Security & Information Sensitivity Policy
1. This policy document is owned and overseen by WebxSolution Ltd. It is a high-level statement of security policy, objectives and processes, and of how the effectiveness of security measures is evaluated.
2. Implementing this Security Policy and the more detailed security measures in the Information Sensitivity Policy is the responsibility of Mr Mark Smeed (Company Director), Mr Paul Franklin (Company Director) and all employees of WebxSolution Ltd.
1. This Policy document is a high level policy for the employees of WebxSolution Ltd;
2. The security of customers' data is an integral part of WebxSolution Ltd's business model;
3. It is the responsibility of all employees of WebxSolution Ltd to be aware of this Security Policy and the Information Sensitivity Policy that forms part of this document;
4. It is important that people working in and for WebxSolution Ltd understand the importance of sustaining a security regime;
5. The key aspect of WebxSolution Security Policy is ensuring our systems and processes are secure so that information held electronically is protected.
This Policy document provides all employees with a single point of reference on the standards required to protect information at varying sensitivity levels and on the security measures WebxSolution Ltd takes to protect customers' data. If in doubt as to the level of sensitivity to be ascribed to any information, the first point of contact is Mr Mark Smeed (Company Director) or Mr Paul Franklin (Company Director).
3. HARDWARE AND WIRELESS NETWORK SECURITY
Network Hardware Security
Our network data is stored in a RAID 1 setup. A classic RAID 1 mirrored pair contains two disks rather than a single disk. Since each member holds a complete copy and can be addressed independently, resilience against ordinary wear and tear rises with the number of self-contained copies.
As a simplified example, consider a RAID 1 with two identical models of a disk drive, each with a 5% probability that the disk would fail within three years. Provided that the failures are statistically independent, then the probability of both disks failing during the three-year lifetime is 0.25%. Thus, the probability of losing all data is 0.25% over a three-year period if nothing is done to the array. If the first disk fails and is never replaced, then there is a 5% chance the data will be lost. If only one of the disks fails, no data would be lost. As long as a failed disk is replaced before the second disk fails, the data is safe.
In a well-managed system the figure above is not the relevant one, because a failed hard drive will not be ignored but will be replaced. The overall reliability is then determined by the probability that the remaining drive keeps operating through the repair period: the total time it takes to detect the failure, replace the failed drive, and rebuild the new drive. If it takes one hour to replace the failed drive and 9 hours to repopulate it, the overall system reliability is the probability that the remaining drive operates for ten hours without failure.
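The two calculations above carried through in code, as an added example that is not part of the policy: the unattended case (both disks fail over the lifetime) and the managed case (the survivor fails during the repair window). The page gives only the 5%-in-three-years figure, so the repair-window calculation assumes a constant failure rate (an exponential lifetime) derived from that figure; the repair windows compared are constructed values. It generalises the text's single 10-hour case to show how strongly the loss probability depends on how quickly a failure is detected.

```python
"""Reliability of a RAID 1 mirrored pair, with and without replacement.

Added example; not part of the policy document. Assumes disk failures are
statistically independent and, for the repair-window figure, that the
surviving disk has a constant hazard rate (exponential lifetime) fitted to
the page's "5% within three years" figure.
"""
import math

HOURS_PER_YEAR = 24 * 365


def p_both_fail_unattended(p_single: float, disks: int = 2) -> float:
    """Probability that every mirror member fails over the lifetime when
    failed disks are never replaced (independent failures): p ** n."""
    return p_single ** disks


def hazard_rate_per_hour(p_fail: float, years: float) -> float:
    """Constant hazard rate lambda such that P(fail within t) = 1 - exp(-lambda t)
    reproduces the given lifetime failure probability (assumption)."""
    return -math.log(1.0 - p_fail) / (years * HOURS_PER_YEAR)


def p_survivor_fails_during_repair(p_fail: float, years: float,
                                   repair_hours: float) -> float:
    """Probability the remaining disk fails during the repair window, i.e. the
    window from failure detection through replacement and rebuild."""
    lam = hazard_rate_per_hour(p_fail, years)
    return 1.0 - math.exp(-lam * repair_hours)


def loss_probability_by_repair_window(p_fail: float, years: float,
                                      windows_hours) -> dict:
    """Map each candidate repair window (hours) to the data-loss probability,
    so that the effect of detection latency can be compared directly."""
    return {w: p_survivor_fails_during_repair(p_fail, years, w)
            for w in windows_hours}


if __name__ == "__main__":
    # Page figures: 5% per disk over three years, 1 h swap + 9 h rebuild.
    print(f"unattended, both fail: {p_both_fail_unattended(0.05):.4%}")
    # Constructed comparison: a 10 h window versus a failure unnoticed for 30 days.
    for window, p in loss_probability_by_repair_window(0.05, 3, [10, 720]).items():
        print(f"repair window {window:>4} h: {p:.5%}")
```

The comparison makes the operational point behind the paragraph: with replacement, the loss probability is dominated by the detection and rebuild time, so monitoring for a degraded array matters more than the raw disk failure rate.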
Wireless Network Security
Wireless security is the prevention of unauthorized access to, or damage of, computers using wireless networks. Our wireless network is set up with a two-factor authentication scheme requiring both an approved MAC address and the WEP key.
Two-factor authentication is commonly found in electronic computer authentication, where basic authentication is the process of a requesting entity presenting some evidence of its identity to a second entity. Two-factor authentication seeks to decrease the probability that the requestor is presenting false evidence of its identity. The number of factors is important, as it implies a higher probability that the bearer of the identity evidence indeed holds that identity.
A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment.
MAC addresses are used by numerous network technologies. They are usually assigned by the manufacturer of a network interface card (NIC) and stored in its hardware; the address normally encodes the manufacturer's registered identification number and may be referred to as the burned-in address.
Our MAC authentication works by attempting to authenticate the user based upon the MAC address of the device the user is using. If the MAC address is not stored within the wireless network database, the device will not be allowed to pass traffic and will be denied access to our network.
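The MAC allow-list check described above, together with the manufacturer identifier and burned-in versus software-assigned distinction from the previous paragraphs, as an added example (not the company's own code). It assumes the approved addresses are held in a simple set; the accepted address spellings and the sample addresses are constructed for this example. The "locally administered" flag is the standard U/L bit of the first octet, which is why a defender should treat a MAC allow-list as a device-inventory control rather than as proof of identity.

```python
"""MAC address allow-list with normalisation, OUI extraction and an audit trail.

Added example; not part of the policy document. The address formats accepted
and the sample addresses are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Accepted spellings: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, aabbccddeeff
_MAC_FORMS = re.compile(
    r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}"
    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"
    r"|[0-9a-f]{12}"
)


def normalize_mac(mac: str) -> str:
    """Validate the address and return it as lower-case colon-separated octets.
    Raises ValueError for anything that is not a 48-bit MAC address."""
    text = mac.strip().lower()
    if not _MAC_FORMS.fullmatch(text):
        raise ValueError(f"malformed MAC address: {mac!r}")
    digits = re.sub(r"[^0-9a-f]", "", text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """First three octets: the manufacturer's registered identifier (OUI)."""
    return normalize_mac(mac)[:8]


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set, meaning the
    address was assigned in software rather than burned in by the manufacturer."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


@dataclass(frozen=True)
class Decision:
    mac: str        # the address as presented (normalised when parseable)
    allowed: bool
    reason: str


class MacAllowList:
    """Approved-device database for the wireless network (constructed stand-in)."""

    def __init__(self, approved) -> None:
        self._approved = {normalize_mac(m) for m in approved}
        self.audit: list[Decision] = []   # every decision is recorded for review

    def check(self, mac: str) -> Decision:
        try:
            norm = normalize_mac(mac)
        except ValueError:
            decision = Decision(mac, False, "malformed address")
        else:
            if norm in self._approved:
                decision = Decision(norm, True, "approved device")
            else:
                decision = Decision(norm, False, "not in allow-list")
        self.audit.append(decision)
        return decision


if __name__ == "__main__":
    # Constructed sample allow-list; spellings deliberately differ.
    wl = MacAllowList(["00:1A:2B:3C:4D:5E", "aabb.ccdd.eeff"])
    for candidate in ["00-1a-2b-3c-4d-5e", "00:1a:2b:3c:4d:5f", "not-a-mac"]:
        d = wl.check(candidate)
        print(f"{candidate:>20} -> {'ALLOW' if d.allowed else 'DENY':5} ({d.reason})")
```

Normalising before comparison avoids the classic allow-list failure where the same device is denied or, worse, a stale entry is accepted because two spellings of one address were stored separately; the audit list is what an operator would review when investigating repeated denials.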
Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks. Introduced as part of the original 802.11 standard ratified in September 1999, it was intended to provide data confidentiality comparable to that of a traditional wired network. WEP, recognizable by its key of 10 or 26 hexadecimal digits, is widely in use and is often the first security choice presented to users by router configuration tools.
WEP is adopted as our second factor of authentication: a user who has not first authenticated with our WEP key will not be allowed to pass traffic and will be denied access to our network.
Our anti-virus system provides protection against viruses and malicious code, such as worms and Trojan horses, by detecting and removing the malicious code and by preventing unwanted effects and repairing damage that may have resulted. Antivirus software uses a variety of techniques — such as signature scanners, activity blockers, and heuristic scanners — to protect computer systems against potentially harmful viruses, worms, and Trojan horses.
Our Antivirus software combines the following technologies:
Signature scanners can identify known malicious code. Scanners search for “signature strings” or use algorithmic detection methods to identify known code. They rely on a significant amount of prior knowledge about the malicious code. Therefore, it is critical that the signature information for scanners be current. Our scanners are configured to automatically update their signature information from a designated source, typically on a daily basis.
Activity (or behaviour) blockers contain a list of rules that a legitimate program must follow. If the program breaks one of the rules, the activity blockers alert the users. The idea is that untrusted code is first checked for improper behaviour. If none is found, the code can be run in a restricted environment, where dynamic checks are performed on each potentially dangerous action before it is permitted to take effect. By adding multiple layers of reviews and checks to the execution process, activity blockers can prevent malicious code from performing undesirable actions.
Heuristic scanners work to protect against viruses that are not yet known to the signature database. Heuristic scanners can be classified as either static or dynamic. Static heuristic scanners use virus signatures much like standard signature scanners, but instead of scanning for specific viruses they scan for lines of code associated with virus-like behaviours. These scanners are often supplemented by additional programs that search for more complex, virus-like behaviour patterns. Dynamic heuristic scanners identify suspicious files and load them into a simulated computer system to emulate their execution. This allows the scanner to protect the network from a previously unknown infected file.
Our network firewall is a device deployed between networks to restrict which types of traffic can pass from one network to another.
The firewalls work by comparing network traffic to a set of rules, each of which typically specifies a network or application protocol and the source and destination of the communication. For example, a rule might permit an e-mail to reach our e-mail server from an external host.
Accordingly, our network firewall can be effective at stopping network service worms that target a particular service or service port number, especially if the service or port is not widely used. Because network firewalls can restrict both incoming and outgoing traffic, they can also be used to stop certain worm infections within the system from spreading to external systems.
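A small rule evaluator showing the matching described in the two paragraphs above, as an added example (not the company's firewall configuration): each rule names a protocol, source, destination, port and direction; the first matching rule decides, and traffic matching no rule is denied. The ruleset uses constructed documentation addresses, with a mail server on an internal network, and includes the two cases the text mentions: permitting external e-mail to reach the mail server, and blocking outbound traffic on a service port from workstations so that an infection cannot spread to external systems over that service.

```python
"""First-match, default-deny firewall rule evaluation.

Added example; not part of the policy document. Addresses and rules are
constructed for illustration (RFC 1918 and documentation ranges).
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR network
    dst: str               # CIDR network
    dport: Optional[int]   # destination port; None matches any port
    direction: str         # "in" (entering our network) or "out" (leaving it)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    direction: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every one of its fields matches the packet."""
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule). No match means deny, index None."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Constructed network: internal LAN and its mail server.
INTERNAL = "192.168.10.0/24"
MAIL_SERVER = "192.168.10.25/32"

RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", MAIL_SERVER, 25, "in"),    # external mail may reach our mail server
    Rule("allow", "tcp", MAIL_SERVER, "0.0.0.0/0", 25, "out"),   # only the mail server sends mail out
    Rule("deny", "tcp", INTERNAL, "0.0.0.0/0", 25, "out"),       # workstations may not: contains a mass-mailing worm
    Rule("allow", "tcp", INTERNAL, "0.0.0.0/0", 443, "out"),     # ordinary web access
    # everything else falls through to the default deny
]


def summarize(rules: list[Rule], packets: list[Packet]) -> dict:
    """Count decisions over a batch of packets; useful for checking a ruleset
    against expected traffic before deploying it."""
    counts = {"allow": 0, "deny": 0}
    for pkt in packets:
        counts[evaluate(rules, pkt)[0]] += 1
    return counts


if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.7", "192.168.10.25", 25, "in"),
        Packet("tcp", "192.168.10.50", "198.51.100.9", 25, "out"),
        Packet("tcp", "192.168.10.50", "198.51.100.9", 443, "out"),
        Packet("tcp", "203.0.113.7", "192.168.10.50", 445, "in"),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, pkt))
```

Rule order is the point to check when reviewing such a set: the mail server's outbound allow is listed before the broader internal deny, because the server's address also falls inside the internal range and a first-match evaluator would otherwise block it.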
Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorised people.
It guards against identity theft and virus attack; it is important in keeping sensitive data secure and makes that data inaccessible to anyone who would like to take advantage of it for illegitimate purposes. In this regard it offers a security solution for data protection.
It adopts the encryption technique called Advanced Encryption Standard (AES) to protect sensitive data by storing it in an encrypted format under an encryption key. Among the available key sizes, our systems provide share-level AES 256-bit encryption to block unauthorised access attempts.
Our premises are secured by a 2½ inch back door, steel-lined from the outside, with a triple locking system. The windows are secured by ¾ inch steel bars set in concrete and welded into the external walls of the premises. The front of the shop is secured by 5-lever deadlocks and a roller shutter protected by two bullet locks, one on the right and one on the left, together with a Roller Shutter Ground Unit & Armoured Padlock. The roller shutter switch is encased in a steel cast box with an 80mm Master Padlock with Closed Shackle M50D.
This has then further been independently checked and verified by a locksmith and metropolitan support officer both confirming the security of our premises.
Machines where customer data are stored are secured to a physical wall.
INFORMATION SENSITIVITY POLICY GUIDELINES
The Information Sensitivity Policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of WebxSolution Ltd without proper authorization.
The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).
All employees should familiarize themselves with the information labeling and handling guidelines that follow this introduction. It should be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps that you can take to protect WebxSolution Ltd Confidential information (e.g., WebxSolution Ltd Confidential information should not be left unattended in conference rooms).
Questions about the proper classification of a specific piece of information should be addressed to Mr Mark Smeed or Mr Paul Franklin.
All WebxSolution Ltd information is categorised into two main classifications:
1. WebxSolution Ltd Public
2. WebxSolution Ltd Confidential
WebxSolution Ltd Public information is information that has been declared public knowledge by someone with the authority to do so and can freely be given to anyone without any possible damage to WebxSolution Ltd systems.
WebxSolution Ltd Confidential contains all other information. It is a continuum, in that it is understood that some information is more sensitive than other information, and should be protected in a more secure manner. Included is information that should be protected very closely, such as trade secrets, development programs, potential acquisition targets and other information integral to the success of our company.
Also included in WebxSolution Ltd Confidential is information that is less critical, such as telephone directories, general corporate information, personnel information, etc., which does not require as stringent a degree of protection.
A subset of WebxSolution Ltd Confidential information is WebxSolution Ltd Third Party Confidential information. This is confidential information belonging or pertaining to another corporation which has been entrusted to WebxSolution Ltd by that company under non-disclosure agreements and other contracts. Examples of this type of information include everything from joint development efforts to website software management, vendor lists, customer orders, supplier information and customers' confidential information to which WebxSolution Ltd has access by way of its provision of support services.
Information in this category ranges from extremely sensitive to information about the fact that we've connected a supplier / vendor into WebxSolution Ltd’s network to support our operations.
WebxSolution Ltd personnel are encouraged to use common sense judgment in securing WebxSolution Ltd Confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact Mr Mark Smeed or Mr Paul Franklin.
The Sensitivity Guidelines below provide details on how to protect information at varying sensitivity levels. Use these guidelines as a reference only, as WebxSolution Ltd Confidential information at each level may necessitate more or less stringent measures of protection depending upon the circumstances and the nature of the WebxSolution Ltd Confidential information in question.
3.1 Minimal Sensitivity
General corporate information; some personnel and technical information
Marking guidelines for information in hardcopy or electronic form
Note: any of these markings may be used with the additional annotation of "3rd Party Confidential".
Marking is at the discretion of the owner or custodian of the information. If marking is desired, the words "WebxSolution Ltd Confidential" may be written or designated in a conspicuous place on or in the information in question. Other labels that may be used include "WebxSolution Ltd Proprietary" or similar labels at the discretion of your individual business unit or department. Even if no marking is present, WebxSolution Ltd information is presumed to be "WebxSolution Ltd Confidential" unless expressly determined to be Public information by a WebxSolution Ltd employee with authority to do so.
a) Access: WebxSolution Ltd employees, contractors, people with a business need to know;
b) Distribution within: Standard electronic mail, VoIP and electronic file transmission methods;
c) Distribution outside: Royal Mail and other public or private carriers; approved electronic mail and electronic file transmission methods;
d) Electronic distribution: No restrictions;
e) Storage: Keep from view of unauthorised people; do not leave in view on table top. Machines should be administered with security in mind. Protect from loss; electronic information and website systems should have individual access controls where possible and appropriate;
f) Disposal/Destruction: Outdated paper information should be disposed of in a cross-cut shredder on WebxSolution Ltd premises and the shreddings disposed of off-site; electronic data should be expunged/cleared, and media reliably erased or physically destroyed.
3.2 More Sensitive
Business, financial, technical, and most personnel information
Marking guidelines for information in hardcopy or electronic form
Note: any of these markings may be used with the additional annotation of "3rd Party Confidential". As the sensitivity level of the information increases, you may, in addition to or instead of marking the information "WebxSolution Ltd Confidential" or "WebxSolution Ltd Proprietary", wish to label the information "WebxSolution Ltd Internal Use Only" or with other similar labels at the discretion of your individual business unit or department to denote a more sensitive level of information. However, marking is discretionary at all times.
a) Access: WebxSolution Ltd employees and non-employees with signed non-disclosure agreements who have a business need to know.
b) Distribution within: Standard interoffice mail, approved electronic mail and electronic file transmission methods.
c) Distribution outside: Sent via Royal mail or approved private carriers.
d) Electronic distribution: No restrictions to approved recipients.
e) Storage: Keep from view of unauthorised people; do not leave in view on table top. Machines should be administered with security in mind. Protect from loss; Individual access controls are highly recommended for electronic information and website systems.
f) Disposal/Destruction: Outdated paper information should be disposed of in a cross-cut shredder on WebxSolution Ltd premises and the shreddings disposed of off-site; electronic data should be expunged/cleared, and media reliably erased or physically destroyed.
3.3 Highly Sensitive:
Trade secrets & marketing, operational, personnel, financial, source code, & technical information, information of a highly sensitive degree of which WebxSolution Ltd have access to as a part of their Customer Support services and all information integral to the success of WebxSolution Ltd.
Marking guidelines for information in hardcopy or electronic form
Note: any of these markings may be used with the additional annotation of "3rd Party Confidential". To indicate that WebxSolution Ltd Confidential information is very sensitive, you should label the information "WebxSolution Ltd Internal: Registered and Restricted", "WebxSolution Ltd Eyes Only", "WebxSolution Ltd Confidential" or with similar labels at the discretion of your individual business unit or department. Once again, this type of WebxSolution Ltd Confidential information need not be marked, but users should be aware that this information is very sensitive and must be protected as such.
a) Access: Only those individuals (WebxSolution Ltd employees and non-employees) designated with approved access and signed non-disclosure agreements.
b) Distribution within: Delivered direct - signature required, envelopes stamped confidential, or approved electronic file transmission methods.
c) Distribution outside: Delivered direct; signature required; approved private carriers.
d) Electronic distribution: No restriction to approved recipients but it is highly recommended, where possible, that all information be encrypted.
e) Storage: Keep from view of unauthorised people; do not leave in view on table top. Machines should be administered with security in mind. Protect from loss; Individual access controls are very highly recommended for electronic information and website systems. Physical security is generally used, and information should be stored in a physically secured computer.
f) Disposal/Destruction: Outdated paper information should be disposed of in a cross-cut shredder on WebxSolution Ltd premises and the shreddings disposed of off-site; electronic data should be expunged/cleared, and media reliably erased or physically destroyed.
Any breach of this policy may constitute a disciplinary offence and may be unlawful. A serious breach of this policy could therefore result in the dismissal (or, for non-employees, termination of contract) of the person concerned on the grounds of gross misconduct.
3. Terms and Definitions
To minimize the risk to WebxSolution Ltd from an outside business connection, use of WebxSolution Ltd computers by competitors and unauthorized personnel must be restricted so that, in the event of an attempt to access WebxSolution Ltd corporate information, the amount of information at risk is minimized.
Configuration of WebxSolution Ltd-to-other-business connections
Connections shall be set up to allow other businesses to see only what they need to see. This involves setting up both applications and network configurations to allow access to only what is necessary.
Approved Electronic File Transmission Methods
Includes supported FTP clients and Web browsers.
Envelopes Stamped Confidential
You are not required to use a special envelope. Put your document(s) into an interoffice envelope, seal it, address it, and stamp it confidential.
Approved Electronic Mail
Includes all mail systems supported by the IT Support Team. If you have a business need to use other mailers contact the appropriate support organization.
Company Information System Resources
Company Information System Resources include, but are not limited to, all computers, devices, their data and programs, as well as all paper information and any information at the Internal Use Only level and above.
To reliably erase or expunge data on a PC or Mac you must use a separate program to overwrite data, supplied as a part of ‘Spybot – Search & Destroy’ Utilities. Otherwise, the PC or Mac's normal erasure routine keeps the data intact until overwritten. The same thing happens on UNIX machines, but data is much more difficult to retrieve on UNIX systems.
Access control includes authorization, authentication, access approval and audit. Authentication and access control are often combined into a single operation, so that access is approved based on successful authentication, or based on an anonymous access token.
When a user wants to initiate a specific action against a specific part (for example, viewing electronic information), the system checks the permission for this combination of user, item and action. If it is allowed, the user can proceed; otherwise the action is refused. This permits different parts (or objects) to be accessible at different designated access levels.
All requests to change these permissions on a part (or object), or to change the access control level, require written approval from the Customer, given by a person with the necessary authority to do so.
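The (user, item, action) permission check and the approval rule from the three paragraphs above, as an added example that is not the company's own system: authentication decides which principal is asking (an unauthenticated request is treated as the anonymous principal), the permission table decides whether that principal may perform the action on the item, every decision is audited, and permission changes are refused unless the approver is on the list of people with authority. Principal names, item names and the approver are constructed for this example.

```python
"""Authentication, access approval and audit as one operation.

Added example; not part of the policy document. Principals, items and the
approver name are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

ANONYMOUS = "anonymous"   # principal used for requests that did not authenticate


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    principal: str
    item: str
    action: str
    allowed: bool


class AccessController:
    """Holds the permission table and the list of people allowed to change it."""

    def __init__(self, approvers: set[str]) -> None:
        self._approvers = set(approvers)
        # (principal, item) -> set of permitted actions
        self._grants: dict[tuple[str, str], set[str]] = {}
        self.audit: list[AuditEntry] = []

    def _require_approver(self, approved_by: str) -> None:
        # A permission change without written approval from someone with
        # authority is refused outright rather than applied and logged.
        if approved_by not in self._approvers:
            raise PermissionError(f"{approved_by!r} has no authority to approve changes")

    def grant(self, principal: str, item: str, action: str, approved_by: str) -> None:
        self._require_approver(approved_by)
        self._grants.setdefault((principal, item), set()).add(action)

    def revoke(self, principal: str, item: str, action: str, approved_by: str) -> None:
        self._require_approver(approved_by)
        self._grants.get((principal, item), set()).discard(action)

    def check(self, user: str, item: str, action: str, authenticated: bool) -> bool:
        """Authenticate-then-authorise in one step; the decision is always audited."""
        principal = user if authenticated else ANONYMOUS
        allowed = action in self._grants.get((principal, item), set())
        self.audit.append(AuditEntry(datetime.now(timezone.utc), principal, item, action, allowed))
        return allowed


if __name__ == "__main__":
    ac = AccessController(approvers={"customer-authority"})
    ac.grant("alice", "order-db", "view", approved_by="customer-authority")
    ac.grant(ANONYMOUS, "public-site", "view", approved_by="customer-authority")
    print(ac.check("alice", "order-db", "view", authenticated=True))    # True
    print(ac.check("alice", "order-db", "edit", authenticated=True))    # False
    print(ac.check("alice", "order-db", "view", authenticated=False))   # False
    for entry in ac.audit:
        print(entry)
```

Keeping the audit record inside the same call as the decision, rather than in the calling code, is what makes the log complete: no path can obtain an answer without leaving a record, which is the property an investigator relies on afterwards.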
Insecure Internet Links
Insecure Internet Links are all network links that originate from a locale or travel over lines that are not totally under the control of WebxSolution Ltd.
Physical security means either having actual possession of a computer at all times, or locking the computer in an unusable state to an object that is immovable. Methods of accomplishing this include having a special key to unlock the computer so it can be used, thereby ensuring that the computer cannot be simply rebooted to get around the protection. If it is a laptop or other portable computer, never leave it alone in a conference room, hotel room or on an airplane seat, etc. Make arrangements to lock the device in a hotel safe, or take it with you. In the office, always use a lockdown cable. When leaving the office for the day, secure the laptop and any other sensitive material in a locked drawer or cabinet.
A Private Link is an electronic communications path over whose entire distance WebxSolution Ltd has control. For example, all WebxSolution Ltd networks are connected via private links. Computers with a modem connected via a standard land line (not a mobile phone) to another computer have established a private link. ISDN lines to employees' homes are private links.
WebxSolution Ltd also can establish private links to other companies, so that all email correspondence can be sent in a more secure manner. Companies which WebxSolution Ltd has established private links include all announced acquisitions and some short term temporary links.