Publishing Security Standards

Author: KnownTraveler

security_standards.md

@@ -0,0 +1,72 @@
+Security Standards
+============================
+
+## 1. Overview
+See Purpose
+
+## 2. Purpose
+The purpose of this policy is to provide guidance for workstation security for Gadgetry workstations in order to ensure the security of information on the workstation and information the workstation may have access to.
+
+## 3. Scope
+This policy applies to all Gadgetry employees, contractors, workforce members, vendors and agents with a Gadgetry-owned or Customer owned workstations connected to Gadgetry or Customer owned networks.
+
+## 4. Policy
+Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information is restricted to authorized users.
+
+4.1 Workforce members using workstations shall consider the sensitivity of the information and minimize the possibility of unauthorized access.
+
+4.2 Gadgetry will implement physical and technical safeguards for all workstations that access Customer systems to restrict access to authorized users.
+
+4.3 Appropriate measures include:
+
+- Restricting access to workstations to only authorized personnel.
+- Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access.
+- Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected. The password must comply with *Gadgetry's Password Policy*.
+- Ensuring workstations are used for authorized purposes only.
+- Complying with the *Portable Workstation Encryption Standard*.
+- Complying with the *Baseline Workstation Configuration Standard*.
+- Complying with the *Network and Wireless Communication*.
+
+## 5. Compliance
+
+5.1 Compliance Measurement
+Gadgetry will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, workstation monitoring, internal and external audits, and feedback to the policy owner.
+
+5.2 Exceptions
+Any exception to the policy must be approved by Gadgetry in advance.
+
+5.3 Non-Compliance
+An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
+
+## 6. Related Standards and Policies
+
+6.1 Gadgetry Password Policy
+
+- All user-level Gadgetry passwords will expire every 90 days and must be changed.
+- New passwords cannot be the same as the previous four passwords.
+- Passwords must be at least eight characters in length. Longer is better.
+- Passwords must contain both uppercase and lowercase characters (e.g., a-z and A-Z).
+- Passwords must contain at least one number (e.g., 0-9).
+- Passwords must contain at least one punctuation character (e.g., 0-9 and !@#$%^&*).
+- Accounts shall be locked after six failed login attempts within 30 minutes and shall remain locked for at least 30 minutes or until the System Administrator unlocks the account
+
+6.2 Baseline Workstation Configuration Standard
+
+- All workstations must be running current and supported version of its operating system. 
+- All workstations must be secured with a password-protected screen saver or automatic logoff that will take effect after no more than 15 minutes of inactivity. 
+- Before leaving a workstation unattended, even briefly, users must lock or logoff the workstation to prevent unauthorized access. 
+- Anti-virus software must be enabled, running, and up-to-date.
+- Anti-virus software must be configured to perform a full anti-virus scan weekly.
+
+6.3 Portable Workstation Encryption Standards
+
+- Portable workstations (i.e. laptops) should be fully encrypted.
+
+6.4 Network and Wireless Communication Standard
+
+- When using Public networks (e.g. Airport, Hotel) use of VPN is required.
+- Private networks should be password protected using *Gadgetry's Password Standard*
+- Use of Secure Protocols (e.g. HTTPS, SFTP, SSH) are required for network communication across public networks.
+
+-------------
+Gadgetry 2020