General IT Policies for Client Firms
Originally Issued: June 3, 2004
Last Revised: February 25, 2006
Attention all staff members: We established these policies as a default baseline for all of our client sites. They are based on general IT consensus and current prevailing practices in the United States. Your firm (and your particular branch office), your employment contract, and personnel handbooks might impose additional rules, or grant specific waivers, which override this general document. Use this as a basic guideline.
When in doubt, always ask first!
What's allowed? What's not?
There are three main categories of rules for IT-related activities: customization, installation, and web site "surfing." The few customization items allowed are listed below; anything not mentioned should be considered improper and disallowed. For installation and web surfing, the rules are best expressed not as a simple yes/no, but as a breakdown of the various risk factors and their levels. For an explanation of how to interpret these risk factors, see the legend below the two tables.
Customization/Personalization (generally allowed, within good taste/judgment):
- web start page (be sure not to leave a page with streaming content unattended)
- Windows color scheme (reasonable choice, not to interfere with IT support)
- personal wallpaper (passive image files only; never download .exe packages!)
- change screensaver (but never install new unauthorized ones!)
Install Programs/Items (the colour-coded risk rating in each cell is not preserved in this text; see the legend below for the factor letters):

Install Programs/Items | A | S | C | B | T | D | O | L
AIM, MSN/Yahoo Messenger | | | | | | | |
VoIP clients | | | | | | | |
any web "toolbar" | | | | | | | |
music sharing (so-called P2P; we refer to them as APE) | | | | | | | |
personal applications (including personal business) | | | | | | | |
gaming applications | | | | | | | |
webcam client software (including nanny/traffic cam) | | | | | | | |
unauthorized remote access host/agent | | | | | | | |
remote access client | | | | | | | |
"desktop search" | | | | | | | |
screensavers | | | | | | | |
streaming radio/video player programs | | | | | | | |
upgrade applications* | | | | | | | |
upgrade/patch O.S.* | | | | | | | |
security "fixes" programs (including "anti-spyware") | | | | | | | |
store personal data files | | | | | | | |
set up personal email account in Outlook/Exchange | | | | | | | |
ftp server/client | | | | | | | |
java applets (specific sites/programs) | | | | | | | |
Sun J2RE (java virtual machine) | | | | | | | |
business applications* | | | | | | | |
Adobe Macromedia Flash/Shockwave | | | | | | | |
Microsoft LiveMeeting (Placeware) | | | | | | | |
Webex | | | | | | | |
Business-related site-specific Active-X | | | | | | | |
Approved online "security scan" | | | | | | | |
pcAnywhere Active-X | | | | | | | |
Visiting Web Sites (the colour-coded risk rating in each cell is not preserved in this text; see the legend below for the factor letters):

Visiting Web Sites | A | S | C | B | T | D | O | L
online/downloaded games | | | | | | | |
gambling | | | | | | | |
pornography | | | | | | | |
music download | | | | | | | |
celebrity sites | | | | | | | |
job search/resume | | | | | | | |
stock quotes/portfolio management | | | | | | | |
auction | | | | | | | |
shopping | | | | | | | |
sports, hobby, entertainment & leisure activities | | | | | | | |
streaming radio/video | | | | | | | |
news & weather (during breaks, while on hold) | | | | | | | |
personal email via web (occasional check) | | | | | | | |
Risk Factors:
- A: Attack Risk
- S: Stability (compatibility issues)
- C: Confidentiality (info leak)
- B: Bandwidth Consumption
- T: Time Waster
- D: Distractions
- O: Offensiveness to co-workers
- L: Legal Liability to the firm

Risk Level:
- Red: Extremely High
- Pink: High
- Yellow: Moderate
- Green: Acceptable
- Grey: Not Applicable (none)
Dos & Don'ts: Generally, anything with one or more Red ratings is automatically banned. Anything rated all Green/Grey is generally allowed. Most Pink ratings are also banned.
* Approved programs only, performed by DIFA
The following items are not allowed:
- Unauthorized backup/copy of company files onto any storage media, including diskettes, USB drives, CD or DVD discs.
- Unauthorized replication of folders onto personal laptop/notebook/handheld devices.
- Disabling or otherwise tampering with security devices and software settings, including the firewall, changing of the pre-assigned IP address, MAC address, etc.
- Sharing account passwords with unauthorized co-workers.
- Withholding security incident information from IT personnel.
- "Borrowing" company software for installation at home.
- Disclosing forbidden items (per the checks and balances rules) to IT personnel:
  - line-of-business operational secrets
  - confidential client data
  - financial information, including company credit cards, etc.
Checks and Balances Rules:
- The CTO/IT director has clearance and access to all user accounts on the domain/server and all physical files, but not the password to the financial software.
- The CFO/office manager in charge of bookkeeping has clearance to all financial matters but not physical file access.
- The CTO must disclose the master administrator password to the CEO/owner, so that in the event the IT key person is incapacitated or is terminated, the firm is not left in limbo.
- The CTO, CFO and CEO must disclose any personal friendship or joint business ventures with any staff members.
Social Engineering Precautions:
- Beware of spoofed email. When in doubt, verify by voice.
- Do not disclose any information on in-bound telephone calls, no matter how urgent and authoritative the caller sounds.
- Do not allow strangers with seemingly convincing "uniforms" and/or stories to have physical access to IT infrastructure: servers, workstations, routers, power panel.