Gulf Business Form’s IT Security Policies
At Gulf Business Forms we take data and security very seriously. On this page we have taken the steps outlined in context our IT Security Policies which identifies the rules and procedures for all individuals accessing and using our company’s IT assets and resources.
Definitions
Information Systems: All electronic means used to create, store, access, transmit, and use data, information, or communications in the conduct of administrative, instructional, research, or service activities.
Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
Authorized User: An individual or automated application or process that is authorized access to the resource by the system owner, in accordance with the system owner’s procedures and rules.
Extranet: An intranet that is partially accessible to authorized persons outside of a company or organization.
Overview
Data, electronic file content, information systems, and computer systems at Gulf Business Forms, Inc., hereinafter, referred to as GBF is managed as valuable organization resources.
Gulf Business Forms Information Technology’s (IT) intentions are not to impose restrictions that are contrary to GBF’s established culture of openness, trust, and integrity. IT is committed to protecting GBF’s authorized users, partners, and the company from illegal or damaging actions by individuals either knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including, but not limited to, computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and File Transfer Protocol (FTP) are the property of GBF.
These systems are to be used for business purposes in serving the interests of GBF and of its clients and members during normal operations.
Effective security is a team effort involving the participation and support of every GBF employee, volunteer, and affiliate who deals with information and/or information systems.
It is the responsibility of every computer user to know these guidelines and to conduct activities accordingly.
Purpose
The purpose of this policy is to outline the acceptable use of computer equipment at GBF. These rules are in place to protect the authorized user and GBF. Inappropriate use exposes GBF to risks including virus attacks, compromise of network systems and services, and legal issues.
Scope
This policy applies to the use of information, electronic and computing devices, and network resources to conduct GBF business or interacts with internal networks and business systems, whether owned or leased by GBF, the employee, or a third party.
All employees, volunteer/directors, contractors, consultants, temporaries, and other workers at GBF, including all personnel affiliated with third parties, are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with GBF policies and standards, local laws, and regulations.
POLICY DETAILS
Ownership of Electronic Files
All electronic files created, sent, received, or stored on GBF owned, leased, or administered equipment or otherwise under the custody and control of GBF are the property of GBF.
Privacy
This policy explains what information we collect and how we secure data when you use Gulf Business Forms site, services, products (‘Services”). You can further read our privacy policy here. Our aim is not just to comply with privacy law. It’s to earn your trust.
Electronic file content may also be accessed by appropriate personnel in accordance with directives from Human Resources or the President/CEO.
General Use and Ownership
Access requests must be authorized and submitted from departmental supervisors for employees to gain access to computer systems. Authorized users are accountable for all activity that takes place under their username.
Authorized users should be aware that the data and files they create on the corporate systems immediately become the property of GBF. Because of the need to protect GBF’s network, there is no guarantee of privacy or confidentiality of any information stored on any network device belonging to GBF.
For security and network maintenance purposes, authorized individuals within the GBF IT Department may monitor equipment, systems, and network traffic at any time.
GBF’s IT Department reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
GBF’s IT Department reserves the right to remove any non-business related software or files from any system.
Examples of non-business related software or files include, but are not limited to; games, instant messengers, pop email, music files, image files, freeware, and shareware.
Security and Proprietary Information
All mobile and computing devices that connect to the internal network must comply with this policy and the following policies:
• Account Management
• Anti-Virus
• Owned Mobile Device Acceptable Use and Security
• E-mail
• Internet
• Safeguarding Customer Information
• Personal Device Acceptable Use and Security
• Password
• Wireless (Wi-Fi) Connectivity
• Telecommuting
System level and user level passwords must comply with the Password Policy. Authorized users must not share their GBF login ID(s), account(s), passwords, Personal Identification Numbers (PIN), Security Tokens (i.e. Smartcard), or similar information or devices used for identification and authentication purposes.
Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.
Authorized users may access, use, or share GBF proprietary information only to the extent it is authorized and necessary to fulfill the users assigned job duties.
Certain department PCs and or workstations should are secured password-protected.
All users must lockdown their PCs, laptops, and workstations by locking (control-alt- delete) when the host will be unattended for any amount of time. Employees must log-off, or restart (but not shut down) their PC after their shift.
GBF proprietary information stored on electronic and computing devices, whether owned or leased by GBF, the employee, or a third party, remains the sole property of GBF. All proprietary information must be protected through legal or technical means.
All users are responsible for promptly reporting the theft, loss, or unauthorized disclosure of GBF proprietary information to their immediate supervisor and/or the IT Department.
All users must report any weaknesses in GBF computer security and any incidents of possible misuse or violation of this agreement to their immediate supervisor and/or the IT Department.
Authorized users must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan Horse codes.
Unacceptable Use
Users must not intentionally access, create, store, or transmit material which GBF} may deem to be offensive, indecent, or obscene.
Under no circumstances is an employee, volunteer/director, contractor, consultant, or temporary employee of GBF authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing GBF-owned resources.
System and Network Activities
The following activities are prohibited by users, with no exceptions:
• Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by GBF.
• Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution from copyrighted sources, copyrighted music, and the installation of any copyrighted software for which GBF or the end user does not have an active license is prohibited. Users must report unlicensed copies of installed software to GBF IT.
• Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
• Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
• Using a GBF computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws.
• Attempting to access any data, electronic content, or programs contained on GBF systems for which they do not have authorization, explicit consent, or implicit need for their job duties.
• Installing any software, upgrades, updates, or patches on any computer or information system without the prior consent of GBF IT.
• Installing or using non-standard shareware or freeware software without GBF IT approval.
• Installing, disconnecting, or moving any GBF owned computer equipment and peripheral devices without prior consent of GBF’s IT Department.
• Purchasing software or hardware, for GBF use, without prior IT compatibility review.
• Purposely engaging in activity that may; degrade the performance of information systems;
– deprive an authorized GBF user access to a GBF resource;
– obtain extra resources beyond those allocated; or circumvent GBF computer security measures.
• Downloading, installing, or running security programs or utilities that reveal passwords, private information, or exploit weaknesses in the security of a system. For example, GBF users must not run spyware, adware, password cracking programs, packet sniffers, port scanners, or any other non- approved programs on GBF information systems. The GBF IT Department is the only department authorized to perform these actions.
• Circumventing user authentication or security of any host, network, or account.
• Interfering with, or denying service to, any user other than the employee’s host (for example, denial of service attack).
• Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user’s terminal session, via any means, locally or via the Internet/Intranet/Extranet.
Access to the Internet at home, from a GBF-owned computer, must adhere to all the same policies that apply to use from within GBF facilities. Authorized users must not allow family members or other non-authorized users to access GBF computer systems.
GBF information systems must not be used for personal benefit.
Incidental Use
As a convenience to the GBF user community, incidental use of information systems is permitted. The following restrictions apply:
• Authorized Users are responsible for exercising good judgment regarding the reasonableness of personal use. Immediate supervisors are responsible for supervising their employees regarding excessive use.
• Incidental personal use of electronic mail, internet access, fax machines, printers, copiers, and so on, is restricted to GBF approved users; it does not extend to family members or other acquaintances.
• Incidental use must not result in direct costs to GBF without prior approval of management.
• Incidental use must not interfere with the normal performance of an employee’s work duties.
• No files or documents may be sent or received that may cause legal action against, or embarrassment to, GBF.
• Storage of personal email messages, voice messages, files, and documents within GBF’s information systems must be nominal.
• All messages, files, and documents — including personal messages, files, and documents — located on GBF information systems are owned by GBF, may be subject to open records requests, and may be accessed in accordance with this policy.
Review and Acceptance
All GBF staff is responsible for review and acceptance of Acceptable Use OF Information Policy upon starting work at GBF.
New employee on-boarding and training shall include this policy at a minimum, and in addition to all other applicable training and orientation material, and instructions for acceptance shall be provided at that time. Signed acceptance will be received and retained by Information Technology management.
I understand the information in the Acceptable Use of Information Systems policy is a summary only, and it is my responsibility to review and become familiar with all of the material contained in the Comprehensive IT Policy.
I understand the most updated policies and Bylaws will always be located on the intranet for my reference, and it will be my responsibility to review the policies and Bylaws as they are updated.
I further understand the content of the Comprehensive IT Policy supersedes all policies previously issued. I also understand that GBF may supersede, change, eliminate, or add to any policies or practices described in the Comprehensive IT Policy.
By visiting this website “www.gulfforms.com” being employed and or doing business with Gulf Business Forms, Inc., “(GBF)” I read understand, acknowledge and accept the Acceptable Use of Information Systems Policy and it will be my responsibility to review the Gulf Business Forms, Inc., (GBF) IT policies as they are updated.
Overview
Computer accounts are the means used to grant access to Gulf Business Forms’s information systems. These accounts provide a means of providing accountability, a key to any computer security program, for Gulf Business Forms usage.
This means that creating, controlling, and monitoring all computer accounts is extremely important to an overall security program.
Purpose
The purpose of this policy is to establish a standard for the creation, administration, use, and removal of accounts that facilitate access to information and technology resources at Gulf Business Forms.
Audience
This policy applies to the employees, Directors, volunteers, contractors, consultants, temporaries, and other workers at Gulf Business Forms, including all personnel affiliated with third parties with authorized access to any Gulf Business Forms information system.
Policy Detail
Accounts
• All accounts created must have an associated written request and signed management approval that is appropriate for the Gulf Business Forms system or service.
• All accounts are uniquely identifiable using the assigned username.
• Shared accounts on Gulf Business Forms information systems are not permitted.
• Reference the Employee Access During Leave of Absence Policy for removing an employee’s access while on a leave of absence or vacation.
• All default passwords for accounts must be constructed in accordance with the Gulf Business Forms Password Policy.
• All accounts must have a password expiration that complies with the Gulf Business Forms Password Policy.
• Concurrent connections may be limited for technical or security reasons.
• All accounts must be disabled immediately upon notification of any employee’s termination.
Account Management
The following items apply to System Administrators or designated staff:
• Information system user accounts are to be constructed so that they enforce the most restrictive set of rights/privileges or accesses required for the performance of tasks associated with an individual’s account. Further, to eliminate conflicts of interest, accounts shall be created so that no one user can authorize, perform, review, and audit a single transaction.
• All information system accounts will be actively managed. Active management includes the acts of establishing, activating, modifying, disabling, and removing accounts from information systems.
• Access controls will be determined by following established procedures for new employees, employee changes, employee terminations, and leave of absence.
• All account modifications must have a documented process to modify a user account to accommodate situations such as name changes and permission changes.
• Information system accounts are to be reviewed monthly to identify inactive accounts. If an employee or third party account is found to be inactive for 30 days, the owners (of the account) and their manager will be notified of pending disablement. If the account continues to remain inactive for 15 days, it will be manually disabled.
• A list of accounts, for the systems they administer, must be provided when requested by authorized Gulf Business Forms management.
Overview
Malware threats must be managed to minimize the amount of downtime realized by Gulf Business Forms’s systems and prevent risk to critical systems and member data. This policy is established to:
• Create prudent and acceptable practices regarding anti-virus management
• Define key terms regarding malware and anti-virus protection
• Educate individuals, who utilize Gulf Business Forms system resources, on the responsibilities associated with anti-virus protection
Note: The terms virus and malware, as well as anti-virus and anti-malware, may be used interchangeably.
Purpose
This policy was established to help prevent infection of Gulf Business Forms computers, networks, and technology systems from malware and other malicious code. This policy is intended to help prevent damage to user applications, data, files, and hardware.
Audience
This policy applies to all computers connecting to the Gulf Business Forms network for communications, file sharing, etc. This includes, but is not limited to, desktop computers, laptop computers, servers, and any PC based equipment connecting to the Gulf Business Forms network.
Policy Detail
All computer devices connected to the Gulf Business Forms network and networked resources shall have anti-virus software installed and configured so that the virus definition files are current and are routinely and automatically updated. The anti-virus software must be actively running on these services.
The virus protection software must not be disabled or bypassed without IT approval.
The settings for the virus protection software must not be altered in a manner that will reduce the effectiveness of the software.
The automatic update frequency of the virus protection software must not be altered to reduce the frequency of updates.
Each file server, attached to the Gulf Business Forms network, must utilize Gulf Business Forms IT approved virus protection software and setup to detect and clean viruses that may infect Gulf Business Forms resources.
Each e-mail gateway utilizes Gulf Business Forms IT approved e-mail virus protection software.
All files on computer devices will be scanned periodically for malware.
Every virus that is not automatically cleaned by the virus protection software constitutes a security incident and must be reported to the Service Desk.
If deemed necessary to prevent propagation to other networked devices or detrimental effects to the network or data, an infected computer device may be disconnected from the Gulf Business Forms network until the infection has been removed.
Company users should:
• Avoid viruses by NEVER opening any files or macros attached to an e-mail from an unknown, suspicious, or untrustworthy source. Delete these attachments immediately then remove them from the trash or recycle bin.
• Delete spam, chain, or other junk mail without opening or forwarding the item.
• Never download files from unknown or suspicious sources.
• Always scan removable media from an unknown or non-Gulf Business Forms source (such as a CD or USB from a vendor) for viruses before using it.
• Back up critical data on a regular basis and store the data in a safe place. Critical Gulf Business Forms data can be saved to network drives and are backed up on a periodic basis. Contact the Gulf Business Forms IT Department for details.
Because new viruses are discovered every day, users should periodically check the Anti-Virus Policy for updates. The Gulf Business Forms IT Department should be contacted for updated recommendations.
Overview
Gulf Business Forms is committed to protecting the privacy of its employees and customers and shall protect the confidentiality of nonpublic information consistent with state and federal laws.
Gulf Business Forms has an obligation to ensure the security and confidentiality of its member records and to protect these records against unauthorized access that could result in any type of loss or inconvenience for its customers.
Purpose
The purpose and principle of a “clean desk” policy is to ensure that confidential data is not exposed to individuals who may pass through the area such as members, service personnel, and thieves. It encourages methodical management of one’s workspace.
Because of the risk of being compromised, confidential information should always be treated with care.
Policy Detail
To maintain the security and privacy of employees’ and customers’ personal information, Gulf Business Forms employees should observe the “clean desk” rule. All employees should take appropriate actions to prevent unauthorized persons from having access to member information, applications, or data. Employees are also required to make a conscientious check of their surrounding work environment to ensure that there will be no loss of confidentiality to data media or documents.
The clean desk policy applies to:
• Day Planners and Rolodexes that may contain non-public information
• File cabinets, storage cabinets, and briefcases containing sensitive or confidential information
• Any confidential or sensitive data, including reports, lists, or statements. Sensitive data refers to personal information and restricted data. Personal information includes, but is not limited to:
– An individual’s name
– Social security number
– Driver’s license number or identification card number
– Account number, credit or debit card number, security code, access code or password that could permit access to an individual’s financial account
Restricted data is divided into two categories:
– Personal data, that refers to any combination of information that identifies and describes an individual.
– Limited data, that refers to electronic information whose unauthorized access, modification, or loss could seriously or adversely affect Gulf Business Forms, its members, and non-members.
• Electronic devices, including cell phones and tablet devices
• Keys used to access sensitive information
• Printouts containing sensitive information
• Data on printers, copy machines, and/or fax machines
• Computer workstations and passwords
• Portable media, such as CD’s, disks, or flash drives
• Desks or work areas, including white boards and bookshelves
Overview
Gulf Business Forms operates network firewalls between the Internet and its private internal network to create a secure operating environment for Gulf Business Forms’s computer and network resources. A firewall is just one element of a layered approach to network security.
Purpose
This policy governs how the firewalls will filter Internet traffic to mitigate the risks and losses associated with security threats to Gulf Business Forms’s network and information systems.
The firewall will (at minimum) perform the following security services:
- Access control between the trusted internal network and non trusted external networks
- Block unwanted traffic as determined by the firewall rule-set
- Hide vulnerable internal systems from the Internet
- Hide information, such as system names, network topologies, and internal user IDs, from the Internet
- Log traffic to and from the internal network
- Provide robust authentication
- Provide virtual private network (VPN) connectivity
Policy Detail
All network firewalls, installed and implemented, must conform to the current standards as determined by Gulf Business Forms’s IT Department. Unauthorized or non-standard equipment is subject to immediate removal, confiscation, and/or termination of network connectivity without notice.
The approach adopted to define firewall rule-sets is that all services will be denied by the firewall unless expressly permitted in this policy.
• Outbound – allows all Internet traffic to authorized groups
All traffic is authorized by Internet Protocol (IP) address and port The firewalls will provide:
• Packet filtering – selective passing or blocking of data packets as they pass through a network interface. The most often used criteria are source and destination address, source and destination port, and protocol.
• Application proxy – every packet is stopped at the proxy firewall and examined and compared to the rules configured into the firewall.
• Stateful Inspection – a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.
The firewalls will protect against:
• IP spoofing attacks – the creation of IP packets with a forged source IP address with the purpose of concealing the identity of the sender or impersonating another computing system.
• Denial-of-Service (DoS) attacks – the goal is to flood the victim with overwhelming amounts of traffic and the attacker does not care about receiving responses to the attack packets.
• Any network information utility that would reveal information about the Gulf Business Forms domain.
A change control process is required before any firewall rules are modified. Prior to implementation, the Third Party Vendor and Media Temple network administrators are required to have the modifications approved by Gulf Business Forms IT Department. All related documentation is to be retained for three (3) years.
All firewall implementations must adopt the position of “least privilege” and deny all inbound traffic by default. The rule-set should be opened incrementally to only allow permissible traffic.
Firewall rule-sets and configurations require periodic review to ensure they afford the required levels of protection:
Gulf Business Forms must review all network firewall rule-sets and configurations during the initial implementation process and periodically thereafter.
Firewall rule-sets and configurations must be backed up frequently to alternate storage (not on the same device). Multiple generations must be captured and retained, to preserve the integrity of the data, should restoration be required.
Access to rule-sets and configurations and backup media must be restricted to those responsible for administration and review.
Responsibilities
The Gulf Business Forms IT Department is responsible for implementing and maintaining Gulf Business Forms firewalls, as well as for enforcing and updating this policy. Logon access to the firewall will be restricted to a primary firewall administrator and designee as assigned. Password construction for the firewall will be consistent with the strong password creation practices.
The specific guidance and direction for information systems security is accordance with the Gulf Business Forms IT Department. IT will manage the configuration of the Gulf Business Forms firewalls.
Gulf Business Forms external firewall management responsibility:
• Retention of the firewall rules
• Patch Management
Review the firewall logs for:
• System errors
• Blocked web sites
• Attacks
• Sending alerts to the Gulf Business Forms network administrators in the event of attacks or system errors
• Backing up the firewalls
Overview
Physical access controls define who is allowed physical access to Gulf Business Forms facilities that house information systems, to the information systems within those facilities, and/or the display mechanisms associated with those information systems. Without physical access controls, the potential exits exists that information systems could be illegitimately, physically accessed and the security of the information they house could be compromised.
Purpose
This policy applies to all facilities of Gulf Business Forms, within which information systems or information system components are housed. Specifically, it includes:
• Data centers or other facilities for which the primary purpose is the housing of IT infrastructure
• Data rooms or other facilities, within shared purpose facilities, for which one of the primary purposes is the housing of IT infrastructure
• Switch and wiring closets or other facilities, for which the primary purpose is not the housing of IT infrastructure
Policy Detail
Access to facilities, information systems, and information system display mechanisms will be limited to authorized personnel only. Authorization will be demonstrated with authorization credentials (identity cards, etc.) that have been issued by Gulf Business Forms.
Access to facilities will be controlled at defined access points with the use of card readers and locked doors. Before physical access to facilities, information systems, or information system display mechanisms is allowed, authorized personnel are required to authenticate themselves at these access points. The delivery and removal of information systems will also be controlled at these access points. No equipment will be allowed to enter or leave the facility, without prior authorization, and all deliveries and removals will be logged.
A list of authorized personnel will be established and maintained so that newly authorized personnel are immediately appended to the list and those personnel who have lost authorization are immediately removed from the list. This list shall be reviewed and, where necessary, updated on at least an annual basis.
If visitors need access to the facilities that house information systems or to the information systems themselves, those visitors must have prior authorization, must be positively identified, and must have their authorization verified before physical access is granted. Once access has been granted, visitors must be escorted, and their activities monitored at all times.
Overview
Security Incident Management at Gulf Business Forms is necessary to detect security incidents, determine the magnitude of the threat presented by these incidents, respond to these incidents, and if required, notify Gulf Business Forms customers of the breach.
Purpose
This policy defines the requirement for reporting and responding to incidents related to Gulf Business Forms information systems and operations. Incident response provides Gulf Business Forms with the capability to identify when a security incident occurs. If monitoring were not in place, the magnitude of harm associated with the incident would be significantly greater than if the incident were noted and corrected.
This policy applies to all information systems and information system components of Gulf Business Forms. Specifically, it includes:
• Mainframes, servers, and other devices that provide centralized computing capabilities.
• Devices that provide centralized storage capabilities.
• Desktops, laptops, and other devices that provide distributed computing capabilities.
• Routers, switches, and other devices that provide network capabilities.
• Firewalls, Intrusion Detection/Prevention (IDP) sensors, and other devices that provide dedicated security capabilities.
In the event a breach of customer’s information occurs, Gulf Business Forms is required by Texas state law to notify individual(s) and or customers as described in Section 521.053 of the Texas Business & Commerce Code.
Policy Detail
Program Organization
• Computer Emergency Response Plans – Gulf Business Forms management must prepare, periodically update, and regularly test emergency response plans that provide for the continued operation of critical computer and communication systems in the event of an interruption or degradation of service. For example, Charter connectivity is interrupted or an isolated malware discovery.
• Incident Response Plan Contents – The Gulf Business Forms incident response plan must include roles, responsibilities, and communication strategies in the event of a compromise, including notification of relevant external partners.
Specific areas covered in the plan include:
– Specific incident response procedures
– Business recovery and continuity procedures
– Data backup processes
– Analysis of legal requirements for reporting compromises
– Identification and coverage for all critical system components
– Reference or inclusion of incident response procedures from relevant external partners, e.g., payment card issuers, suppliers
• Incident Response Testing – at least once every year, the Gulf Business Forms IT Department utilizes simulated incidents to mobilize and test the adequacy of response. Where appropriate, tests will be integrated with testing of related plans (Business Continuity Plan, Disaster Recovery Plan, etc.) where such plans exist. The results of these tests will be documented.
• Incident Response and Recovery – A security incident response capability will be developed and implemented for all information systems that house or access Gulf Business Forms controlled information.
The incident response capability will include a defined plan and will address the seven stages of incident response:
– Preparation
– Detection
– Analysis
– Containment
– Eradication
– Recovery
– Post-Incident Activity
To facilitate incident response operations, responsibility for incident handling operations will be assigned to an incident response team. If an incident occurs, the members of this team will be charged with executing the incident response plan. To ensure that the team is fully prepared for its responsibilities, all team members will be trained in incident response operations on an annual basis.
Incident response plans will be reviewed and, where applicable, revised on an annual basis. The reviews will be based upon the documented results of previously conducted tests or live executions of the incident response plan. Upon completion of plan revision, updated plans will be notified to President and or VP.
• Intrusion Response Procedures – The Gulf Business Forms IT Department documents and periodically revises the Incident Response Plan with intrusion response procedures. These procedures include the sequence of actions that staff must take in response to a suspected information system intrusion, who has the authority to perform what responses, and what resources are available to assist with responses. All staff expected to follow these procedures must be periodically trained in and otherwise acquainted with these procedures.
• Malicious Code Remediation – Steps followed will vary based on scope and severity of a malicious code incident as determined by Information Security Management. They may include but are not limited to: malware removal with one or more tools, data quarantine, permanent data deletion, hard drive wiping, or hard drive/media destruction.
• Data Breach Management – Gulf Business Forms IT management will prepare, test, and annually update the Incident Response Plan that addresses policies and procedures for responding in the event of a breach of sensitive customer data.
• Incident Response Plan Evolution – The Incident Response Plan will be updated to reflect the lessons learned from actual incidents. The Incident Response Plan will be updated to reflect developments in the industry.
Program Communication
• Reporting to Third Parties – Unless required by law or regulation to report information security violations to external authorities, senior management, in conjunction with legal representatives the Gulf Business Forms IT Department will weigh the pros and cons of external disclosure before reporting these violations.
– If a verifiable information systems security problem, or a suspected but likely information security problem, has caused third party private or confidential information to be exposed to unauthorized persons, these third parties will be immediately informed about the situation.
– If sensitive information is lost, disclosed to unauthorized parties, or suspected of being lost or disclosed to unauthorized parties, both its Owner and the IT Department will be notified immediately.
• Display of Incident Reporting Contact Information – Gulf Business Forms contact information and procedures for reporting information security incidents must be prominently displayed on our company website.
• Customer Notification – The notification will be conducted and overseen by Gulf Business Forms.
The notification will contain, at a minimum, the following elements:
– Recommendations for the member to protect him/herself
– Contact information for the Federal Trade Commission
– Contact information for the credit bureaus
TransUnion:
Fraud Victim Assistance Division PO Box 6790
Fullerton, CA 92834-6790
1-800-680-7289
www.transunion.com
Equifax:
PO Box 740241
Atlanta, GA 30374-0241
1-800-525-6285
www.equifax.com
Experian:
PO Box 9554
Allen, TX 75013
1-888-397-3742
www.experian.com
Overview
Most components of the IT infrastructure at Gulf Business Forms are capable of producing logs chronicling their activity over time. These logs often contain very detailed information about the activities of applications and the layers of software and hardware that support those applications.
Logging from critical systems, applications, and services can provide key information and potential indicators of compromise and is critical to have for forensics analysis.
Purpose
Log management can be of great benefit in a variety of scenarios, with proper management, to enhance security, system performance, resource management, and regulatory compliance. Gulf Business Forms performs a periodic risk assessment to determine what information may be captured from the following:
• Access – who is using services
• Change Monitoring – how and when services were modified
• Malfunction – when services fail
• Resource Utilization – how much capacity is used by services
• Security Events – what activity occurred during an incident, and when
• User Activity – what people are doing with services
Policy Detail
Log generation
Depending on the volume of activity and the amount of information in each log entry, logs have the potential of being very large.
Information in logs often cannot be controlled by application, system, or network administrators, so while the listed items are highly desirable, they should not be viewed as absolute requirements.
Application logs
Application logs identify what transactions have been performed, at what time, and for whom. Those logs may also describe the hardware and operating system resources that were used to execute that transaction.
System logs
System logs for operating systems and services, such as web, database, authentication, print, etc., provide detailed information about their activity and are an integral part of system administration.
When related to application logs, they provide an additional layer of detail that is not observable from the application itself. Service logs can also aid in intrusion analysis, when an intrusion bypasses the application itself.
Change management logs, that document changes in the IT or business environment, provide context for the automatically generated logs.
Other sources, such as physical access or surveillance logs, can provide context when investigating security incidents.
Client workstations also generate system logs that are of interest, particularly for local authentication, malware detection, and host-based firewalls.
Network logs
Network devices, such as firewalls, intrusion detection/prevention systems, routers, and switches are generally capable of logging information.
These logs have value of their own to network administrators, but they also may be used to enhance the information in application and other logs.
Many components of the IT infrastructure, such as routers and network-based firewalls, generate logs. All of the logs have potential value and should be maintained. These logs typically describe flows of information through the network, but not the individual packets contained in that flow.
Other components for the network infrastructure, such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers, provide valuable information about network configuration elements, such as IP addresses, that change over time.
Time synchronization
One of the important functions of a log management infrastructure is to relate records from various sources by time. Therefore, it is important that all components of the IT infrastructure have synchronized clocks. Gulf Business Forms uses Network Time Protocol (NTP) for time synchronization.
Use of log information
Logs often contain information that, if misused, could represent an invasion of the privacy of customers of Gulf Business Forms. While it is necessary for Gulf Business Forms to perform regular collection and monitoring of these logs, this activity should be done in the least invasive manner.
Baseline behavior
It is essential that a baseline of activity, within the IT infrastructure, be established and tracked as it changes over time. Understanding baseline behavior allows for the detection of anomalous behavior, which could indicate a security incident or a change in normal usage patterns. Procedures will be in place to ensure that this information is reviewed on a regular and timely basis.
Investigation
When an incident occurs, various ad hoc questions will need to be answered. These incidents may be security related, or they may be due to a malfunction, a change in the IT infrastructure, or a change in usage patterns. Whatever the cause of the incident, it will be necessary to retrieve and report log records.
Thresholds shall be established that dictate what level of staff or management response is required for any given log entry or group of entries and detailed in a procedure.
Log record life-cycle management
When logs document or contain valuable information related to activities of Gulf Business Forms’s information resources or the people who manage those resources, they are Gulf Business Forms Administrative Records, subject to the requirements of Gulf Business Forms to ensure that they are appropriately managed and preserved and can be retrieved as needed.
Retention
To facilitate investigations, as well as to protect privacy, the retention of log records should be well defined to provide an appropriate balance among the following:
• Confidentiality of specific individuals’ activities
• The need to support investigations
• The cost of retaining the records
Care should be taken not to retain log records that are not needed. The cost of long- term retention can be significant and could expose Gulf Business Forms to high costs of retrieving and reviewing the otherwise unneeded records in the event of litigation.
Log management infrastructure
A log management infrastructure will be established to provide common management of log records. To facilitate the creation of log management infrastructures, system-wide groups will be established to address the following issues:
• Technology solutions that can be used to build log management infrastructures
• Typical retention periods for common examples of logged information
Overview
Systems monitoring and auditing, at Gulf Business Forms, is performed to determine when a failure of the information system security, or a breach of the information systems itself, has occurred, and the details of that breach or failure.
Purpose
System monitoring and auditing is used to determine if inappropriate actions have occurred within an information system. System monitoring is used to look for these actions in real time while system auditing looks for them after the fact.
This policy applies to all information systems and information system components of Gulf Business Forms. Specifically, it includes:
• Mainframes, servers, and other devices that provide centralized computing capabilities
• Devices that provide centralized storage capabilities
• Desktops, laptops, and other devices that provide distributed computing capabilities
• Routers, switches, and other devices that provide network capabilities
• Firewall, Intrusion Detection/Prevention (IDP) sensors, and other devices that provide dedicated security capabilities
Policy Detail
Information systems will be configured to record login/logout and all administrator activities into a log file. Additionally, information systems will be configured to notify administrative personnel if inappropriate, unusual, and/or suspicious activity is noted. Inappropriate, unusual, and/or suspicious activity will be fully investigated by appropriate administrative personnel and findings reported to the IT Department, President or VP.
Information systems are to be provided with sufficient primary (on-line) storage to retain 30-days’ worth of log data and sufficient secondary (off-line) storage to retain one year’s worth of data. If primary storage capacity is exceeded, the information system will be configured to overwrite the oldest logs. In the event of other logging system failures, the information system will be configured to notify an administrator.
System logs shall be manually reviewed weekly. Inappropriate, unusual, and/or suspicious activity will be fully investigated by appropriate administrative personnel and findings reported to appropriate security management personnel.
System logs are considered confidential information. As such, all acce