a comprehensive CD with Wizards and Templates enabling you to author and publish a 40+ page custom Security Policies & Procedures Manual that meets GLBA-based Federal Regulatory auditing guidelines.
Introduction

Information and information systems are necessary for the performance of just about every essential activity within your financial institution. If there were to be a serious security problem with this “information”, or these “information systems”, your business could suffer serious consequences including lost customers, reduced revenues, and / or degraded reputation. As a result, information security must now be a critical part of your bank’s business environment.

DataComm Networks, a leading network systems integrator and Managed Network and Security Services provider to financial institutions, has assembled PolicyPRO, a comprehensive CD with Wizards and Templates enabling you to author and publish a 40+ page custom Security Policies & Procedures Manual that meets GLBA-based Federal Regulatory auditing guidelines. This will ensure that your organization is able to support the further growth of its business, as well as ensure a consistently high level of customer service. Our CD and the documentation it provides are intended to support your bank’s reputation for high-integrity and high-quality business dealings. Because prevention of security problems is considerably less expensive than recovering from a breach, these policies can greatly reduce costs in the long run.

Our Solution

Using our innovative PolicyPRO, your institution will be able to create a document and policies to address the following information classification categories:
Public – Public Information is information that can be disclosed to anyone. It would not violate an individual’s rights to privacy. Knowledge of this information won’t expose your institution to financial loss, embarrassment, or jeopardize the security of your organization’s assets. Examples:
  • Marketing Brochures
  • Public Annual Reports
  • Business Cards
  • Press Releases
Internal – Internal Use Information is information that, due to its technical or business sensitivity, is limited to your bank’s employees and to non-bank employees and vendors covered by a non-disclosure agreement. If there were unauthorized disclosure, compromise or destruction, there would be minimal to no significant impact to your business, its customers, or employees. Examples:
  • Employee Handbook
  • Telephone Directory
  • Organization Charts
  • Policies
  • Routing Admin / Office Information
Confidential – Confidential Information is defined as information whose unauthorized disclosure, compromise, or destruction would directly or indirectly have an adverse effect on your business, its customers and / or employees. Financial loss, damage to your bank’s reputation, loss of business, and potential legal action could occur. It is intended solely for use within the bank and is limited to those with “business-need-to-know” authorization. Examples:
  • System Requirements
  • Configuration Standards
  • Proprietary Software
  • Personnel Records
  • Customer Records
  • Business Plans
  • Customer Correspondence
  • Budget Information
  • Security Plans and Standards
Restricted – Restricted Information, the highest level of classification, is information whose unauthorized disclosure, compromise or destruction would result in severe damage, provide significant advantage to a competitor, or cause penalties to the bank, its customers or employees. It is intended solely for restricted use within the bank, and is limited to those with an explicit, predetermined stringent “business-need-to-know” authorization. Examples:
  • Strategic Plans
  • Encryption Keys
  • Passwords, PIN Numbers and other Authentication Information
  • Credit Card Account Information
  • Security Audits and Logs
  • IP Addresses for Security-Related Servers

How it Works

That’s the easy part! DataComm will send you the software you need to quickly create an Information Security Policy for use throughout the organization. Your information security officer or management simply needs to fill in the blanks, answering the predetermined questions that appear when you install the software; the output is created in Microsoft® Word format. After the questions are answered and the “blanks” are filled in, the software immediately creates the Word document you need to implement as your new Information Security Policy. The process can usually be done in less than ten (10) minutes.

Table of Contents

The “document” (the Information Security Policy) that PolicyPRO creates will include and cover in detail the following, and more:

  • An Agreement to Comply with Policy – for all bank employees to acknowledge that they’ve read and agree to comply with the Information and Information Systems Security Policy you’ve created.

  • An Introduction Section – that outlines the purpose of the Policy and Document as it applies to information:
    • As a Critical Business Function
    • Supporting Business Objectives
    • Describing why Consistent Compliance is Essential
    • That a Team Effort is Required
    • Reasons for Classification of Information and a definition of the Classifications (expanded from the Classifications described above)

  • Information Security Responsibilities – Defines the following:

    • Who are the “Information” Owners?
    • Role Descriptions:
      • Worker’s Manager
      • Information Custodians
      • Information Users
      • Information Security Department
    • Board and Management Involvement
    • Board Notification of Security Changes
    • Internal Audit and Compliance Department

  • Access Management – Defines the following:
    • Access Philosophy
    • Access Approval Process
    • User ID Assignment
    • User Authentication
    • Default Facilities
    • Inactive Session Time Outs
    • Access Revocation
    • Security Warning Banners
    • Restricted Access to Servers
    • Activity Logging

  • Fixed Password Management – Defining the following:
    • Choosing Passwords
    • Changing Passwords
    • Protecting Passwords

  • Acceptable Use of the Internet – Defining the following:
    • Not a Fringe Benefit
    • Information Reliability
    • Posting Information to Discussion Groups
    • Downloading Software
    • Acceptable Browsing
    • Confidential Information Transmission
    • International Transfer of Data
    • Activation of Services
    • User Anonymity
    • Security Reports

  • Electronic Mail – Covering these topics:
    • Sharing and Forwarding
    • Default Protection
    • Message Recording
    • Contents of Messages
    • Harassing or Offensive Messages
    • Right to Monitor Email

  • Remote Access – Covering the following:
    • Approval for Remote Access
    • Authentication of Remote Users
    • Location Independence
    • Access Control Software
    • Personal Firewalls
    • Dial-Up Access
    • Handling of Sensitive Information
    • Theft of Equipment
    • Remote Office Security
    • Travel Considerations

  • Viruses, Malicious Software, and Change Control – Covering these topics:
    • Virus Checking Required
    • AntiVirus System Configuration and Updating
    • If a Virus is Detected – What to do…

  • Establishing Network Connections – Describes the approved processes and policies regarding connectivity to the network.

  • Encryption – Defines:
    • Default Protection Not Provided
    • When to Use Encryption
    • Key Selection

  • Printing, Copying, and Fax Transmission – That covers:
    • Faxing Precautions
    • Printer Precautions
    • Copy Machine Precautions
    • Destruction of Waste Copies
    • Repair Services

  • Personal Use of Systems – covering Personal Use and Testing Prohibition.

  • Logging and Monitoring – Covering Session Monitoring, Email Monitoring, and Remote Access Session Monitoring.

  • Outsourced Services and Third Party Services – That covers:
    • Third Party Access to Systems Requires Signed Contract
    • Third Party Agreements On Usage of Software
    • Third Party Non-Disclosure Agreements and Sensitive Information – including the documents you can use.
    • Requests for Information Referred to Public Relations
    • Third Party Supervision in Areas Containing Sensitive Information
    • Security Requirements for Network-Connected Third Party Systems
    • Agreements with Third Parties which Handle Information
    • Approval Required for Access to Internal Systems by Third Parties
    • Risk Acceptance Process and Permissible Exceptions to Policies

  • Third Party Disclosure – Covering Preauthorization for Public Statements, Non-Disclosure Agreements, and Third Party Non-Disclosure Agreements.

  • Third Party Access – Details Acceptable Third Party Access Policies.

  • Risk Assessment and Security Testing – Defines policies for Periodic Risk Assessment and Periodic Security Testing.

  • Privacy – Defining:
    • Exceptions of Privacy
    • Non-Public Personal Information Privacy
    • Privacy Notification
    • Collecting Non-Public Personal Information
    • Opt-Out Policy
    • Third Party Information Privacy

  • Intellectual Property Rights – That defines Legal Ownership, covers Making Copies of Software, and Labeling.

  • Systems Development – Defining:
    • Production System Definition
    • Special Production System Requirements
    • Separation Between Production, Development, and Test Systems
    • User Programming

  • Change Management – Defining Change Control Policies.

  • Reporting Problems – What to Report and How to Report Policy Definition.

  • Intrusion Detection and Incident Response – Defines policies for Use of Intrusion Detection Systems and Responding to Incidents.

  • Non-Compliance Situations – Covers Risk Acceptance and Directions to Receive Further Information.

As noted above, PolicyPRO includes a Non-Disclosure Agreement and a Management Risk Acceptance Memo for Employees and Third Parties.

Summary

Most financial institutions have all of the information systems, people and tools they need to conduct business with their internal and external customers, employees, and third party vendors. Many struggle with the processes associated with developing a working and compliant Information Security Policy. This template allows you to create the document or policy you need to assure the security and protection of your “Information”. Your auditors and examiners will be comfortable that your organization has covered all of the Information classifications important to your business operations.

As a Managed Security Service Provider to financial institutions nationwide, we realize that our banking clients need to focus on their customers and “banking” first. Many of the day-to-day projects, processes and headaches associated with developing and maintaining an adequate information security policy can be dealt with quickly by using DataComm’s PolicyPRO. This policy template enables your organization to implement a comprehensive security policy tailored to your environment without the time and effort traditional policy manuals require.

Once the application has been loaded, creating a custom policy is as simple as…
  • Answer several questions concerning the organization’s Management and Environment.
  • Review the generated policy and remove areas that do not pertain to your organization’s environment or policy.

DataComm’s PolicyPRO addresses the following areas:
  • Information Classification
  • Access Management
  • Logging and Monitoring
  • Third Party Disclosure
  • Risk Assessment and Security Testing
  • Systems Development
  • Acceptable Use of Internet
  • Remote Access
  • Network Connections
  • Printing, Copying, Fax Transmissions
  • IDS and Incident Response
  • Information Security Responsibilities
  • Personal Use of Systems
  • Outsourcing Services and Third Party Services
  • Third Party Access
  • Privacy
  • Intellectual Property Rights
  • Fixed Password Management
  • Electronic Mail
  • Virus, Malicious Code and Change Control
  • Encryption
  • Change Management
  • Reporting Problems
  • Non-Compliance Situations
Then receive Management Approval, Publish and Distribute the Policy – Complete and Ready to be Enforced!

For More Information

Call us at 1-800-544-4627, or send an email to info@dcninc.com

DataComm is always striving to find simple solutions to difficult problems and then offering those solutions to our customers.

Miguel Rosado
Purchasing & Production Supervisor

Copyright © DataComm Networks, Inc.