IT Policies?

TechieSooner

Supreme [H]ardness
Joined
Nov 7, 2007
Messages
7,601
Does anyone here implement one?

I am thinking I need to implement one.

One thing that made me think of this today was disposing of old computers. Instead of them throwing it away, they should all go through the IT Department (even if the IT Department chooses to throw it away- they need to look and see what kind of data is on it first).

Password policy, logon/logoff policy (logoff at end of day), things like that?

What items are included in yours?
 
Varies by client.

Standard policy on an old machine for most companies I work with is that I take a drill to the hard drive. Usually the drives are stored for a year or so after they are removed from a system first though. Some longer, some less.

As far as like a group policy or what not, most of our clients let their employees have admin rights on their work system (small business setups). The Group Policy that is deployed may open up some ports we know need to be, set up WSUS, etc. Nothing too major. Some of the bigger clients have some major lock downs on their systems preventing users from changing pretty much anything.
 
Every client has various IT Policies. Local government clients are pretty tight due to HIPAA and retention of documents and data. SMBs vary from client to client. Some have pretty relaxed policies as others compare to the local government clients. They all have them to try and protect themselves. The ones that are pretty light on the policies and restrictions are my favorite clients... They provide me with a bigger paycheck. All of them have in common that all machines are checked out by us prior to taking them out of service, and all hard drives are stored for a period of time, then they are destroyed or re-used in a company system.
 
It really depends on what industry your company is in, what you want out of your users and how much you do/don't want to piss them off. Not that making them mad is always a bad thing, I view IT policies as a give/take relationship. If you bar the user from being able to do their job effectively, then in my opinion the policy is a failure but if you give them too much freedom very bad things could happen (can't get much broader than that, huh?).

My previous company was Healthcare and publicly traded so I had to deal both with HIPAA and Sarbanes-Oxley (SOX) requirements. With my new company, I only need to deal with HIPAA. There is also PCI compliance depending on how many credit card transactions your company does, which adds even more into the mix.

My methodology for implementing policy is required/not-required-but-would-make-future-requirements-easier/easier-to-manage in that order.

So for me, I first implement HIPAA compliance requirements then, I implement the 'good' (if there is such a thing) policies that didn't annoy the hell out of the users from my previous SOX experience and then I implemented various security things that just seemed to make sense or make my life easier for future needs.

Should you have to deal with SOX, one thing I learned about SOX compliance is don't set draconian policies first; this was my previous company's mistake. The policies can be broad and a little lax and then tailored as needed. It's easier to add than it is to take away. An example would be a nice little policy I had to deal with on backups with SOX during an audit. The document specifically said "Jr. System Administrator handles backups" yet there was no Jr. Admin, just me (the Sr. Admin) and my normal Admin. While my Admin handled the backups, we actually failed this part of the audit because we had no Jr. Admin on staff. Generalization and broadness is the key to SOX it seems, because it's a pain in the ass to change, and you have to explain in great detail (saying 'I screwed up' doesn't work here) why you're making changes to your policy if you're taking away items, but if you're adding, it's much, much easier.

So anyways, here's some generalization of my implementations; I work in healthcare so some of these may not apply to you but are generally a good thing to implement.

We implement a lot more than the following but it does give an idea;
  • 90 day password expiration, no blank passwords, at least 6 characters long, and they can't reuse any of their past 10 passwords. Complexity is enabled requiring at least 3 of the following: Upper Case, Lower Case, Numbers, Special Characters.
  • If users don't need access to it, they don't have it. No shares use 'everyone' or 'anonymous user' as access; at the very least it's Domain Users, mostly 'Authenticated Users' and security groups.
  • For desktops, if they can't connect to the domain they only cache the last login.
  • Users only have 'Local Admin' if required to perform their duties (some badly written software from time to time) though most workstations do have 'Domain Users' in the local power-users group.
  • Any file transfers handled through a third party (ftp) use either Secure (SSH) FTP and/or pgp encryption (if using straight FTP, pgp is required), these commonly contain patient data. Most of these are dealt with automatically, if not only the user that deals with that specific transfer has access to those files.
  • Laptops require encryption; right now we are using a combination of Windows file encryption and Entrust desktop security. Unfortunately it can be very un-user-friendly at times but I don't want to be one of those companies that leaks out personal information, for many reasons. This was a lot harder to push through management than you'd think.
  • When a PC is decommissioned, the hard drive is pulled, imaged and wiped with bcwipe. Usually we store these as extras if needed (my company is relatively new, so our smallest tend to be around 40gb).
  • When a server is decommissioned, the hard drives are stored then destroyed if not reusable.
  • Bad hard drives for either are only sent back during warranty if they can be wiped or we can be assured the data will be wiped. If not, we eat the cost and destroy the drive, this wasn't an easy one for management to swallow at first.
  • Service account passwords are reset every year with a randomly generated password. These passwords are only known by the IT staff and rarely need to be used; yes, it is a royal pain to change every year (or at any point).
  • Our regular accounts in IT are not domain admin accounts; we have two, a standard user account and a domain admin service account (for those whose duties require it), same rules as standard accounts apply (being that they change every 90 days). Yes, it's a pain in the ass but it's really worked well for us and has actually helped in one issue with a user attempting to keylog so they can install iTunes.
  • Detailed 'logon' logs are used along with a popup that says 'your last logon was <date> on <pc>.' We can tell every PC or Server an account has logged onto. I use a combination of the logon script and a javascript app to handle this.
  • Local admin accounts are renamed and passworded, the default domain admin account has no access, a new account that looks like a user account was created in place of the administrator account and is never logged into, if it is alarms go off.
  • IT room is locked and access controlled, backups are sent off-site using an off-site secure storage company (like Iron Mountain).
  • Server logs are routinely looked into, especially those on the DMZ and firewalls.
These are the only ones that stick in my head right now though there are plenty of others. We also have the standard written policies like internet surfing and appropriate computer usage (web surfing is not banned, but it states to use common sense. If you get your job done, cool; if not, it shouldn't be a technology issue anyways), emails, backup routines, etc.

Like I kinda hinted at earlier, I like to implement strong security that the users really don't notice; if they notice it's probably because they are either doing something they are not supposed to or it's affecting their ability to do their job and the policy needs to be modified. My IT team, though a little understaffed and overworked, still responds very quickly to issues and requests so we have a positive relationship with the business; this wasn't so in my last company. Communication is key and things are a lot easier if they don't view us as the 'assholes.' That's what the finance department is for. :)
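As an added illustration of the logon-tracking item in the list above (this is not the poster's script; his used a logon script plus a JavaScript app), here is a PowerShell logon script that appends every logon to a central CSV and then shows the user the date and machine of their previous logon. The share path \\fileserver\logonlogs$ is a hypothetical placeholder.

```powershell
# Illustrative domain logon script: record this logon centrally and tell the
# user where their account was last used. Assumes a central share (hypothetical
# path below) that users can append to and IT staff can read.
$LogRoot = '\\fileserver\logonlogs$'
$User    = $env:USERNAME
$Domain  = $env:USERDOMAIN
$PC      = $env:COMPUTERNAME
$Now     = Get-Date

# One file per account (for the user-facing notice) and one combined file
# (so IT can see every PC or server an account has logged onto).
$UserLog = Join-Path $LogRoot "$Domain-$User.csv"
$AllLog  = Join-Path $LogRoot 'all-logons.csv'

# Read the most recent record for this account BEFORE appending the new one.
$Last = $null
if (Test-Path $UserLog) {
    $Last = Import-Csv -Path $UserLog | Select-Object -Last 1
}

# First IPv4 address of this workstation, resolved through .NET so the script
# also works on older Windows builds without the NetTCPIP module.
$Addr = [System.Net.Dns]::GetHostAddresses($PC) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        Select-Object -First 1

$Record = [pscustomobject]@{
    Timestamp = $Now.ToString('s')          # sortable ISO-8601 local time
    User      = "$Domain\$User"
    Computer  = $PC
    Address   = if ($Addr) { $Addr.IPAddressToString } else { '' }
}
$Record | Export-Csv -Path $UserLog -Append -NoTypeInformation
$Record | Export-Csv -Path $AllLog  -Append -NoTypeInformation

# Surface the previous logon so the user can spot use of their account elsewhere.
if ($Last) {
    $Msg = "Your last logon was $($Last.Timestamp) on $($Last.Computer)."
} else {
    $Msg = 'No previous logon has been recorded for this account.'
}
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.MessageBox]::Show($Msg, 'Logon notice') | Out-Null
```

Because the user's own account writes these records, grant the share only "Create files / Write data" (no Modify) so entries cannot be altered, and treat the domain controllers' Security log (event ID 4624) as the authoritative logon record. The script's real value is the user-facing notice, which is what surfaces an unexpected logon.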
 
You most definitely want to have old PCs go through the IT department. There could be confidential data on the hard drives that needs to be shredded. As far as logging off every day, you could implement a mandatory lock of the computer after 15-30 mins of standing idle, instead of mandatory log off. For getting rid of data, where I work they do a 7 pass shred of the hard drives that they are going to get rid of.

There are lots of things that could be done that are not too intrusive that could save you from leaking confidential data; you just have to think about it for a few mins.
 
"For getting rid of data, where I work they do a 7 pass shred of the hard drives that they are going to get rid of."

Couldn't you just take a drill and hammer to the drive before throwing it out? I reckon that's more fun than doing a 7 pass erase on it. :D

I dispose of laptop hard drives by taking a drill to it and shattering the glass/ceramic disks.
 