Siskiyou Central Credit Union Procedures

INFORMATION SECURITY PROCEDURES

12/11/2009 Rev. 03/2012

Core Data Processing System

o Our core system resides on an IBM i5 server, is hosted by CMC Flex and is located at the Yreka main office. This system can be accessed in two formats: IBM’s Client Access software and CMC Flex’s new Java interface, known as JUICE.

Core Data Process Server Updates

o Updates or patches to the core system are supplied by CMC Flex via C/D or FTP (File Transfer Protocol); these may include IBM’s PTF or direct download patches. Direct downloads are sent to the server via FTP from CMC Flex; these may include version updates, fixes for open service requests, or service call fixes approved by the Information Security Officer.
o JUICE fixes are sent in scheduled deployments, which are scheduled for the third week of each month, on Thursday after EOD is processed. The Information Security Officer receives an e-mail and/or a phone call to confirm and notify the credit union of each deployment.

Core Data Process Server Maintenance

o Maintenance on our i5 server is performed quarterly. Verify that distribution queue retentions are checked prior to any purging. This is outlined in our i5 quarterly cleanup procedure and includes purging old data, i.e.: Review and clean wrkoutq, Purge Credit reports, Purge audio history, Purge Flex Teller history, Purge AP History, Purge closed accounts, Purge share, and archived purged accounts.

Core Data Process Server Backups

o A complete system backup is performed prior to quarterly purging, so that any data purged can be recovered, and then another complete system backup is performed once the cleanup process is completed. Daily, weekly and monthly backups are performed; please refer to our End of Day, End of Month and Disaster Recover Procedures.

Core Data Process Server Monitoring / Logs

o System job logs are reviewed by the Information Security Officer to identify any system changes or modifications. Any job logs that show changes to the core system will be retained to identify the system changes and to ensure these were approved.

Use of Voicemail, Electronic Mail and the Internet

o Company Access To Voice And Computer Communications
    o While the Credit Union voicemail and computer (e-mail) systems are provided for business purposes, the Credit Union recognizes that employees may make incidental use of these systems for personal messages. These messages will be treated no differently than written business messages, and may be accessed by the Credit Union for a variety of reasons. Please be clear that anything you send, receive, or store on any Credit Union-provided system may be read, listened to, or copied. The best guideline is: if you don’t want management to see it or hear it, don’t use the Credit Union equipment to write it, receive it, send it, or store it.
o Password Control
    o Employee password best practice is reviewed annually (see SCCU Security Training Program).
    o The System Manager/IT Specialist maintains a record of the following passwords:
        o Internet
        o E-mail
        o Intranet
        o Telephone voicemail
        o Vacation calendar
        o Personnel evaluation program
        o Employee time clock program
        o Kelley Blue Book
    o You are not permitted to use any password except your own to gain access to any password-protected program.
o Obligation To Protect Confidential Information
    o In using all electronic communication systems, you are required to protect the integrity of the Credit Union’s proprietary and confidential business information and confidential information relating to the Credit Union employees.
      Because electronic systems are not private, and use of these systems creates documents and recordings that may be easily distributed to individuals other than the intended reader, you must exercise caution when you use voicemail or e-mail to transmit Credit Union trade secrets or other confidential information.
o Restrictions On Use Of Electronic Systems
    o Like other Company assets, the Credit Union’s voicemail, e-mail and Internet systems may be used only in a responsible and lawful manner. The following policies apply to all use of these systems:
        o These systems may not be used to send any communication that may reasonably be perceived as discriminatory, harassing, offensive, or disruptive.
        o They may not be used to send communications or material that defames or disparages an individual, Credit Union, or business.
        o They may not be used to conduct personal business. Solicitations, offers to buy and sell goods or services, and other personal messages to groups are not an appropriate use of these systems.
        o You must not make any copies of the Credit Union’s computer software or computer files except for backup purposes. You must not give software to any other person.
        o Loading of any unauthorized personal software is not allowed.

Network

o Changes to any part of the credit union network must be documented and approved by the Information Security Officer. This includes, but is not limited to, configuration changes to any device and adding or removing any type of device on the network. Wireless network devices are not allowed on the credit union internal network.

Network / Wireless Access Control

o The credit union has all devices assigned a static IP address; DHCP (Dynamic Host Configuration Protocol) is not enabled on the internal network. The use of DHCP is set up on the credit union’s Linksys Firewall.
  The credit union uses a Linksys wireless router / firewall in conjunction with its Linksys firewall, to be used for internet access only and in no way tied to the internal credit union network; this access is locked and encrypted with a 128 encryption key. The Information Security Officer manages the encryption key. This access is for internal use only, to allow auditors or other vendors that may need temporary internet access, as well as Board of Directors meetings and training webinars. If a cabled connection is needed, the Information Security Officer or assignee will locate the Ethernet port needed for internet access and redirect this cable to the Firewall’s DHCP port; this will not allow access to the credit union’s network, but will allow the use of the internet.

Network Anti Virus/Spyware

o The Fortinet Firewall and Cymphonix web content filtering devices support antivirus and spyware content blocking; these units update virus and spyware definitions daily.

Network Monitoring/Alerts/Report/Logs

o The credit union internal network is monitored and protected by several devices: the Fortinet Firewall, the Cymphonix web content filtering device, an Intrusion Detection System (IDS) known as Snort, and Spiceworks, a network monitor that supports network inventory management as well as a helpdesk to manage network concerns.
o Our Firewall is managed by CMC Flex; the credit union receives monthly reports of all firewall activities, and these are reviewed and logged by the Information Security Officer. The Cymphonix device, IDS and Spiceworks are accessed through the local Intranet; the Information Security Officer manages access to this device. Any changes or modifications to these systems must be approved by the Information Security Officer; all logs are reviewed to ensure the integrity of the system.
  Reports and alerts are e-mailed to the Information Security Officer automatically by the Cymphonix web content filtering devices, IDS and Spiceworks, per the policies set up within the reporting / monitoring properties.

Personal Computers Access Control

o All credit union PCs are password protected; each account established must be set up with a password. All accounts must have a log out time period enabled and set to no longer than 15 minutes, with password set on resume.

Personal Computers Maintenance

o Maintenance is performed by the Information Security Officer weekly on all PCs, on Wednesdays and Thursdays. This includes:
    o Disk cleanup, which includes deleting downloaded program files, offline web pages, recycle bin, temporary files, and web client/published temporary files.
    o Windows operating system updates and security patches, revision updates and service pack releases. (Note: Revision updates and Service Packs will not be installed on production machines until they have been tested to ensure compatibility of third party vendor software.)
    o Third party software such as Microsoft Office, Adobe, etc. will be checked for updates and security patches weekly.
    o Defragmentation of the hard drives is performed monthly, unless new hardware or software programs are installed, in which case a defragmentation will be performed after modification of the PC is completed.

Personal Computers Anti Virus / Spyware

o All credit union PCs are protected with Symantec Endpoint Protection 11.0. All PCs are monitored by the Symantec Endpoint Protection server; updates are pushed out from the server 24/7 to all PCs on the network. The Information Security Officer monitors system performance and reviews logs daily to ensure the virus and spyware system is operating properly.
  If a credit union laptop PC is taken off the local network, the antivirus program is configured to receive updates via the internet to ensure virus definitions are up to date.

Personal Computers Monitoring

o All PCs are monitored by our Spiceworks system. Any modifications or changes made to any PC on the local network will be logged, and the Information Security Officer will be notified via e-mail of any changes made to any machine; this includes any automated updates.

Personal Computers Backups

o Backups of personal files are performed monthly on all workstation PCs.
o Critical PC systems such as the Symantec antivirus server, time forced data, wisdom data and website data files are backed up weekly. The JMFA Server is backed up daily.
o All data is backed up to a remote drive located in the server room, on PC31 Drive F, running RAID for redundancy.

Personal Computer Software

o Any software modifications or installations must be approved by the Information Security Officer prior to being installed or updated.

Firewall / Routers

o The credit union firewall is maintained by CMC Flex; all configuration files are backed up to CMC Flex’s hardware department, and the credit union’s Information Security Officer keeps an onsite copy of the files. The Internet Router, MPLS Routers and lines are managed and monitored by AT&T, with a backup modem and e-mail notification sent to the credit union if any problems occur.