Computer Protection Security
Guidelines

Some of the positives that can result from putting these computer protection security guidelines into practice include

• Greatly improved information security focus
• Better understanding of personal computer vulnerabilities
• Fewer information security incidents
• Fewer audit concerns / comments
• Greatly improved business focus

As a company desires to grow from a small to a medium sized business it becomes increasingly apparent that leadership must protect corporate resources, corporate information, and the information of customers, associates, and employees, placed in their custody.

Equipment and information in any form is considered an asset of the company and thus must be properly used and adequately protected. This includes usage of personal computers.

Leadership must ensure that the business is controlled, information is adequately protected, and laws are not being violated... AND... Personal Computers play a very large role in the overall equation.

The responsibility for the security of PCs lies with leadership and PC users. The required degree of PC security depends upon the vulnerability to equipment theft, and the sensitivity of information contained on hard drives and removable media.

User ID and authentication access controls becomes the first line of defense to protect against unauthorized access in a computing, communication, or application environment. As a requirement, all users validate their right to access the computing resource.

The validation process is the use of an identification code (userid) and a password or another unique aspect of an individual's physical characteristics. Access controls should prevent unauthorized access to company information through technical, i.e., operating system, and / or procedural, i.e., rules methods. Current industry standards support identification codes and passwords, although other technologies, such as smart cards or biometric keys (face id, fingerprints, retinal prints), can be used to manage highly sensitive information.

Password Controls

Computer protection security involves keeping passwords confidential and only known by you. It must never be shared, publicized in any way, stored on a programmable function key, or kept in a manner where an unauthorized person could gain access.

Password controls should include the following:

a)  Users select and keep passwords confidential. Any passwords assigned by a security administrator should be at the time of initial assignment only. Remove any initial passwords that remain unchanged for five (5) days after assignment to prevent usage.

b)  Keep passwords masked, never display them in clear text on any company computing resource device.

c)  Store passwords in encrypted form, and where technically possible, transmitted using encryption.

d)  Do not allow password file access. Passwords can only be reset, not viewed.

e)  Change ppasswords at an interval not to exceed 30 days.

f)   Password length must be a minimum of eight (8) characters or the maximum length supported by the application or system if less than (8) characters.

g)  Password configurations should be alpha, numeric combinations, and special characters where possible.

h)  Password controls must be in place to prohibit password reuse by use of a password history log or minimal time between password changes, where possible.

Other computer protection security password-related controls include

a)  Display ownership statement prior to the access of company information by indicating the level of accessed company classified information.

b)  Invoke automatic time-out and user re-authentication after a specific period of no terminal activity. Set the period of time-out  consistent with the sensitivity of company information. Normally, this period should not exceed thirty minutes.

c)  Log unsuccessful information access attempts showing access source location. Provide the log to the company information owner to identify and address unauthorized access attempt activity.

d)  Suspend userid access after a maximum of six (6) failed sign-on attempts.

e)  Disable userids, if not used for a period of ninety days.

f)   Prevent hardware/software features that bypass any company computing resource security sign-on procedures, e.g., no automated sign-on, icon-select sign-ons, userids and passwords run through an executable file. This requirement does not preclude the use of products and/or services that provide "single image sign-on" capabilities when approved by information technology management.

g)  Controlled access to company information, applications, systems, and infrastructure must have the ability to protect to the file level, including creation, deletion, read, and write. Clearly define the access with segregation of duties, where appropriate.

h)  Require that company computing resources, e.g., workstation, server that are connected to a company computing network resource must have access controls in place. These access controls should be consistent with the risks of unauthorized disclosure or compromise of company information.

i)    Require additional controls for remote access, including:

1. Audit trails of all outside company computing resources activity between host and user to uncover intrusion attempts and/or successes during sign-on and sign-off.
2. Encryption for company classified information, or require compensating practices if access controls are inadequate to protect company information.

General Computer Protection Security Guidelines

• Consider any customer owned information stored on company PCs, or accessible by company employees utilizing PCs, as  sensitive information.
• Sensitive information, customer, or company, whether stored or processed at the host, network server, or PC, must be properly protected and handled.
• Mechanisms must ensure that only authorized people gain appropriate access.
• The company reserves the right to audit any equipment or materials used for company business.

• Keep important or critical files on removable media, not the hard drive.
• For computer protection security always use surge protection.
• Removable media should be labeled to show data, ownership, and sensitivity.
• Secure removable media, i.e., DVDs, CD's, printouts, programs containing sensitive information.
• Care should be taken to remove all removable media when "booting". Most viruses enter PCs from the boot sector of removable media.
• Format removable media to be re-used, to erase any possible viruses.
• Use password protected screen savers.
• Downloading from public bulletin boards is considered high risk.
• For computer protection security, turn off and lock your PC at the end of the workday to prevent unauthorized access and possible contamination.
• Ensure that all keys are removed from lockable units and kept in a secure place.
• Make backups of all of your important files.
  
• Backup copies must be made of all original software as soon as it is received.
• Store backup copies offsite, away from the PC.
• PCs delivered with software already installed should be scanned for viruses before general use.
• For computer protection security scan all software for viruses before using.
• Periodically scan all hard drives and removable media for viruses.

Copyrights and Licensing

• Adhere to all purchased software copyright and duplication restrictions. When upgrading software, both the original and upgrade are considered licensed products. The original product must not be used on other systems.
• Obey all copyright and intellectual property laws.

Computer Protection Security and Prevention

• Sensitive information, especially that which has been downloaded from a mainframe or file server, must be placed on a system that protects it from unauthorized access or use.
• Immediately report the loss of any equipment, original software diskettes or CD's, removable media, or documentation to the company security department.
• Use of shareware or freeware is considered high risk.
• If a computer system has been compromised, i.e., virus infection, security breach, loss of information, etc., notify the company information security department immediately and isolate suspected PC(s) and diskettes and CD's to prevent further infection.
• Do not place food or drink on or near the keyboard or computer.

Symptoms of a Virus Infection

• Programs taking longer to start or running slower than usual.
• Executable files vanishing unexpectedly.
• Unexplained decreases in the amount of available memory or increases in areas marked "bad" on magnetic media.
• Unusual video displays, including strange messages, peculiar graphics, or "scrolling" of the screen.