Security Policy for Joe’s Gaming Company
Fall Semester 2018
Table of Contents
Abstract 2
General
Data Breach Response Policy 3
Disaster Recovery Plan Policy 4-5
Ethics Policy 5-6
Password Protection Policy 6-7
Network Security
Wireless Communication Policy 7-8
Bluetooth Baseline Requirements Policy 9
Router and Switch Security Policy 10-11
Server Security
Database Credentials Policy 12
Technology Equipment Disposal Policy 12-13
Workstation Security Policy 14
Software Installation Policy 15
Server Security Policy 16
Definition of Terms 17
References 18
Abstract
Joe’s Gaming Company (JGC) takes the security of the establishment very seriously. For instance, to secure our customers’ data during transactions in the store, we made sure to use the strongest encryption possible so that no outside party can access their data; this is explained in detail later in this document. We have secured customer transactions not only in the store but online as well. We want our consumers to feel as safe and secure as possible when purchasing products from our business, in store and online, so we made security our #1 priority. Throughout this document, I, the owner of Joe’s Gaming Company, will explain the main aspects of security that have been implemented in the company and break down each category of security so that it is understandable why I chose that specific kind of security policy for the company. Moreover, I believe the company will benefit from this Security Policy document because I will certainly need more employees in the future as the establishment continues to grow, and this document is the right place for new workers to learn the Security Policy in detail.
Security Policy for Joe’s Gaming Company
General
Data Breach Response Policy
The purpose of this policy is to establish the goals and the vision for the breach response process; in other words, it clearly describes who it applies to and under what circumstances. My intention in publishing a Data Breach Response Policy was mainly to focus significant attention on data security and data security breaches, and on how Joe’s Gaming Company, with its established reputation for openness, trust and integrity, should respond to such activity. I am 100% committed to protecting my employees, partners and the company from illegal or damaging actions by individuals, whether knowing or unknowing. This policy also mandates that any individual who suspects that a theft, breach or exposure of Joe’s Gaming Company’s protected or sensitive data has occurred must immediately provide a description of what occurred via e-mail to [email protected], by calling 567-452-1212, or through the help desk reporting web page at http://JoesGamingCompany.com. This e-mail address, phone number and web page are monitored by my Information Security Administrator, whose team will investigate all reported thefts, data breaches and exposures to confirm whether a theft, breach or exposure has actually occurred. If it has, the Information Security Administrator will follow the appropriate procedure in place. Considering that the encryption I placed on the data is the strongest out there, I doubt anyone would want to mess with the company’s data.
Disaster Recovery Plan Policy
Since disasters rarely happen in this company, I often ignored the disaster recovery planning process. However, I know it is important to realize that having a contingency plan in the event of a disaster gives Joe’s Gaming Company a competitive advantage. That is why I decided to implement this policy: anything can happen, and it is important to always have a backup plan so the company will not be at a complete loss. This policy requires management to financially support and diligently attend to disaster possibility planning efforts. Disasters are not limited to adverse weather conditions; any event that could likely cause a delay of service for an extended period of time should be considered. The Disaster Recovery Plan is closely linked to the Business Continuity Plan, which helps ensure that business processes can continue during an emergency or disaster, so the two go hand in hand with one another. The following contingency plans are in place:
· Computer Emergency Response Plan: Who is to be contacted, when, and how? What immediate actions must be taken in the event of certain occurrences?
· Succession Plan: Describe the flow of responsibility when normal staff is unavailable to perform their duties.
· Data Study: Detail the data stored on the systems, its criticality, and its confidentiality.
· Criticality of Service List: List all the services provided and their order of importance. It also explains the order of recovery in both short-term and long-term timeframes.
· Data Backup and Restoration Plan: Explain which data is backed up, the media to which it is saved, where that media is stored, and how often the backup is done. It should also describe how that data could be recovered.
· Equipment Replacement Plan: Describe what equipment is required to begin to provide services, list the order in which it is necessary, and note where to purchase the equipment.
Ethics Policy
Joe’s Gaming Company is committed to protecting its employees, staff and partners from illegal or damaging actions by individuals, whether knowing or unknowing. When Joe’s Gaming Company addresses issues proactively and uses correct judgment, it helps set us apart from competitors and portrays a higher standard than the norm. Joe’s Gaming Company will not tolerate any wrongdoing or indecency at any time, and will take the appropriate measures to act quickly in correcting the issue if the ethical code is broken. The purpose of this policy is to establish an environment of openness and trust and to emphasize employees’ and consumers’ expectation of fair business practices. This policy will serve to guide business behavior to ensure ethical conduct. Effective ethics is a team effort involving the participation and support of every Joe’s Gaming Company employee. All employees should familiarize themselves with the ethics guidelines that follow this introduction. This policy applies to employees, staff, temporaries, and other workers at Joe’s Gaming Company, including all personnel affiliated with third parties.
Unethical Behavior:
· Joe’s Gaming Company will avoid the intent and appearance of unethical or compromising practice in relationships, actions and communications.
· Joe’s Gaming Company will not tolerate harassment or discrimination.
· Unauthorized use of company trade, marketing, operational, personnel, financial, source code, and technical information integral to the success of the company will not be tolerated.
· Joe’s Gaming Company will not permit impropriety at any time, and we will act ethically and responsibly in accordance with the law.
· Joe’s Gaming Company employees will not use corporate assets or business relationships for personal use or gain.
· NO modding of any game provided for use in Joe’s Gaming Company will be tolerated. Doing so will result in an instant ban from the company, followed by a lawsuit.
Password Protection Policy
Passwords are an important aspect of security at Joe’s Gaming Company. A poorly chosen password may result in unauthorized access to and/or exploitation of our resources. All staff and employees with access to Joe’s Gaming Company systems are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. The purpose of this policy is to establish a standard for the creation of strong passwords and the protection of those passwords. The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Joe’s Gaming Company facility, has access to the Joe’s Gaming Company network, or stores any nonpublic Joe’s Gaming Company information.
Password Creation:
· Users must use a separate, unique password for each of their work-related accounts.
· Users may not use any work-related passwords for their own, personal accounts.
· User accounts that have system-level privileges granted through group memberships must have a unique password from all other accounts held by that user to access system-level privileges.
· It is highly recommended that some form of multi-factor authentication is used for any privileged accounts.
Network Security
Wireless Communication Policy
With the mass expansion of smartphones and tablets, universal wireless connectivity is almost a given at any organization. Insecure wireless configuration can provide an easy open door for malicious threat actors. The purpose of this policy is to secure and protect the information assets owned by Joe’s Gaming Company. Joe’s Gaming Company provides gaming consoles to use, free Wi-Fi networks to connect to and other electronic device systems to meet missions, goals, and initiatives. Joe’s Gaming Company grants access to these resources as a privilege and must manage them responsibly to maintain the confidentiality, integrity, and availability of all information assets. This policy specifies the conditions that wireless infrastructure devices must satisfy to connect to Joe’s Gaming Company’s network. Only those wireless infrastructure devices that meet the standards specified in this policy or are granted an exception by the Information Security Department are approved for connectivity to a Joe’s Gaming Company network. All employees, staff, consultants, temporary and other workers at Joe’s Gaming Company, including all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf of Joe’s Gaming Company must adhere to this policy. This policy applies to all wireless infrastructure devices that connect to a Joe’s Gaming Company network or reside on a Joe’s Gaming Company site that provide wireless connectivity to endpoint devices including, but not limited to, laptops, desktops, cellular phones, and tablets. This includes any form of wireless communication device capable of transmitting packet data.
General Requirements:
All wireless infrastructure devices that reside at a Joe’s Gaming Company site and connect to a Joe’s Gaming Company network, or provide access to information classified as Joe’s Gaming Company Confidential or above, must:
· Abide by the standards specified in the Wireless Communication Standard.
· Be installed, supported, and maintained by an approved support team.
· Use Joe’s Gaming Company approved authentication protocols and infrastructure.
· Use Joe’s Gaming Company approved encryption protocols.
· Maintain a hardware address (MAC address) that can be registered and tracked.
· Not interfere with wireless access deployments maintained by other support organizations.
Bluetooth Baseline Requirements Policy
Bluetooth enabled devices are exploding on the Internet at an astonishing rate and the range of connectivity has increased substantially. Insecure Bluetooth connections can introduce a number of potential serious security issues. Hence, there is a need for a minimum standard for connecting Bluetooth enabled devices.
The purpose of this policy is to provide a minimum baseline standard for connecting Bluetooth enabled devices to the Joe’s Gaming Company network or Joe’s Gaming Company owned devices. The intent of the minimum standard is to ensure sufficient protection of Personally Identifiable Information (any data that could potentially be used to identify a particular person) and confidential Joe’s Gaming Company data. This policy applies to any Bluetooth enabled device that is connected to Joe’s Gaming Company network or owned devices:
· No Bluetooth Device shall be deployed on Joe’s Gaming Company equipment that does not meet a minimum of Bluetooth v2.1 specification without written authorization from the InfoSec Team.
· Any Bluetooth equipment purchased prior to this policy must comply with all parts of this policy except the Bluetooth version specifications.
· When pairing your Bluetooth unit to your Bluetooth enabled equipment (e.g. phone, laptop), ensure that you are not in a public area where your PIN can be compromised.
· If your Bluetooth enabled equipment asks you to enter your PIN after you have initially paired it, you must refuse the pairing request and report it to the Help Desk immediately.
Router and Switch Security Policy
The purpose of this policy is to describe a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of Joe’s Gaming Company. All employees, temporary and other workers at Joe’s Gaming Company and its subsidiaries must adhere to this policy. All routers and switches connected to Joe’s Gaming Company networks are affected. Every router must meet the following configuration standards:
1. No local user accounts are configured on the router. Routers and switches must use TACACS+ (Terminal Access Controller Access Control System) for all user authentication.
2. The enable password on the router or switch must be kept in a secure encrypted form. The router or switch must have the enable password set to the current production router/switch password from the device’s support organization.
3. The following services or features must be disabled:
· IP directed broadcasts
· Incoming packets at the router/switch sourced with invalid addresses such as RFC1918 addresses
· TCP small services
· UDP small services
· All source routing and switching
· All web services running on router
· Joe’s Gaming Company discovery protocol on Internet connected interfaces
· Telnet, FTP, and HTTP services
· Auto-configuration
4. The following services should be disabled unless a business justification is provided:
· Joe’s Gaming Company discovery protocol and other discovery protocols
· Dynamic trunking
· Scripting environments, such as the TCL shell
5. The following services must be configured:
· Password-encryption
· NTP configured to a corporate standard source
6. All routing updates shall be done using secure routing updates.
7. Each router must have the following statement presented for all forms of login whether remote or local: "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device. Use of this system shall constitute consent to monitoring."
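The configuration standards above can be checked mechanically against a device's running configuration before it goes into production. The script below is an added example, not part of the original policy: it audits a constructed Cisco IOS-style configuration (the command syntax is an assumption; the policy itself is vendor-neutral) against items 1, 2, 3, 5 and 7, using 10.10.0.5 as a placeholder for the corporate NTP source. The RFC1918 source-address filter and secure routing updates (item 6) are not covered here.

```python
# Added example: audit an IOS-style running-config against the Router and Switch
# Security Policy. Cisco IOS command syntax is an assumption, not from the policy.
CORP_NTP = "10.10.0.5"  # placeholder for the corporate standard NTP source
BANNER_TEXT = "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED"
# Commands whose positive form (no leading "no ") violates the policy.
FORBIDDEN = {
    "username ": "local user account configured; TACACS+ only (item 1)",
    "enable password": "enable password not stored as an encrypted secret (item 2)",
    "ip directed-broadcast": "IP directed broadcasts enabled (item 3)",
    "service tcp-small-servers": "TCP small services enabled (item 3)",
    "service udp-small-servers": "UDP small services enabled (item 3)",
    "ip http server": "web service running on the device (item 3)",
}
# Commands that must appear somewhere in the configuration.
REQUIRED = {
    "aaa new-model": "AAA not enabled, so TACACS+ cannot be used (item 1)",
    "aaa authentication login default group tacacs+": "logins not via TACACS+ (item 1)",
    "enable secret": "no encrypted enable secret configured (item 2)",
    "no ip source-route": "source routing not explicitly disabled (item 3)",
    "no cdp run": "discovery protocol not disabled (items 3 and 4)",
    "service password-encryption": "password-encryption not enabled (item 5)",
    f"ntp server {CORP_NTP}": "NTP not set to the corporate standard source (item 5)",
}

def commands(config_text):
    """Yield (block, command); block is the enclosing 'interface'/'line' header or ''."""
    block = ""
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():  # a top-level line closes any open block
            block = raw if raw.startswith(("interface ", "line ")) else ""
            if block:
                continue
        yield block, raw.strip()

def audit(config_text):
    """Return the policy findings for one config; an empty list means compliant."""
    cmds = list(commands(config_text))
    findings = []
    for block, cmd in cmds:
        where = block or "global"
        for prefix, why in FORBIDDEN.items():
            if cmd.startswith(prefix):
                findings.append(f"{where}: {why}: '{cmd}'")
        if block.startswith("line vty") and cmd.startswith("transport input"):
            if "telnet" in cmd or cmd.endswith(" all"):  # item 3: no telnet logins
                findings.append(f"{where}: telnet accepted for remote login (item 3)")
    for prefix, why in REQUIRED.items():
        if not any(cmd.startswith(prefix) for _, cmd in cmds):
            findings.append(f"global: {why}")
    if BANNER_TEXT not in config_text:  # item 7: required warning in the login banner
        findings.append("global: login banner lacks the required warning text (item 7)")
    return findings

# Constructed sample configs, not captured from real devices.
NONCOMPLIANT_CONFIG = """username admin privilege 15 secret 5 $1$placeholder
enable password PLACEHOLDER
ip http server
service tcp-small-servers
interface GigabitEthernet0/0
 ip directed-broadcast
line vty 0 4
 transport input telnet
"""
COMPLIANT_CONFIG = """aaa new-model
aaa authentication login default group tacacs+
enable secret 5 $1$placeholder
service password-encryption
no ip source-route
no cdp run
ntp server 10.10.0.5
banner login ^C UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. ^C
line vty 0 4
 transport input ssh
"""
```

Running `audit(NONCOMPLIANT_CONFIG)` reports the local account, the cleartext enable password, each enabled service and every missing required command; `audit(COMPLIANT_CONFIG)` returns an empty list.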
Server Security
Database Credentials Policy
Database authentication credentials are a necessary part of authorizing applications to connect to internal databases. However, incorrect use, storage and transmission of such credentials could lead to the compromise of very sensitive assets and be a springboard to wider compromise within the organization. This policy states the requirements for securely storing and retrieving database usernames and passwords (i.e., database credentials) for use by a program that will access a database running on one of Joe’s Gaming Company’s networks. Software applications running on Joe’s Gaming Company’s networks may require access to one of the many internal database servers. In order to access these databases, a program must authenticate to the database by presenting acceptable credentials. If the credentials are improperly stored, they may be compromised, leading to a compromise of the database. This, in effect, would make our customers’ information accessible to hackers, and we will do our utmost to prevent that from occurring.
Technology Equipment Disposal Policy
Technology equipment often contains parts which cannot simply be thrown away. Proper disposal of equipment is both environmentally responsible and often required by law. In addition, hard drives, USB drives, CD-ROMs and other storage media contain various kinds of Joe’s Gaming Company data, some of which is considered sensitive. In order to protect the constituent’s data, all storage media must be properly erased before being disposed of. However, simply deleting or even formatting data is not considered sufficient. When deleting files or formatting a device, data is marked for deletion but is still accessible until it is overwritten by a new file. Therefore, special tools must be used to securely erase data prior to equipment disposal.
The purpose of this policy is to define the guidelines for the disposal of technology equipment and components owned by Joe’s Gaming Company. This policy applies to any computer/technology equipment or peripheral devices that are no longer needed within Joe’s Gaming Company, including but not limited to the following: personal computers, hard drives, laptops, gaming consoles (e.g. PlayStation 4, Xbox One), peripherals (e.g. keyboards, mice, speakers) and portable storage devices (e.g. USB drives). All employees and affiliates must comply with this policy:
Technology Equipment Disposal:
· When Technology assets have reached the end of their useful life they should be sent to the Equipment Disposal Team office for proper disposal.
· The Equipment Disposal Team will securely erase all storage media in accordance with current industry best practices.
· No computer equipment should be disposed of via skips, dumps, landfill etc.
· Electronic recycling bins may be periodically placed in locations around Joe’s Gaming Company. These can be used to dispose of equipment. The Equipment Disposal Team will properly remove all data prior to final disposal. Computer Equipment refers to desktop and laptop computers, monitors or any storage device, network switches, routers, wireless access points and batteries.
· Technology equipment with non-functioning memory or storage technology will have the memory or storage device removed and it will be physically destroyed.
Workstation Security Policy
The purpose of this policy is to provide guidance for workstation security for Joe’s Gaming Company workstations in order to ensure the security of information on the workstation and information the workstation may have access to. This policy applies to all Joe’s Gaming Company employees with a Joe’s Gaming Company-owned or personal workstation connected to the Joe’s Gaming Company network. Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information and that access to sensitive information is restricted to authorized users.
Appropriate measures include:
· Restricting physical access to workstations to only authorized personnel.
· Securing workstations (screen lock or logout) prior to leaving the area to prevent unauthorized access.
· Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected. The password must comply with the Joe’s Gaming Company Password Policy.
· Complying with all applicable password policies and procedures. See the Joe’s Gaming Company Password Policy.
· Ensuring workstations are used for authorized business purposes only.
· Never installing unauthorized software on workstations.
Software Installation Policy
Allowing employees to install software on company computing devices opens the organization up to unnecessary exposure. Conflicting file versions or DLLs which can prevent programs from running, the introduction of malware from infected installation software, unlicensed software which could be discovered during an inspection, and programs which can be used to hack the organization’s network are examples of the problems that can be introduced when employees install software on company equipment. The purpose of this policy is to outline the requirements around the installation of software on Joe’s Gaming Company computing devices, in order to minimize the risk of loss of program functionality, the exposure of sensitive information contained within the Joe’s Gaming Company computing network, the risk of introducing malware, and the legal exposure of running unlicensed software.
· Employees may not install software on Joe’s Gaming Company’s computing devices operated within the Joe’s Gaming Company network.
· Software requests must first be approved by the requester’s manager and then be made to the Information Technology department or Support Center in writing or via email.
· Software must be selected from an approved software list, maintained by the Information Technology department, unless no selection on the list meets the requester’s need.
· The Information Technology Department will obtain and track the licenses, test new software for conflict and compatibility, and perform the installation.
Server Security Policy
Unsecured and vulnerable servers continue to be a major entry point for malicious threat actors. Consistent Server installation policies, ownership and configuration management are all about doing the basics well. The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by Joe’s Gaming Company. Effective implementation of this policy will minimize unauthorized access to Joe’s Gaming Company copyrighted information and technology. All employees, staff, temporary and other workers at Joe’s Gaming Company and its subsidiaries must adhere to this policy. This policy applies to server equipment that is owned, operated, or leased by Joe’s Gaming Company or registered under a Joe’s Gaming Company-owned internal network domain.
· Servers must be registered within the management system. At a minimum, the following information is required to positively identify the point of contact:
 · Server contact(s) and location, and a backup contact
 · Hardware and Operating System/Version
 · Main functions and applications, if applicable
· Information in the management system must be kept up-to-date.
· Configuration changes for production servers must follow the appropriate change management procedures.
· The servers are meant to provide a secure and faster way to access the data of customers who have provided their information to us after purchasing a product.
Definition of Terms
1. Multi-Factor Authentication - is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.
2. MAC Address - stands for Media Access Control Address and is a hardware identification number that uniquely identifies each device on a network.
3. TACACS (Terminal Access Controller Access Control System) - is an older authentication protocol common to UNIX networks that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system.
4. DLL (Dynamic Link Library) - contains a library of functions and other information that can be accessed by a Windows program.
References
Information Security Policy Templates. (n.d.). Retrieved from https://www.sans.org/security-resources/policies
What is multifactor authentication (MFA)? - Definition from WhatIs.com. (n.d.). Retrieved from https://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA
MAC Address. (n.d.). Retrieved from https://techterms.com/definition/macaddress
What is TACACS (Terminal Access Controller Access Control System)? - Definition from WhatIs.com. (n.d.). Retrieved from https://searchsecurity.techtarget.com/definition/TACACS
DLL. (n.d.). Retrieved from https://techterms.com/definition/dll