This policy defines the risk management requirements for the identification of the appropriate control posture for all Ringmaster Technologies computer and communications information system assets.
This policy applies to all Ringmaster Technologies computer systems and facilities, with a target audience of Ringmaster Technologies Executive Management, Information Technology employees and partners.
Management Support for Information Security
- Critical Business Function – Information and information systems are necessary for the performance of just about every essential activity at Ringmaster Technologies. If there were to be a serious security problem with this information or these information systems, Ringmaster Technologies could suffer serious consequences including lost customers, reduced revenues, and degraded reputation. As a result, information security now must be a critical part of the Ringmaster Technologies business environment.
Information Security Program
- Information Security Program – Ringmaster Technologies must implement a comprehensive, written information security program that will secure Ringmaster Technologies information assets in a manner commensurate with each asset’s value as established by risk assessment and mitigation measures. The information security program must be updated and re-approved by Ringmaster Technologies management annually or whenever there is a material change in the organization or infrastructure.
- Information Security Policies – Written information security policies and procedures must be implemented and enforced to assure the security, reliability, integrity, and availability of Ringmaster Technologies information assets.
- Risk Assessments – The information security program must be updated, as appropriate, based on the results of the organization’s risk assessment and any risk assessment completed by a Third-Party.
Intellectual Property Rights
- Legal Ownership – With the exception of material clearly owned by third parties, Ringmaster Technologies is the legal Owner of all business information stored on or passing through its systems. Unless the chief technology officer has signed a specific written agreement, all business-related information developed while a user is employed by Ringmaster Technologies is Ringmaster Technologies property.
- Unauthorized Copying – Users must not copy software provided by Ringmaster Technologies to any storage media, transfer such software to another computer, or disclose such software to outside parties without advance permission from their supervisor. Ordinary backup copies are an authorized exception to this policy.
Information Security Roles and Responsibilities
- Management Responsibility and Accountability – Information security is a management responsibility, and decision-making for information security must not be delegated. While specialists and advisors play an important role in helping to make sure that controls are designed properly, functioning properly, and adhered to consistently, it is the manager in charge of the business area involved who is primarily responsible for information security.
- Asset Ownership – All production information assets possessed by or used by Ringmaster Technologies must have a designated owner with ownership responsibilities clearly documented.
Acceptable Use of Assets and Information Systems
- Compliance Statement – All workers who wish to use Ringmaster Technologies multi-user computer systems must sign an NDA and compliance statement prior to being given access to Ringmaster Technologies computer systems. Where users already have user IDs, such signatures must be obtained prior to receiving annually renewed user IDs. A signature on this compliance statement indicates that the involved user understands and agrees to adhere to Ringmaster Technologies policies and procedures related to computers and networks, including the instructions contained in this policy.
- Personal Use of Systems – Ringmaster Technologies information systems are intended to be used for business purposes only. Incidental personal use is permissible if the use does not consume more than a trivial amount of resources that could otherwise be used for business purposes, does not interfere with worker productivity, and does not preempt any business activity. Permissible incidental use of an electronic mail system would, for example, involve sending a message to schedule a luncheon. Personal use that does not meet all three of these conditions requires the advance permission of a department manager. Games that are shipped with computer operating systems may be played during scheduled breaks or lunch as long as this activity does not interfere with worker productivity. Games that take the form of separate software packages are prohibited. Use of Ringmaster Technologies information systems for chain letters, charitable solicitations, political campaign material, religious work, transmission of objectionable material, or any other non-business use is prohibited.
- Secure Internet Use – Workers are provided with Internet access to perform their job duties. Workers must take special care to ensure that they do not represent Ringmaster Technologies on Internet discussion groups and in other public forums, unless they have previously received top management authorization to act in this capacity. All information received from the Internet should be considered to be suspect until confirmed by reliable sources. Workers must not place Ringmaster Technologies material on any publicly accessible computer system such as the Internet unless the posting has been approved by both the information Owner and the director of the Information Technology department. Sensitive information, including passwords and credit card numbers, must not be sent across the Internet unless this information is in encrypted form.
- Posting Information to Public Discussion Groups – Users must not post to public discussion groups, “blogs”, chat rooms, or other public forums on the Internet unless they have been preauthorized by the Public Relations department to make this type of representation on behalf of Ringmaster Technologies. Management reserves the right to remove any Internet posting by a worker at Ringmaster Technologies that it deems inappropriate and potentially damaging to the organization’s reputation.
- Secure Electronic Mail Use – Every Ringmaster Technologies worker who uses computers in the course of their regular job duties will be granted an Internet electronic mail address and related privileges. All Ringmaster Technologies business communications sent by electronic mail must be sent and received using this company electronic mail address. A personal Internet service provider electronic mail account or any other electronic mail address must not be used for Ringmaster Technologies business unless a worker obtains management approval. Emotional outbursts sent through electronic mail and overloading the electronic mail account of someone through a deluge of messages are forbidden. All business electronic mail communications must be proofread before they are sent, and professional and businesslike in both tone and appearance. Electronic mail is a public communication method much like a postcard. All Ringmaster Technologies workers must refrain from sending credit card numbers, passwords, or other sensitive information that might be intercepted.
Information Classification and Handling
- Consistent Information Handling – Ringmaster Technologies information, and information that has been entrusted to Ringmaster Technologies, must be protected in a manner commensurate with its sensitivity and criticality. Security measures must be employed regardless of the media on which information is stored, the systems that process it, or the methods by which it is moved. Information must be protected in a manner that is consistent with its classification, no matter what its stage in the life cycle from origination to destruction.
- Software and Data Exchange Agreements – Exchanges of in-house software or internal information between Ringmaster Technologies and any Third-Party must be accompanied by a written agreement that specifies the terms of the exchange, and the manner in which the software or information is to be handled and protected.
- Confidential Information Encryption – All computerized confidential information must be encrypted, with tools approved by the Information Security Department, when not in active use for authorized business purposes.
Mobile Computing and Work at Home
- Approval for Remote Access – Remote access to Ringmaster Technologies computers must be granted only to those users who have a demonstrable business need for such access. Permission to access Ringmaster Technologies computers remotely is granted by and annually reviewed by a user’s manager. Ringmaster Technologies reserves the right to conduct surprise audits of users with remote access privileges. These surprise audits could include visits to remote sites and a review of the contents of a computer used to access Ringmaster Technologies systems.
- Access Control Packages – All portable and remote computers that are under the control of Ringmaster Technologies workers and that are used to process Ringmaster Technologies business information must be protected with an access control package approved by the Information Security department. These access control packages must prevent unauthorized use of the machines and unauthorized access to Ringmaster Technologies information. These access control packages must prevent virus infections and other types of damage from malicious software.
- Handling of Sensitive Information – Sensitive (Confidential or Secret) information must not leave Ringmaster Technologies offices unless the protections described here are in place. If it is necessary to remove computer-readable sensitive information from Ringmaster Technologies offices, this information must be protected with encryption facilities approved by Information Security. If sensitive information is transmitted over public computer networks such as the Internet, this transmission must take place with encryption facilities approved by Information Security. All portable and remote systems storing sensitive Ringmaster Technologies information must also employ hard disk encryption systems.
Information Access Control
- Need to Know – Access to information in the possession of, or under the control of Ringmaster Technologies must be provided based on the need to know. Information must be disclosed only to people who have a legitimate business need for the information. At the same time, workers must not withhold access to information when the Owner of the information instructs that it be shared.
- Access Approval – To implement the need-to-know concept, Ringmaster Technologies has adopted an access request and Owner approval process. Workers must not attempt to access sensitive information unless the relevant Owner has granted them access rights. When a worker changes job duties (including termination, transfer, promotion and leave of absence) his or her supervisor must immediately notify the Information Security department. The privileges granted to all workers must be periodically reviewed by information Owners and Custodians to ensure that only those with a current need to know presently have access.
- User IDs and Passwords – To implement the need-to-know process, Ringmaster Technologies requires that each worker accessing multi-user information systems have a unique user ID and a private password. These user IDs must be employed to restrict system privileges based on job duties, project responsibilities, and other business activities. Each worker is personally responsible for the usage of his or her user ID and password.
- User Authentication – All production information system user IDs must have a linked password or a stronger mechanism such as a dynamic password token, to ensure that only the authorized user is able to utilize the user ID. Users are responsible for all activity that takes place with their user ID and password or other authentication mechanism. A user must change their password immediately if they suspect that it has been discovered or used by another person. Users must notify Information Security if other access control mechanisms are broken or if they suspect that these mechanisms have been compromised.
- Difficult-to-Guess Passwords – Users must choose passwords that are difficult to guess. This means that passwords must not be related to one’s job or personal life. For example, a car license plate number, a spouse’s name, or fragments of an address must not be used. It also means that passwords must not be a dictionary word or any other recognizable word: proper names, place names, technical terms, and slang must not be used.
- Password Constraints – Passwords must be at least 8 characters long. Passwords must be changed every 90 days or at more frequent intervals. Whenever a worker suspects that a password has become known to another person, that password must immediately be changed.
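The two password rules above can be enforced at the point where a password is set. The following is an added example, not a tool from the original policy or from Ringmaster Technologies: it rejects passwords shorter than 8 characters, passwords that are a recognizable word even after common letter-for-symbol substitutions, and passwords that reuse a fragment of the user's personal details (name, spouse, license plate, address). The word list and the user attributes are constructed stand-ins; a real deployment would load a full dictionary and name list and take the attributes from HR data.

```python
import re

MIN_LENGTH = 8  # policy: passwords must be at least 8 characters long

# Constructed stand-in for the organisation's word list (dictionary words,
# proper names, places, technical terms, slang). Production use loads a
# large list from disk; a few entries are enough to show the mechanism.
COMMON_WORDS = {
    "password", "welcome", "summer", "ringmaster", "dragon", "football",
    "chicago", "firewall", "qwerty", "letmein", "monkey", "sunshine",
}

# Letter-for-symbol substitutions, so "P@ssw0rd" is still seen as "password".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def _word_candidates(password: str) -> set:
    """Forms of the password compared against the word list: the lowercased
    string, its de-leeted form, and each of those with leading/trailing digits
    and symbols removed ("Dragon99!" -> "dragon")."""
    raw = password.lower()
    forms = {raw, raw.translate(_LEET)}
    forms |= {re.sub(r"^[^a-z]+|[^a-z]+$", "", f) for f in list(forms)}
    return forms


def _fragments(value: str, n: int = 4) -> set:
    """Every n-character window of a personal attribute (lowercased, with
    spaces and punctuation removed), so partial reuse such as the digits of a
    license plate or a street number is caught, not only the whole value."""
    clean = re.sub(r"[^a-z0-9]", "", value.lower())
    return {clean[i:i + n] for i in range(len(clean) - n + 1)}


def check_password(password: str, personal_info: dict) -> list:
    """Return the list of policy violations for a candidate password.

    An empty list means the password is accepted. personal_info maps a label
    to an attribute the policy forbids reusing, e.g.
    {"name": "John Smith", "plate": "ABC 1234", "spouse": "Mary"}.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if _word_candidates(password) & COMMON_WORDS:
        problems.append("dictionary word, name, place or slang")

    # Compare against both the literal characters and the de-leeted form,
    # so "Sm1th" and "Smith" are both caught for a user named Smith.
    compact_raw = re.sub(r"[^a-z0-9]", "", password.lower())
    compact_leet = compact_raw.translate(_LEET)
    for label, value in personal_info.items():
        frags = _fragments(value)
        if any(f in compact_raw or f in compact_leet for f in frags):
            problems.append(f"contains a fragment of the user's {label}")
            break
    return problems


if __name__ == "__main__":
    # Constructed user record for demonstration.
    user = {"name": "John Smith", "plate": "ABC 1234", "spouse": "Mary"}
    for candidate in ("P@ssw0rd", "Smith1234", "x7#Kq!2bR9"):
        print(candidate, "->", check_password(candidate, user) or "accepted")
```

The four-character fragment window is deliberately aggressive: it will occasionally reject an unrelated password that happens to contain four letters of the user's surname, which is an acceptable cost for a policy check, but the window size and the word list should be tuned to the organisation rather than copied from this example.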
- Background Checks – All workers to be placed in computer-related positions of trust are subject to a background check. This process shall include examination of criminal conviction records, lawsuit records, credit bureau records, driver’s license records, and verification of previous employment.
- Rights to Material Developed – While performing services for Ringmaster Technologies, workers must grant to Ringmaster Technologies exclusive rights to patents, copyrights, inventions, or other intellectual property they originate or develop. All programs and documentation generated by or provided by workers for the benefit of Ringmaster Technologies are the property of Ringmaster Technologies. Ringmaster Technologies asserts the legal ownership of the contents of all information systems under its control. Ringmaster Technologies reserves the right to access and use this information at its discretion.
- Release of Information to Third Parties – Unless it has specifically been designated as public, all Ringmaster Technologies internal information must be protected from disclosure to third parties. Third parties may be given access to Ringmaster Technologies internal information only when a demonstrable need to know exists, when a Ringmaster Technologies non-disclosure agreement has been signed, and when such a disclosure has been expressly authorized by the relevant Ringmaster Technologies information Owner. If sensitive information is lost, is disclosed to unauthorized parties, or is suspected of being lost or disclosed to unauthorized parties, the information Owner and the Information Security department must be notified.
- Ringmaster Technologies Non-Disclosure Agreements – Whenever communications with third parties necessitate the release of sensitive Ringmaster Technologies information, a standard non-disclosure agreement (NDA) must be signed by the Third-Party. Information released to these third parties must be limited to the topics directly related to the involved project or business relationship, and the disclosure must be approved in advance by the involved information Owner.
- Third-Party Security Requirements – As a condition of gaining access to the Ringmaster Technologies computer network, every Third-Party must secure its own connected systems in a manner consistent with Ringmaster Technologies requirements. Ringmaster Technologies reserves the right to audit the security measures in effect on Third-Party-connected systems without prior warning. Ringmaster Technologies also reserves the right to immediately terminate network connections with any third-party system not meeting such requirements.
- Physical Security to Control Information Access – Access to every office, computer machine room, and other Ringmaster Technologies work area containing sensitive information must be physically restricted to those people with a need to know. When not in use, sensitive information must always be protected from unauthorized disclosure. When left in an unattended room, sensitive information in paper form must be locked away in appropriate containers.
- Clear Desk and Screen – If a Custodian of sensitive information believes he or she will be away for less than 30 minutes, information in paper form may be left on a desk or in some other readily observed spot only if all doors and windows to the unattended room are closed and locked. During non-working hours, workers in areas containing sensitive information must lock up all such information. Unless information is in active use by authorized people, desks must be clear and clean during non-working hours to prevent unauthorized access to information. Workers must position their computer screens so that unauthorized people cannot look over their shoulder and see the sensitive information displayed.
- Firewalls Required – All connections between Ringmaster Technologies internal networks and the Internet or any other publicly accessible computer network must include an approved firewall or related access control system. The privileges permitted through this firewall or related access control system must be based on business needs and must be defined in an access control standard issued by the Information Security department.
- Internal Network Connections – All Ringmaster Technologies computers that store sensitive information, and that are permanently or intermittently connected to internal computer networks must have a password-based access control system approved by the Information Security department. Regardless of the network connections, all stand-alone computers handling sensitive information must also employ an approved password-based access control system.
- Session Security – Users of personal computers and workstations must employ the password-protected screen savers provided with their operating systems, so that after a period of inactivity the screen locks until the correct password is entered again. Multi-user systems throughout Ringmaster Technologies must employ automatic log-off mechanisms that terminate a user’s session after a defined period of inactivity.
- Third-Party Connection Approval – Ringmaster Technologies computers or networks may be connected to third-party computers or networks only after the Information Security department has determined that the combined systems will be in compliance with Ringmaster Technologies security requirements.
- When to Use Encryption – Whenever Confidential or Secret information is sent over a public computer network like the Internet, encryption methods authorized by the Information Security department must be used to protect it. Whenever Secret information is stored in a computer, this storage must be achieved with similar authorized encryption methods.
- Key Selection – Many encryption routines require that the user provide a seed, key, or passphrase as input. Users must protect these security parameters from unauthorized disclosure, just as they would protect passwords. Where such a value is chosen by the user rather than generated randomly by the approved encryption tool, it must satisfy at least the rules for choosing strong passwords.
Viruses and Malicious Software
- Virus Checking Required – Malicious software detection (virus-checking) systems approved by the Information Security department must be in place on all personal computers with operating systems susceptible to viruses, on all firewalls with external network connections, and on all electronic mail servers. All files coming from external sources must be checked before execution or usage. If encryption or data compression has been applied, it must be reversed before the virus-checking process takes place. Users must not turn off or disable virus-checking systems.
Application and Systems Development
- Production System Definition – Information systems that have been designated production systems have special security requirements. A production system is a system that is regularly used to process information critical to Ringmaster Technologies business. Although a production system may be physically situated anywhere, the production system designation is assigned by the Information Systems department Computer Operations manager.
- Special Production System Requirements – All software developed in-house that runs on production systems must be developed according to the Information Systems department’s systems development methodology (SDM). This methodology must ensure that the software will be adequately documented and tested before it is used for critical Ringmaster Technologies information. The SDM also must ensure that production systems include adequate control measures. Production systems also must have designated Owners and Custodians for the critical information they process. Information Security must perform periodic risk assessments of production systems to determine whether the controls employed are adequate. All production systems must have an access control system to restrict who can access the system and restrict the privileges available to these users. A designated access control administrator who is not a regular user on the system must be assigned for all production systems.
- Separation Between Production, Development, And Test Systems – Where resources permit, there must be a separation between the production, development, and test environments. Where these distinctions have been established, development and test staff must not be permitted to have access to production systems. All production software testing must proceed with sanitized information where Confidential or Secret information is replaced with dummy data. All security fixes provided by software vendors must go through the systems development methodology testing process and must be promptly installed. Application programmers must not be given access to production information. A formal and documented change control process must be used to restrict and approve changes to production systems. All application program-based access paths other than the approved user access paths must be deleted or disabled before software is moved into production.
- Systems Development Conventions – All production software development and software maintenance activities performed by in-house staff must adhere to Information Technology department policies, standards, procedures, and other systems development conventions. These conventions include the proper testing, training, and documentation.
- Change Control – Users must not install new or upgraded operating systems or application software on personal computers or other machines used to process Ringmaster Technologies information. This applies to systems that may or may not be owned by Ringmaster Technologies but that have been specifically recognized as systems used for regular business activities. This approach permits Ringmaster Technologies to perform automatic software distribution, automatic software license management, automated remote backup, and related functions on a centralized and coordinated basis. While change control is enforced through the access control packages described above, users may still change the preferences within software packages, such as the fonts in a word processing package.
- Production Application System Logs – All computer systems running Ringmaster Technologies production application systems must include logs that record, at a minimum, user session activity including user IDs, logon date and time, logoff date and time, as well as applications invoked, changes to critical application system files, changes to the privileges of users, and system start-ups and shut-downs.
- Expectations of Privacy – Users must have no expectation of privacy when using information systems at Ringmaster Technologies. To manage systems and enforce security, Ringmaster Technologies may log, review, and otherwise utilize any information stored on or passing through its systems. Ringmaster Technologies may capture user activity such as telephone numbers dialed, and web sites visited.
- Right to Search and Monitor – Ringmaster Technologies management reserves the right to monitor, inspect, or search at any time all Ringmaster Technologies information systems. This examination may take place with or without the consent, presence, or knowledge of the involved workers. The information systems subject to such examination include, but are not limited to, electronic mail system files, personal computer hard drive files, voice mail files, printer spool files, fax machine output, desk drawers, and storage areas. All searches of this nature must be conducted after the approval of the Legal and Security departments has been obtained. Because Ringmaster Technologies computers and networks are provided for business purposes only, workers must have no expectation of privacy associated with the information they store in or send through these information systems. Ringmaster Technologies management retains the right to remove from its information systems any material it views as offensive or potentially illegal.
- Collecting Information – Ringmaster Technologies does not collect information that is unnecessary for business purposes. Ringmaster Technologies does not collect information from third parties (such as customers), unless the third parties are notified prior to the collection activities.
- Third-Party Information Privacy – A wide variety of third parties have entrusted their information to Ringmaster Technologies for business purposes, and all workers at Ringmaster Technologies must do their best to safeguard the privacy and security of this information. Customer account data is Confidential, and access must be strictly limited based on business need for such access. Customer account information must not be distributed to third parties without advance authorization by the customer.
Any violation of this policy may result in disciplinary action, up to and including termination of employment. Ringmaster Technologies reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Ringmaster Technologies does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, Ringmaster Technologies reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.
Any employee or partner who is requested to undertake an activity which he or she believes is in violation of this policy, must provide a written or verbal complaint to his or her manager, any other manager or the Human Resources Department as soon as possible.
- Information Asset – Any Ringmaster Technologies data in any form, and the equipment used to manage, process, or store Ringmaster Technologies data, that is used in the course of executing business. This includes, but is not limited to, corporate, customer, and partner data.
- Partner – Any non-employee of Ringmaster Technologies who is contractually bound to provide some form of service to Ringmaster Technologies.
- Password – An arbitrary string of characters chosen by a user that is used to authenticate the user at logon, in order to prevent unauthorized access to the user’s account.
- User – Any Ringmaster Technologies employee or partner who has been authorized to access any Ringmaster Technologies electronic information resource.
ISO/IEC 27002: 4.0 Risk Management
RMT: IRMP-IT Risk Management
NIST: Risk Assessment (RA)
NIST SP 800-30 – Risk Assessment Guide
PCI-DSS: 12.2 Annual Risk Assessments
HIPAA: Security Management Process – Risk Management (R)