Premium Essay

Authorize User Policy

In: Computers and Technology

Submitted By shadowdodgee
Words 1478
Pages 6
Example Acceptable Use Policy for IT Systems

Using this policy
One of the challenges facing organizations today is enabling employees to work productively while also ensuring the security of the IT network and, crucially, the data on it. Given that technology is continually changing, employees play a significant role in IT security. This policy provides a framework for users to follow when accessing IT systems and the data on them. It is intended to act as a guideline for organizations looking to implement or update their own Acceptable Use Policy.
Feel free to adapt this policy to suit your organization. Where required, adjust, remove or add information according to your needs and your attitude to risk. This is not a comprehensive policy but rather a pragmatic template intended to serve as the basis for your own policy.
Your use of this policy is entirely at your own risk and Sophos therefore makes no conditions, warranties, or representations of any kind, including without limitation fitness for a particular purpose.
This policy should be linked to other policies which support your organization’s posture on IT and data security, such as a mobile device security policy, safe password policy and a data security policy.

Example Policy

1. Introduction

This Acceptable Use Policy (AUP) for IT Systems is designed to protect , our employees, customers and other partners from harm caused by the misuse of our IT systems and our data. Misuse includes both deliberate and inadvertent actions.

The repercussions of misuse of our systems can be severe. Potential damage includes, but is not limited to, malware infection (e.g. computer viruses), legal and financial penalties for data leakage, and lost productivity resulting from network downtime.

Everyone who works at is responsible for the security of our IT systems and the data on them. As such, all...

Similar Documents

Premium Essay


...and/or list items for sale with an international shipping option (such as worldwide shipping). PARTIES. If you have a PayPal account, this Agreement is between: · You; · eBay – specifically, the operator of the eBay site where you sell your item, if not your own eBay site of registration. For items sold on, you are contracting with eBay Inc. For items sold on any of eBay’s E.U. sites, you are contracting with eBay Europe S.à.r.l. For items sold on, you are contracting with eBay India Pvt. Ltd. For items sold on an eBay site outside of the U.S., E.U., and India, you are contracting with eBay International AG; and, · PayPal – specifically, the PayPal entity with which you have entered into a User Agreement to receive the PayPal Services. For example, if your PayPal account is registered in Canada, you are contracting with PayPal CA Limited. If you do not have a PayPal account, then this Agreement is between you and eBay only. APPLICATION TO ALL CURRENT & FUTURE LISTINGS. This Agreement will apply to all of your active...

Words: 1469 - Pages: 6

Premium Essay

It Security

...Information Security Policy University of Phoenix IT/244 Intro to IT Security Instructor’s Name: Mark Cherry Date: 03/11/2012 * Table of Contents 1. Executive Summary 1 2. Introduction 1 3. Disaster Recovery Plan 1 3.1. Key elements of the Disaster Recovery Plan 1 3.2. Disaster Recovery Test Plan 1 4. Physical Security Policy 1 4.1. Security of the facilities 1 4.1.1. Physical entry controls 1 4.1.2. Security offices, rooms and facilities 1 4.1.3. Isolated delivery and loading areas 2 4.2. Security of the information systems 2 4.2.1. Workplace protection 2 4.2.2. Unused ports and cabling 2 4.2.3. Network/server equipment 2 4.2.4. Equipment maintenance 2 4.2.5. Security of laptops/roaming equipment 2 5. Access Control Policy 2 6. Network Security Policy 3 7. References 3 Executive Summary This plan seeks to provide the best security available while keeping cost at a minimum. The security plan will implement the best software available along with other security measures to keep all information as secure as possible. The plan should be able to provide top notch security measures with the least amount of monitoring and maintenance. The plan should be fully active and available in the least amount of time with the least amount of disruption from day to day business. Project constraints will be mostly likely be in the cost sector, this may delay certain implantation of security measures but should not delay......

Words: 2076 - Pages: 9

Premium Essay

Proposed Solution

...non-repudiation, authentication, and authorization. This document also recommends technologies, processes, and policies that can be used to solve or mitigate denial-of-service (DOS) attacks, which can halt a business operation, and finally, discuss costs and benefits of effective protection measures and costs and penalties of ineffective or nonexistent protection measures. A workplace or business has many assets whether technological or not that contribute to their daily operation. For the most parts, even the non technological assets are somewhat controlled through the use of information technology means. Sometimes, those assets are physical such as workstations, servers, or non physical such as data. Either type of assets is indispensable for a company to secure for the business to continue operating, thus the importance of information security policy. An information security policy should fulfill many purposes. It should: protect people and information; set the rules for expected behavior by users, system administrators, management, and security personnel; authorize security personnel to monitor, probe, and investigate; define and authorize the consequences of violation; define the company consensus baseline stance on security; help minimize risk; and help track compliance with regulations and legislation (Diver, 2006). Also, the existence of information security policies are necessary in order to regulate employees behavior towards the use of a...

Words: 1275 - Pages: 6

Free Essay

Cis333 Week 5 Lab 4

...change is documented, and that no service is disrupted unless absolutely necessary, and that all resources efficiently used. 2. What type of access control system uses security labels? • A LBA C Label Base Access Control 3. Describe two options you would enable in a Windows Domain password policy. • Password must meet complexity requirements • Minimum Password length 4. Where would patch management and software updates fall under in security operations and management? • Procedures/ The SA or other personnel to be the responsible authority in informing all local authorities about patches that are related to software packages included on the entire inventory of the organizations software. • • Also in Procedures/ Additionally, any post-patch update distributions to the Database/Management Configuration Plan will be executed immediately after any patching has been done. 5. Is there a setting in your GPO to specify how many logon attempts will lock out an account? Yes, The Account Lockout Threshold can be set, this policy determines the number of failed attempts to logon, before the users’ account becomes locked. Once locked, it can not be used unless it is reset by an Administrator, or until the accounts lockout duration expires. A value of up to 999 failed logon attempts can be set, or you may set the value to zero, to allow the account to never be locked out. Name two......

Words: 689 - Pages: 3

Premium Essay

Multi-Layered Security Plan

...adequately protect the confidentiality, integrity, and availability of the information assets in the IT Infrastructure. Each one of the domain of the typical IT Infrastructure needs a proper security controls to ensure the confidentiality, integrity, and availability (CIA Triad). The following are the overview of the seven Domains: User Domain This is the domain of users that access systems, application, and data. It is the information asset of the organization that will be available to a rightful user by authenticating the user by the acceptable use policy (AUP). It is also define that the user is the weakest link in an IT infrastructure, but by educating user of the sensitivity of the IT infrastructure in the security awareness, security control shall be enforced. Security control to this domain can also be enforced by defining and implement the user policy of the IT infrastructure. Workstation Domain This is the domain where users first connect to the IT infrastructure. Because of numerous threats, it is necessary to implement a workstation logon for the user to authenticate the user for the security control of this domain. Users will be authenticated in the system by defining its credentials and roles to the system in order to gain permission and access to the IT infrastructure (Tipton and Henry, 2007). LAN Domain This is the domain where all the computers, printers, and servers connect to each other...

Words: 889 - Pages: 4

Free Essay

Administering Active Directory Rights Management Services

...Administering Active Directory Rights Management Services Detail the administrative tasks used to ensure security of the AD RMS environment including administering and implementing trust policies, security policies, and the configuration and deployment of rights policy templates. Describe the risks as well as the advantages of implementation of this service. When it comes to AD RMS it’s all about data privacy. Having information available and ready to you or the user, whether if you’re at home or in the office with the door closed this is what networking is all about. Now when trying to protect that same information, but still keeping a sense of flow throughout the sharing of this data can become tricky. That’s where RMS comes in to play with RMS there are two forms of protection we get from this one is through encryption and the other is through policy and this is called “Persistent Protection”. With persistent protection it controls access through trusted identities, secures transmissions, and embeds digital usage policies. Pretty much if you don’t have credentials to open or view a document will just forget it. But if you are authorized to open and view the document then policies step into place allowing or not allowing you to do certain things with said document (cool huh)? Now this policy and encryption (RMS) is very unique because it follows this said document where ever it goes. So to ensure security when the author wants to send a secure piece of data for the......

Words: 542 - Pages: 3

Premium Essay

Mcbride Financial Security

...McBride Financial Security Policy To bring McBride’s electronic key online will provide a great source of control in their area of physical security. Employees will only have access to areas that their work in and access to information according to their rank in McBride facility. Any unauthorized access to any area of any McBride facility will be punishable in accordance with McBride's Non-Compliance Policy. If an access card, key are lost or stolen or is not returned a fee will be charged for a new item. When an access card is lost, it will be deactivated immediately until a new card is issued. When processing a loan application, McBride is in control of large amount of sensitive customer information including the customer’s credit report and history. The protection of this information is very important. To protect data from loss, equipment failure, or intentional destruction, all mortgage applications and associated data will be backed up to magnetic tape as well as archived to a remote server daily. Magnetic tape backups will be performed every evening (except for Sunday when tape drives will be cleaned and maintained). All data backups will be perform only by an authorized member of McBride's in-house IT department. Another way that McBride will now protect sensitive data is through account access controls. Passwords, encryption, and pertinent classification of data are a few measures that will be implemented to ensure this protection. Every procedure and......

Words: 663 - Pages: 3

Premium Essay


...without services, should something happen with the ISP. A SLA is important to a company in making recovery plans, knowing what critical systems need to be available for a continuance of business and formulation of disaster recovery. 2. The user domain has several risk’s involved, as people are involved and there is no way employees can be monitored without the use of CCTV. Social engineering a person trying to obtain information through malicious means. The greatest tool in mitigating risk in the user domain is training and reminders for users to be aware of their surroundings. No acceptable user’s policy, AUP, or lack of training employees on the correct usage of the network. User accounts left active, if the employee is terminated, and another employee has the log on credentials. Mitigation would to be disabling all user accounts upon termination. 3. The use of USB’s or disk, the files could contain viruses and infect other files or applications on the network. No acceptable user’s policy, AUP, or lack of training employees on the correct usage of the network 4. A. HIPPA-applies to any organization that handles health contains health employers ,health plan sponsors, health care providers, public health authorizes and more B. SOX- applies to any business that required to be registered with the securities and exchanged commissions. This is pretty much any public trading company C. PCI DSS- it is not a law it is more of a standard that......

Words: 389 - Pages: 2

Free Essay

Is3230 Lab 5 Assessment

...control process 3. Remote Access servers, Authentication servers, and Logical IDS 4. Network should be both connected and secured physically and remotely in order to avoid unauthorized access to the system. The three are the computer has authorized access. Computer settings must be in compliance with the security standards, and the user having authorization access. 5. NAC Systems implement network security policy at the network access point relatively than the client (endpoint) operating system. Reliant on the system architecture and configuration, NAC systems can deliver physical port security or logical port/access security. NAC systems necessitate authentication for both the endpoint and user before the network access point forwards traffic for that client 6. PKI refers to a framework of programs, data standards, communication protocols, policies, and cryptographic mechanisms. The PKI infrastructure delivers for the generation, production, spreading, control, accounting and obliteration of public key certificates. PKI offers a selection of facilities containing issuance of digital certificates to individual users and servers, end-user enrollment software, assimilation with certificate directories. 7. Public key or asymmetric cryptography uses a pair of simultaneously generated keys to perform encryption and decryption. The private key is used to encrypt, the public key can be used to decrypt and verify that the sender holds the private key. This......

Words: 468 - Pages: 2

Premium Essay

Unit 1 Assignment 2

...Windows Limited environment is that all new users will be created within Active Directory at the Local Group Policy Object (GPO) level. They are assigned to Site GPO’s, Domain GPO’s, & an overall Organizational Unit GPO. The Organizational GPO would be “Ken 7 Windows Limited”, the Domain would be manager (level of authority), Site GPO would be location (state if national, country if international). The last level would be the Local GPO, where each users’ information is at. This is the level in which all new users are individually created or modified. One of the plus’ to Active Directory is that instead of having to manage each user account individually, you can modify the privileges of the higher level to apply the changes to all (eg. All users in the accounting department you want to now have access to something they previously did not). With the use of the levels of GPO’s described above, the lower level (user account) takes precedence over the higher level. If you want a specific manger or individual user to have privileges to something that the others in that GPO (Local, Site, or Domain) don’t, you have authorize that individual the privilege. It makes the management of privileges and security much easier to track, and not have to worry about mistakes being made. If they happen to be made, they can quickly be fixed or corrected. The last thing I want to cover is the use of SID’s (Security ID’s). Under Active Directory each user is assigned a SID, which......

Words: 372 - Pages: 2

Free Essay

Is3230 Unit 6 Assignment 1

...You are provided with the following list of privileges, roles, rights, and actions: 1. Must authenticate when accessing network resources 2. Is allowed remote access 3. Periodically reviews all user accounts 4. Authorizes risk assessments 5. Performs security assessments 6. Creates group policy objects 7. May send inbound e-mail 8. Is allowed to install software in a secured network 9. Performs daily log reviews 10. Is allowed to change the firewall rules 11. Manages incident response 12. Provides user awareness training 13. Access the file system within authorized system and groups 14. Develop infrastructure architecture plan 15. Manages Internet service provider (ISP) and Internet connectivity 16. Install patches on production system 17. May delete files from group folder 18. Installs security software 19. Create system users 20. Monitors systems for dormant accounts 21. May request file system changes 22. Develops and implements configuration standards 23. Grants access to resources 24. Create user accounts 25. May make file system changes 26. Run a backup program to capture changes to data and systems 27. May appoint a data/application custodian 28. May disable/delete unused accounts 29. May bypass authentication 30. Approves access to resources In the table given below, you need to relate the matching privileges, roles, rights, and actions to the account type on the left...

Words: 269 - Pages: 2

Premium Essay

Nt1330 Unit 1 Assignment 1

...enhanced access to resources hosted across the partnerships. The existing infrastructure does however present several challenges to implementing streamlined resource access including: 1- Exchanging user information between partners in a secure fashion. 2- Establishing a link between a user identity at a Partners 3- Enabling single sign-on between Partner Web sites. 4- Providing single logout (SLO) between Partner Websites. 5- Controlling access to resources based on partners user identity. 6- Inability to leverage disparate identity infrastructure across environments such...

Words: 817 - Pages: 4

Premium Essay

Information on Company Policies

...To: ISAACS, BRANDY From: Misty Ann Powers ( Subject: Company Policies Security Information Policy By being given access to Electrolux's IT systems you have become part of the team, helping to safeguard our systems and the information they contain. This document is intended to give you an overview of your role, the Group's rules and hopefully a security-minded attitude. All Electrolux employees and contractors are expected to follow the guidelines set out in the Group's Information Security Framework (ISF). Violation of these rules, or failure to perform responsibilities as defined in the ISF (and summarized here), will be sufficient cause for disciplinary action up to and including termination. In addition to following the ISF, users are expected to be proactive with line management in raising any issue that they feel could compromise the confidentiality, integrity or availability of IT systems or where they suspect a breach of procedure. If, after reading this, you have any questions please talk to your Line Manager, HR, I.T. Security or your Sector IT Manager. The full text of the ISF can be accessed via E-gate. ACCESS Electrolux only authorizes the user to access information, which is needed to perform their job. It is a criminal offense to attempt to gain access to any information system/database for which authority has not been given. Any such attempt will be deemed as an act of gross misconduct, resulting in disciplinary action, up......

Words: 855 - Pages: 4

Premium Essay


...receipt for a full refund. See Section 9. Satisfaction Guaranteed below for more details. 1. LICENSE GRANT AND RESTRICTIONS. Intuit Inc. (“Intuit”, “us”, “we”, “our”) grants you (“you” and “your” means an individual or single entity) the following rights provided that you comply with all of the terms and conditions of this Agreement. (i) Single User License. You may install and use a copy of the Software on up to three (3) computers used by a single household. If you purchased a valid license for the Software and received an Authentic Intuit CDROM, such CDROM is your backup copy of the Software. If you purchased a valid license and received the Software pre-installed on a new computer or through an electronic download, you may make one backup copy of the Software, but only for the purpose of reinstalling the Software, if needed, on the computer(s) referenced in (a) above. (ii) Multi User License. You may: (a) install the Software on the number of computers equal to the number of user licenses you purchased; (b) access and use the Software solely by the number of specific persons corresponding to the number of user licenses you purchased; (c) place a copy of your software data files on a...

Words: 9718 - Pages: 39

Premium Essay


...unfavorable publicity, increased oversight of your agency, computer breaches, and even a reduction in your IT budget. In this white paper, we’ll look at: • What FISMA is and why it was created • Key steps in achieving FISMA compliance • Tools that can help you meet FISMA requirements FISMA provides a set of specific guidelines for federal agencies on how to plan for, budget, implement, and maintain secure systems. These new, stricter security guidelines replaced an expired set of rules under the Government Information Security Reform Act. To achieve FISMA compliance, your agency must: • Plan for security • Ensure that appropriate officials are assigned security responsibility • Periodically review IT security controls • Authorize system processing prior to operations and periodically thereafter. Integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; confidentiality which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and availability, which means ensuring timely and reliable access to and use of information. The term national security system means any information system including any telecommunications system used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency the function, operation, or use of......

Words: 894 - Pages: 4