VGIPL: IT Company & Services | Digital Solution

CUSTOMER GRIEVANCE REDRESSAL POLICY

Virtual Galaxy Infotech Private Limited (herein after referred as “our” or “we” or “VGIPL”), as a Payment Aggregator concentrates on resolving customer grievances suitably and efficiently and assigns customer grievance at its top most priority. This policy is implemented with an intention to resolve the grievances and at the same time to minimize instances of customer complaints through proper review mechanism along with prompt redressal of various types of customer complaints.

The customers can reach us in multiple ways and each customer complaint shall be acknowledged by issue of specific reference number for proper tracking and resolution. Each such complaint shall be closed only after satisfactory resolution and confirmation from the Complainant. Unresolved complaints shall be escalated through the System for immediate attention and resolution. The Company’s Customer Grievance Redressal Policy has been designed and implemented with the sole intention that:

As a Service Organisation, Customers are the life-line of our Business and shall always be attended patiently and on priority
The website of the Company shall always display the modes through which the customers can register their complaints/ grievances with the Company along with details of Email ID, contact number, etc.
All the employees deputed for services in the Customer Grievance Redressal are well informed and trained to handle customer grievances and are aware that the Customers may feel dejected for on some wrong happening with them and may over react while registering their Complaint. Well informed and trained staff of the Company are in a better position to identify the root cause of the issues being faced by the Customers and shall address them positively by comforting the customers and registering their Complaints.
All registered complaint/ grievance shall be promptly dealt by the Company and the Customers shall always be treated compassionately until satisfactory resolution of their grievances. If the grievance/ complaint remains resolved, the Customer shall be provided with additional opportunity to escalate the issue.

The following process flow shall be followed by the Company for proper and timely redressal of Customers Grievances:

a) The Customer can lodge a complaint in the following three ways:

A customer can contact our Support Team : +91 7798880959, 7798880906 during working hours and register their complaints
By writing an email to Merchant.suppport@vgipl.in
By visiting the company’s Website through Contact us and lodging your complaint.

b) Once a complaint/ grievance is registered with the Company through any of the modes by the Customer, a unique complaint/ grievance registration number shall be allotted for the same for ease of tracking and future references.

c) If the grievance is received through an email or our website, such complaints shall be acknowledged by an immediate system generated response or via individual emails to the extent possible.

d) Any grievance received through any of the above modes will be routed to our dedicated customer complaint service desk who will immediately record your feedback/grievance.

e) The follow-up action taken in respect of such complaints shall be advised to customers by e-mail. The Customer Service Representative (CSR) will also attempt to contact the customer if additional information is required for effective resolution.

f) If the complaint remains unresolved within the given time or if the customer is not satisfied with the resolution provided, he/ she can refer to the escalation matrix mentioned in the policy and escalate the issue to the higher authority.

Customer Grievance Escalation Matrix

The escalation matrix to handle our customer grievances effectively and efficiently, where a customer has not received a response within the specified time frame or if the customer is dissatisfied with the response received at the first level, the customer can escalate the complaint to the next level as indicated below. Highest priority is given to escalation cases for faster resolution.

Level 2

Customer can address the grievance to the below address or an email for escalations:-

Name of the officer: Customer Service Head

Email ID: cs.head@vgipl.in

Office Address: Virtual Galaxy Infotech Pvt. Ltd. 3, Central Excise Colony, Chhatrapati Square, Ring Road, Nagpur – 440015, Maharashtra (INDIA)

Level 3

Customer can address the grievance to the below address or an email for escalations:-

Name of the officer: Nodal Officer

Email ID: rbi.nodalofficer@vgipl.in

Office Address: Virtual Galaxy Infotech Pvt. Ltd. 3, Central Excise Colony, Chhatrapati Square, Ring Road, Nagpur – 440015, Maharashtra (INDIA)

Upon receiving the complaint, we will acknowledge within 3 business days. Further response to the escalated issue will be sent within 7 business days post acknowledgement.

Cyber Security Policy

The Cyber Security Policy should be distinct from the IT/IS policy of the UCB so that it highlights the risks from cyber threats and the measures to address/reduce these risks. While identifying and assessing the inherent risks, UCBs should keep in view.

The technologies adopted - Security incident event management (SIEM), Privilege Identity Management (PIM), Database activity monitoring
Delivery channels - Delivery channels: ATM, PoS, IMPS, etc
Digital products being offered - Digital products: m-Banking, UPI, e-Wallet, etc
Internal and external threats etc… - Internal threats: Critical & sensitive data compromise, password theft, internal source code review, etc.
Rate each of these risks as Low, Medium, High and Very High - External threat: DDoS, Ransomware, etc

IT Architecture/Framework should be security compliant

The IT architecture/ framework which includes network, server, database and application, end user systems, etc., should take care of security measures at all times and this should be reviewed by the Board or IT Sub-committee of the Board periodically. For this purpose, UCBs may carry out the following steps:

Network

Identify weak/vulnerable areas in IT systems and processes by schedule VAPT test.
Cyber crises Management plan. Plan to be execute after attack happened
Cyber Security awareness to Board/Management/Employee
Do encourage communication within your organization when something happens or seems suspicious.
Do testing and auditing of logs and security system so that you make sure people’s awareness is high
Apply updated firewall and Allow / restricted access to networks. Proper firewall should be deployed and all the traffic in/out should be filtered, Public IP access should be on white list basis. Internet access to office should be restricted from firewall. Intrusion Prevention System Should be active.
USB Flash Drive, Careful on what you plug into your computer. Ever use a USB whose source you don’t know! It can be infected with malware that can even resist formatting
You still need antivirus (yes, really), Get protection for your connection! Do a bit of research and choose an antivirus you trust. Antivirus is still very necessary, so don’t skip it
Emails, emails are the big gateway for cyber criminals, never access .zip attachments in e-mails from unknown senders, don’t click links in e-mails from unknown senders
Do you https? Added “s” is key here. A website starting with https encrypts the data you put in the website and the data you get from it, so that no one can eavesdrop or tamper with the data flow
Use private network such as MPLS, other leased lines, VPN, with proper encryption for communication of branches to DC. Inter office network by using IPv6
Router configuration should be backup and reviewed timely
Restrict unauthorized user, Login banner should be active on all network devices

Server

Allow restricted access to applications wherever permitted, through well-defined processes and approvals including rationale for permitting such access
Assess the cost of impact in case of breaches/failures in these areas
Separate server for Bank application servers which are not having internet, and separate server for internet
Internal server to server accessibility and permissions (LAN)
Domain creation – set properties to domain regarding password policy, change frequency
Creation of VMware

Database

Allow /restricted access to databases
Creation individual user
Database access log
Database password encryption
Archive log, audit mode
DR site
Backup
Backup restoration and testing
DR drill activity
Allow /restrict access of external devices

Application

Allow restricted access to applications wherever role wise access permitted
Required software installation on Application server
Encryption of database link, configuration files, user name passwords
User name password change frequency
Allow /restrict access of external devices

End User Systems

Allow restricted access to applications wherever permitted, through well-defined processes and approvals including rationale for permitting such access

Cyber Security Policy Systems review

Cyber Security Policy should be review every year
Documentation, training and awareness program related Bank staff

Roles and responsibilities
Put in place suitable Cyber Security System to address them,
Specify and document clearly the responsibility for each of above steps.

Basic Cyber Security Controls for Primary (Urban) Cooperative Banks (UCBs)

1) Inventory Management of Business IT Assets
1.1 UCBs should maintain an up-to-date business IT Asset Inventory Register containing the following fields, as a minimum: Details of the IT Asset (viz., hardware/software/network devices, key personnel, services, etc.) Details of systems where customer data are stored Associated business applications, if any Criticality of the IT asset (For example, High/Medium/Low)
2) Preventing access of unauthorized software
3) Environmental Controls
4) Network Management and Security
5) Secure Configuration
6) Anti-virus and Patch Management
7) User Access Control / Management
8) Secure mail and messaging systems
9) Removable Media
10) User/Employee/Management Awareness
11) Customer Education and Awareness
13) Vendor/Outsourcing Risk Management

Description of some of the cyber security threats

Denial of service attack:
Distributed denial of service:
Ransom ware:
Malware:
Phishing:
Pear phishing:
Whaling:
Vishing:
Drive-by downloads:
Browser Gateway frauds:
Ghost administrator exploit:

Information Technology Policy and Procedure Manual

Introduction

The {Business Name} IT Policy and Procedure Manual provides the policies and procedures for selection and use of IT within the business which must be followed by all staff. It also provides guidelines {Business name} will use to administer these policies, with the correct procedure to follow. {Business Name} will keep all IT policies current and relevant. Therefore, from time to time it will be necessary to modify and amend some sections of the policies and procedures, or to add new procedures. Any suggestions, recommendations or feedback on the policies and procedures specified in this manual are welcome. These policies and procedures apply to all employees.

Technology Hardware Purchasing Policy

Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.
Computer hardware refers to the physical parts of a computer and related devices. Internal hardware devices include motherboards, hard drives, and RAM. External hardware devices include monitors, keyboards, mice, printers, and scanners.

Purpose of the Policy

This policy provides guidelines for the purchase of hardware for the business to ensure that all hardware technology for the business is appropriate, value for money and where applicable integrates with other technology for the business. The objective of this policy is to ensure that there is minimum diversity of hardware within the business Procedures

Purchase of Hardware

Guidance: The purchase of all desktops, servers, portable computers, computer peripherals and mobile devices must adhere to this policy. Edit this statement to cover the relevant technology for your business.

Purchasing desktop computer systems

Guidance: For assistance with Choosing hardware and software, including desktop computers, the Business Victoria’s Choosing hardware and software page on the Business Victoria website. The desktop computer systems purchased must run a {insert relevant operating system here e.g. Windows} and integrate with existing hardware { insert names of existing technology such as the business server}. The desktop computer systems must be purchased as standard desktop system bundle and must be {insert manufacturer type here, such as HP, Dell, Acer etc.}. The desktop computer system bundle must include: Desktop tower Desktop screen of {insert screen size here}

Keyboard and mouse You may like to consider stating if these are to be wireless

{insert name of operating system, e.g. Windows 7, and software e.g. Office 2013 here}
{insert other items here, such as speakers, microphone, webcam, printers etc.}

The minimum capacity of the desktop must be:

{insert speed of computer size (GHz -gigahertz)here}
{insert memory (RAM) size here}
{insert number of USB ports here}
{insert other specifications for desktop here, such as DVD drive, microphone port, etc.}

Any change from the above requirements must be authorised by {insert relevant job title here} All purchases of desktops must be supported by{insert guarantee and/or warranty requirements here} and be compatible with the business’s server system. All purchases for desktops must be in line with the purchasing policy in the Financial policies and procedures manual.

Purchasing portable computer systems

The purchase of portable computer systems includes {insert names of portable devices here, such as notebooks, laptops, tablets etc.} Portable computer systems purchased must run a {insert relevant operating system here e.g. Windows} and integrate with existing hardware { insert names of existing technology such as the business server}. The portable computer systems purchased must be {insert manufacturer type here, such as HP, Dell, Acer, etc.}. The minimum capacity of the portable computer system must be:

{insert speed of computer size (GHz -gigahertz)here}
{insert memory (RAM) size here}
{insert number of USB ports here}
{insert other specifications for the portable device here, such as DVD drive, microphone port, webcam, speakers, etc.}

The portable computer system must include the following software provided:

{insert names of software e.g. Office 2013, Adobe, Reader, Internet Explorer here}
{insert names of software e.g. Office 2013, Adobe, Reader, Internet Explorer here}
{insert names of software e.g. Office 2013, Adobe, Reader, Internet Explorer here}

Any change from the above requirements must be authorised by {insert relevant job title here} All purchases of all portable computer systems must be supported by{insert guarantee and/or warranty requirements here} and be compatible with the business’s server system. All purchases for portable computer systems must be in line with the purchasing policy in the Financial policies and procedures manual.

Purchasing server systems

Server systems can only be purchased by {insert relevant job title here, recommended IT specialist}. Server systems purchased must be compatible with all other computer hardware in the business. All purchases of server systems must be supported by {insert guarantee and/or warranty requirements here} and be compatible with the business’s other server systems. Any change from the above requirements must be authorized by {insert relevant job title here} All purchases for server systems must be in line with the purchasing policy in the Financial policies and procedures manual.

Purchasing computer peripherals

Computer system peripherals include {insert names of add-on devices such as printers, scanners, external hard drives etc. here} Computer peripherals can only be purchased where they are not included in any hardware purchase or are considered to be an additional requirement to existing peripherals. Computer peripherals purchased must be compatible with all other computer hardware and software in the business. The purchase of computer peripherals can only be authorized by {insert relevant job title here, recommended IT specialist or department manager}. All purchases of computer peripherals must be supported by{insert guarantee and/or warranty requirements here} and be compatible with the business’s other hardware and software systems. Any change from the above requirements must be authorized by {insert relevant job title here} All purchases for computer peripherals must be in line with the purchasing policy in the Financial policies and procedures manual.

Purchasing mobile telephones

A mobile phone will only be purchased once the eligibility criteria is met. Refer to the Mobile Phone Usage policy in this document. The purchase of a mobile phone must be from {insert names authorized suppliers here, such as Telstra, etc.} to ensure the business takes advantage of volume pricing based discounts provided by {insert names authorized suppliers here, such as Telstra, etc.}. Such discounts should include the purchase of the phone, the phone call and internet charges, etc. The mobile phone must be compatible with the business’s current hardware and software systems. The mobile phone purchased must be {insert manufacturer type here, such as iPhone, Blackberry, Samsung, etc.}. The request for accessories (a hands-free kit etc.) must be included as part of the initial request for a phone. The purchase of a mobile phone must be approved by {insert relevant job title here} prior to purchase. Any change from the above requirements must be authorised by {insert relevant job title here} All purchases of all mobile phones must be supported by{insert guarantee and/or warranty requirements here}. All purchases for mobile phones must be in line with the purchasing policy in the Financial policies and procedures manual.

Additional Policies for Purchasing Hardware

Guidance: add, link or remove the policies listed below as required.
Purchasing Policy
Mobile phone policy

Policy for Getting Software

Policy Number: {insert unique number} Policy Date: {insert date of policy} Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

Purpose of the Policy

This policy provides guidelines for the purchase of software for the business to ensure that all software used by the business is appropriate, value for money and where applicable integrates with other technology for the business. This policy applies to software obtained as part of hardware bundle or pre-loaded software.

Procedures

Request for Software

All software, including {insert relevant other types of non-commercial software such as open source, freeware, etc. here} must be approved by {insert relevant job title here} prior to the use or download of such software.

Purchase of software

The purchase of all software must adhere to this policy. All purchased software must be purchased by {insert relevant job title here} All purchased software must be purchased from {insert relevant suppliers names or the words ‘reputable software sellers’ here} All purchases of software must be supported by{insert guarantee and/or warranty requirements here} and be compatible with the business’s server and/or hardware system. Any changes from the above requirements must be authorised by {insert relevant job title here} All purchases for software must be in line with the purchasing policy in the Financial policies and procedures manual.

Obtaining open source or freeware software

Open source or freeware software can be obtained without payment and usually downloaded directly from the internet. In the event that open source or freeware software is required, approval from {insert relevant job title here} must be obtained prior to the download or use of such software. All open source or freeware must be compatible with the business’s hardware and software systems. Any change from the above requirements must be authorised by {insert relevant job title here}

Additional Policies for Obtaining Software

Guidance: add, link or remove the policies listed below as required.
Purchasing Policy
Use of Software policy

Policy for Use of Software

Policy Number: {insert unique number} Policy Date: {insert date of policy} Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

Purpose of the Policy

This policy provides guidelines for the use of software for all employees within the business to ensure that all software use is appropriate. Under this policy, the use of all open source and freeware software will be conducted under the same procedures outlined for commercial software.

Procedures

Software Licensing

All computer software copyrights and terms of all software licences will be followed by all employees of the business. Where licensing states limited usage (i.e. the number of computers or users etc.), then it is the responsibility of {insert relevant job title here} to ensure these terms are followed. {insert relevant job title here} is responsible for completing a software audit of all hardware twice a year to ensure that software copyrights and license agreements are adhered to.

Software Installation

All software must be appropriately registered with the supplier where this is a requirement. {Business Name} is to be the registered owner of all software. Only software obtained in accordance with the getting software policy is to be installed on the business’s computers. All software installation is to be carried out by {insert relevant job title here} A software upgrade shall not be installed on a computer that does not already have a copy of the original version of the software loaded on it.

Software Usage

Only software purchased in accordance with the getting software policy is to be used within the business. Prior to the use of any software, the employee must receive instructions on any licensing agreements relating to the software, including any restrictions on the use of the software. All employees must receive training for all new software. This includes new employees to be trained to use existing software appropriately. This will be the responsibility of {insert relevant job title here} Employees are prohibited from bringing software from home and loading it onto the business’s computer hardware. Unless express approval from {insert relevant job title here} is obtained, the software cannot be taken home and loaded on a employees’ home computer Where an employee is required to use the software at home, an evaluation of providing the employee with a portable computer should be undertaken in the first instance. Where it is found that software can be used on the employee’s home computer, authorization from {insert relevant job title here} is required to purchase separate software if licensing or copyright restrictions apply. Where software is purchased in this circumstance, it remains the property of the business and must be recorded on the software register by {insert relevant job title here} Unauthorized software is prohibited from being used in the business. This includes the use of software owned by an employee and used within the business. The unauthorized duplicating, acquiring or use of software copies is prohibited. Any employee who makes, acquires, or uses unauthorized copies of the software will be referred to {insert relevant job title here} for {insert consequence here, such as further consultation, reprimand action, etc.}. The illegal duplication of software or other copyrighted works is not condoned within this business and {insert relevant job title here} is authorized to undertake disciplinary action where such an event occurs.

Breach of Policy

Where there is a breach of this policy by an employee, that employee will be referred to {insert relevant job title here} for {insert consequence here, such as further consultation, reprimand action, etc.} Where an employee is aware of a breach of the use of software in accordance with this policy, they are obliged to notify {insert relevant job title here} immediately. In the event that the breach is not reported and it is determined that an employee failed to report the breach, then that employee will be referred to {insert relevant job title here} for {insert consequence here, such as further consultation, reprimand action, etc.}

Additional Policies for Use of Software

Guidance: add, link or remove the policies listed below as required.
Technology Hardware Policy
Obtaining Software policy

Bring Your Own Device Policy

Policy Number: {insert unique number}
Policy Date: {insert date of policy}}
Guidance: Edit this policy so it suits the needs of your business.}
At {Business Name} we acknowledge the importance of mobile technologies in improving business communication and productivity. In addition to the increased use of mobile devices, staff members have requested the option of connecting their own mobile devices to {Business Name}'s network and equipment. We encourage you to read this document in full and to act upon the recommendations. This policy should be read and carried out by all staff.

Purpose of the Policy

This policy provides guidelines for the use of personally owned notebooks, smart phones, tablets and {insert other types of mobile devices} for business purposes. All staff who use or access {Business Name}'s technology equipment and/or services are bound by the conditions of this Policy.

Procedures

Current mobile devices approved for business use

The following personally owned mobile devices are approved to be used for business purposes:

{insert type of approved mobile devices such as notebooks, smart phones, tablets, iPhone, removable media etc.}
{insert type of approved mobile devices such as notebooks, smart phones, tablets, iPhone, removable media etc.}
{insert type of approved mobile devices such as smart phones, tablets, iPhone etc.}
{insert type of approved mobile devices such as notebooks, smart phones, tablets, iPhone, removable media etc.}.

Registration of personal mobile devices for business use

Guidance: You will need to consider if the business is to have any control over the applications that are used for business purposes and/or used on the personal devices. Employees when using personal devices for business use will register the device with {insert relevant job title or department here}. {insert relevant job title or department here} will record the device and all applications used by the device. Personal mobile devices can only be used for the following business purposes:

{insert each type of approved use such as email access, business internet access, business telephone calls etc.}
{insert each type of approved use such as email access, business internet access, business telephone calls etc.}
{insert each type of approved use such as email access, business internet access, business telephone calls etc.}.

Each employee who utilises personal mobile devices agrees:

Not to download or transfer business or personal sensitive information to the device. Sensitive information includes {insert types of business or personal information that you consider sensitive to the business, for example intellectual property, other employee details etc.}
Not to use the registered mobile device as the sole repository for {Business Name}'s information. All business information stored on mobile devices should be backed up
To make every reasonable effort to ensure that {Business Name}'s information is not compromised through the use of mobile equipment in a public place. Screens displaying sensitive or critical information should not be seen by unauthorised persons and all registered devices should be password protected
To maintain the device with {insert maintenance requirements of mobile devices such as current operating software, current security software etc.}
Not to share the device with other individuals to protect the business data access through the device
To abide by {Business Name}'s internet policy for appropriate use and access of internet sites etc.
To notify {Business Name} immediately in the event of loss or theft of the registered device

Not to connect USB memory sticks from an untrusted or unknown source to {Business Name}'s equipment.

All employees who have a registered personal mobile device for business use acknowledge that the business:

Owns all intellectual property created on the device
Can access all data held on the device, including personal data
Will regularly back-up data held on the device
Will delete all data held on the device in the event of loss or theft of the device
Has first right to buy the device where the employee wants to sell the device
Will delete all data held on the device upon termination of the employee. The terminated employee can request personal data be reinstated from back up data
Has the right to deregister the device for business use at any time.

Keeping mobile devices secure

The following must be observed when handling mobile computing devices (such as notebooks and iPads):

Mobile computer devices must never be left unattended in a public place, or in an unlocked house, or in a motor vehicle, even if it is locked. Wherever possible they should be kept on the person or securely locked away
Cable locking devices should also be considered for use with laptop computers in public places, e.g. in a seminar or conference, even when the laptop is attended
Mobile devices should be carried as hand luggage when travelling by aircraft.

Exemptions

This policy is mandatory unless {insert relevant job title or department here} grants an exemption. Any requests for exemptions from any of these directives, should be referred to the {insert relevant job title or department here}.

Breach of this policy

Any breach of this policy will be referred to {insert relevant job title} who will review the breach and determine adequate consequences, which can include { insert consequences here such as confiscation of the device and or termination of employment.}

Indemnity

{Business Name} bears no responsibility whatsoever for any legal action threatened or started due to conduct and activities of staff in accessing or using these resources or facilities. All staff indemnify {Business Name} against any and all damages, costs and expenses suffered by {Business Name} arising out of any unlawful or improper conduct and activity, and in respect of any action, settlement or compromise, or any statutory infringement. Legal prosecution following a breach of these conditions may result independently from any action by {Business Name}.

Additional Policies for Business Mobile Phone Use

Guidance: add, link or remove the policies listed below as required. Technology Hardware Purchasing Policy
Use of Software policy
Purchasing Policy

Information Technology Security Policy

Policy Number: {insert unique number} Policy Date: {insert date of policy} Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

Purpose of the Policy

This policy provides guidelines for the protection and use of information technology assets and resources within the business to ensure integrity, confidentiality and availability of data and assets.

Procedures

Physical Security

For all servers, mainframes and other network assets, the area must be secured with adequate ventilation and appropriate access through {insert relevant security measure here, such as keypad, lock etc.} It will be the responsibility of {insert relevant job title here} to ensure that this requirement is followed at all times. Any employee becoming aware of a breach to this security requirement is obliged to notify {insert relevant job title here} immediately. All security and safety of all portable technology, {insert relevant types here, such as laptop, notepads, iPad etc.} will be the responsibility of the employee who has been issued with the {insert relevant types here, such as laptop, notepads, iPads, mobile phones etc.}. Each employee is required to use {insert relevant types here, such as locks, passwords, etc.} and to ensure the asset is kept safely at all times to protect the security of the asset issued to them. In the event of loss or damage, {insert relevant job title here} will assess the security measures undertaken to determine if the employee will be required to reimburse the business for the loss or damage. All {insert relevant types here, such as laptop, notepads, iPads etc.} when kept at the office desk is to be secured by {insert relevant security measure here, such as keypad, lock etc.} provided by {insert relevant job title here}

Information Security

All {insert relevant data to be backed up here – either general such as sensitive, valuable, or critical business data or provide a checklist of all data to be backed up } is to be backed-up. It is the responsibility of {insert relevant job title here} to ensure that data back-ups are conducted {insert frequency of back-ups here} and the backed up data is kept {insert where back up data is to be kept e.g. cloud, offsite venue, employees home etc. here} All technology that has internet access must have anti-virus software installed. It is the responsibility of {insert relevant job title here} to install all anti-virus software and ensure that this software remains up to date on all technology used by the business. All information used within the business is to adhere to the privacy laws and the business’s confidentiality requirements. Any employee breaching this will be {insert relevant consequence here}

Technology Access

Every employee will be issued with a unique identification code to access the business technology and will be required to set a password for access every {insert frequency here} Each password is to be {insert rules relating to password creation here, such as number of alpha and numeric etc.} and is not to be shared with any employee within the business. {insert relevant job title here} is responsible for the issuing of the identification code and initial password for all employees. Where an employee forgets the password or is ‘locked out’ after {insert a number here e.g. three attempts}, then {insert relevant job title here} is authorised to reissue a new initial password that will be required to be changed when the employee logs in using the new initial password. The following table provides the authorisation of access:

Technology – Hardware/ Software	Persons authorised for access
{insert name or type of technology here}	{insert authorised persons or job titles here}
{insert name or type of technology here}	{insert authorised persons or job titles here}
{insert name or type of technology here}	{insert authorised persons or job titles here}
{insert name or type of technology here}	{insert authorised persons or job titles here}

Employees are only authorised to use business computers for personal use {insert when this is allowable and what they can personally use it for here, such as internet usage etc.} For internet and social media usage, refer to the Human Resources Manual. It is the responsibility of {insert relevant job title here} to keep all procedures for this policy up to date.

Additional Policies for Information Technology Security

Guidance: add, link or remove the policies listed below as required.
Emergency Management of Information Technology Policy
Information Technology Administration Policy

Information Technology Administration Policy

Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

Purpose of the Policy

This policy provides guidelines for the administration of information technology assets and resources within the business.

Procedures

All software installed and the licence information must be registered on the {insert where these records are to be kept}. It is the responsibility of {insert relevant job title here} to ensure that this registered is maintained. The register must record the following information:

What software is installed on every machine
What licence agreements are in place for each software package
Renewal dates if applicable.

{insert relevant job title here} is responsible for the maintenance and management of all service agreements for the business technology. Any service requirements must first be approved by {insert relevant job title here}. {insert relevant job title here} is responsible for maintaining adequate technology spare parts and other requirements including {insert specific technology requirements here, such as toners, printing paper etc.} A technology audit is to be conducted {insert frequency here e.g. annually} by {insert relevant job title here} to ensure that all information technology policies are being adhered to. Any unspecified technology administration requirements should be directed to {insert relevant job title here}

Additional Policies for Information Technology Administration

Guidance: add, link or remove the policies listed below as required.
IT Service Agreements Policy
Purchasing Policy

Website Policy

Policy Number: {insert unique number} Policy Date: {insert date of policy} Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

Purpose of the Policy

This policy provides guidelines for the maintenance of all relevant technical issues related to the business website.

Procedures

Website Register

The website register must record the following details:

List of domain names registered to the business
Dates of renewal for domain names
List of hosting service providers
Expiry dates of hosting

{insert any other records to be kept in relation to your business website here}. The keeping the register up to date will be the responsibility of {insert relevant job title here}. {insert relevant job title here} will be responsible for any renewal of items listed in the register. Website Content All content on the business website is to be accurate, appropriate and current. This will be the responsibility of {insert relevant job title here} All content on the website must follow {insert relevant business requirements here where applicable, such as a business or content plan, etc.} The content of the website is to be reviewed {insert frequency here} The following persons are authorized to make changes to the business website:
{insert relevant job title here}
{insert relevant job title here}
{insert relevant job title here}
Basic branding guidelines must be followed on websites to ensure a consistent and cohesive image for the business. All data collected from the website is to adhere to the Privacy Act

Additional Policies for Website Policy

Guidance: add, link or remove the policies listed below as required.
Information Technology Security Policy
Emergency Management of Information Technology policy

Electronic Transactions Policy

Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

Purpose of the Policy

This policy provides guidelines for all electronic transactions undertaken on behalf of the business. The objective of this policy is to ensure that use of electronic funds transfers and receipts are started, carried out, and approved in a secure manner.

Procedures

Electronic Funds Transfer (EFT)

It is the policy of {Business Name} that all payments and receipts should be made by EFT where appropriate. All EFT payments and receipts must adhere to all finance policies in the Financial policies and procedures manual. All EFT arrangements, including receipts and payments must be submitted to {insert relevant department of the business here, e.g. finance department}. EFT payments must have the appropriate authorisation for payment in line with the financial transactions policy in the Financial policies and procedures manual. EFT payments must be appropriately recorded in line with finance policy in the Financial policies and procedures manual. EFT payments once authorised, will be entered into the {insert title of payment system here e.g. NAB online system} by {insert relevant job title here} EFT payments can only be released for payment once pending payments have been authorised by {insert relevant job title here} For good control over EFT payments, ensure that the persons authorising the payments and making the payment are not the same person. All EFT receipts must be reconciled to customer records {insert frequency here e.g. once a week etc.} Where EFT receipt cannot be allocated to customer account, it is responsibility of {insert relevant job title here} to investigate. In the event that the customer account cannot be identified within {insert length of time here, such as one month} the receipted funds must be {insert action here such as allocated to suspense account or returned to source etc.}. {insert relevant job title here} must authorise this transaction. It is the responsibility of {insert relevant job title here} to annually review EFT authorisations for initial entry, alterations, or deletion of EFT records, including supplier payment records and customer receipt records.

Electronic Purchases

All electronic purchases by any authorised employee must adhere to the purchasing policy in the Financial policies and procedures manual. Where an electronic purchase is being considered, the person authorising this transaction must ensure that the internet sales site is secure and safe and be able to demonstrate that this has been reviewed. All electronic purchases must be undertaken using business credit cards only and therefore adhere to the business credit card policy in the Financial policies and procedures manual.

Additional Policies for Electronic Transactions Policy

Guidance: add, link or remove the policies listed below as required.
Information Technology Security Policy
Finance Policies

IT Service Agreements Policy

Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

Purpose of the Policy

This policy provides guidelines for all IT service agreements entered into on behalf of the business.

Procedures

The following IT service agreements can be entered into on behalf of the business: Guidance: Insert the acceptable IT services for your business – the following dot points will assist.

Provision of general IT services
Provision of network hardware and software
Repairs and maintenance of IT equipment
Provision of business software
Provision of mobile phones and relevant plans
Website design, maintenance etc.
{insert type of IT service here}.

All IT service agreements must be reviewed by {insert who should review, recommended lawyer or solicitor} before the agreement is entered into. Once the agreement has been reviewed and recommendation for execution received, then the agreement must be approved by {insert relevant job title here} All IT service agreements, obligations and renewals must be recorded {insert where the agreements are to be recorded here} Where an IT service agreement renewal is required, in the event that the agreement is substantially unchanged from the previous agreement, then this agreement renewal can be authorised by {insert relevant job title here}. Where an IT service agreement renewal is required, in the event that the agreement has substantially changed from the previous agreement, {insert who should review, recommended lawyer or solicitor} before the renewal is entered into. Once the agreement has been reviewed and recommendation for execution received, then the agreement must be approved by {insert relevant job title here} In the event that there is a dispute to the provision of IT services covered by an IT service agreement, it must be referred to {insert relevant job title here} who will be responsible for the settlement of such dispute.

Additional Policies for IT Services Policy

Guidance: add, link or remove the policies listed below as required.
Technology Hardware Purchasing Policy

Emergency Management of Information Technology

Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

Purpose of the Policy

This policy provides guidelines for emergency management of all information technology within the business.

Procedures

IT Hardware Failure

Where there is failure of any of the business’s hardware, this must be referred to {insert relevant job title here} immediately. It is the responsibility of {insert relevant job title here} to {insert relevant actions that should be undertaken here} in the event of IT hardware failure. It is the responsibility of {insert relevant job title here} to undertake tests on planned emergency procedures {insert frequency here, recommended quarterly} to ensure that all planned emergency procedures are appropriate and minimise disruption to business operations.

Point of Sale Disruptions

In the event that point of sale (POS) system is disrupted, the following actions must be immediately undertaken: Guidance: Insert the actions required for your business – the following dot points will assist.

POS provider to be notified

{insert relevant job title here} must be notified immediately
All POS transactions to be taken using the manual machine located below the counter
For all manual POS transactions, customer signatures must be verified

{insert other relevant emergency actions here}
{insert other relevant emergency actions here}.

Virus or other security breach

In the event that the business’s information technology is compromised by software virus or {insert other relevant possible security breaches here} such breaches are to be reported to {insert relevant job title here} immediately. {insert relevant job title here} is responsible for ensuring that any security breach is dealt with within {insert relevant timeframe here} to minimise disruption to business operations.

Website Disruption

In the event that business website is disrupted, the following actions must be immediately undertaken: Guidance: Insert the actions required for your business – the following dot points will assist.

Website host to be notified
{insert relevant job title here} must be notified immediately
{insert other relevant emergency actions here}

Windows Group Policy

MS Windows Server 2012 R2 Baseline Security Standards

Version 1.3

References:

6.100 – Information Technology and Security Policy 6.101 – Use of County Information Technology Resources

Developed:

Host Strengthening & Isolation Work Group, Mitigation of Cyber Terrorism

RELEASE NOTES AND HISTORY LOG

The content in this document will be periodically updated to reflect the changes in the County environment as well as the Microsoft Windows Server 2012 software features and capabilities. In addition, this document will be constantly maintained to capture industry best practices as the technology and standards continues to evolve.

DATE	NEW VERSION NUMBER	MODIFIED BY	DESCRIPTION of CHANGE
11/14/2014	1.0	C. Hinton (ISD-ITSS)	1) SET team developed initial document.
12/15/2014	1.1	C. Hinton	1) Remove Password Section and Workstation Section
2/17/2015	1.2	C. Hinton	1) Update Member Server Section
4/01/2015	1.3	C. Hinton	1) Added User Account Control value 2) Re-numbered all sections
4/29/2015		C. Hinton	Confirmation of settings applied on live server from Anthony Phung, ISD – Mid-Range Computing.

1 – Purpose

2 – Overview

3 – Windows Server 2012 IT Security Policy Checklist – Member Server Policy

4 – Windows Server 2012 IT Security Policy Checklist – User Policy

5 – Windows Server 2012 IT Security Policy Checklist – DHCP Hardening

6 – Windows Server 2012 IT Security Policy Checklist – DNS Hardening

7 – Windows Server 2012 IT Security Policy Checklist – Web Services

Hardening

1 Purpose

The purpose of this document is to establish baseline security standards specific to host strengthening. These standards identify the baseline security settings when using Microsoft Windows Server 2012.

2 Overview

This document, with accompanying Windows Server 2012 Security Checklists, outlines the settings that are to be implemented to provide a baseline level of security for each server running Microsoft Windows Server 2012 either stand alone or as part of a Windows Active Directory/Domain Group Policy. Descriptions of the settings are found in the Microsoft Windows Server 2012 Security Guide, Version 3.0 and the Center for Internet Security’s Microsoft Windows Server 2012 R2 Benchmark v 1.1. The settings are divided into categories that correspond to the intended role of the Windows Server. The roles being configured are as follows:

Member Server Policy
User Policy
DHCP Services
DNS Services
Web Service

Microsoft recommends using a new core installation of the operating system to start your configuration work so that Server Manager optimally configures just the roles and features that you select. However, if you cannot perform a new installation, ensure to check the following common security configurations before you start a role-specific setup. This approach helps to minimize the possibility of settings from previous configurations interfering with the server's security settings for its new role. The settings in this standards document are grouped into two categories, “Mandatory” and “Recommended.” These categories are defined as follows:

Mandatory

– All Mandatory settings (in red) must be applied with no exception.

3 WINDOWS SERVER 2012 IT SECURITY POLICY CHECKLIST – MEMBER SERVER POLICY

This checklist notes the steps needed to secure servers running Windows Server 2012 through the use of Group Policies. The Microsoft Windows Server 2012 Security Guide Version 1.0 and the Center for Internet Security’s Microsoft Windows Server 2012 R2 Benchmark v 1.1 provides detailed explanation of these settings. Copies of this completed checklist may prove useful for long-term documentation of preventative measures.

Organization Name: Date: Contact Information:

	Computer Configuration (Enabled)	Mandatory	Recommended
3.0	Local Policies/Audit Policy
3.0.1	Audit account logon events – Success, Failure	X
3.0.2	Audit account management – Success, Failure	X
3.0.3	Audit logon events – Success, Failure	X
3.0.4	Audit policy change – Success	X
3.0.5	Audit system events – Success *and Failure	X
3.1	Local Policies/User Rights Assignment
3.1.1	Access credential manager as a trusted caller – No One*	X
3.1.2	Access this computer from the network – Administrators, Authenticated Users		X
3.1.3	Act as part of the operating system – No One*		X
3.1.4	Adjust memory quotas for a process – Administrators, Local Service, Network Service*		X
3.1.5	Allow log on locally – Administrators		X
3.1.6	Allow log on through Remote Desktop Services – Administrators, Remote Desktop Users*		X
3.1.7	Back up files and directories - Administrators		X
3.1.8	Change the system time – Administrators, Local Service*		X
3.1.9	Change the time zone – Administrators, Local Service*
3.1.10	Create a pagefile – Administrators*		X
3.1.11	Create a token object – No One*		X
3.1.12	Create global objects – Administrators, Local Service, Network Service, Service*		X
3.1.13	Create permanent shared objects – No One*		X
3.1.14	Create symbolic links – Administrators*		X
3.1.15	Debug programs – Administrators*		X
3.1.16	Deny access to this computer from the network – Guests	X
3.1.17	Deny log on as a batch job – Guests	X
3.1.18	Deny log on as a service – Guests	X
3.1.19	Deny log on locally – Guests*	X
3.1.20	Deny log on through Remote Desktop Services – Guests	X
3.1.21	Enable computer and user accounts to be trusted for delegation – No One*		X
3.1.22	Force shutdown from a remote system – Administrators*		X
3.1.23	Generate security audits – Local Service, Network Service*		X
3.1.24	Impersonate a client after authentication – Administrators, Local Service, Network Service, Service*		X
3.1.25	Increase scheduling priority – Administrators*		X
3.1.26	Load and unload device drivers – Administrators*		X
3.1.27	Lock pages in memory – No One*		X
3.1.28	Manage auditing and security log – Administrators*		X
3.1.29	Modify an object label – No One		X
3.1.30	Modify firmware environment values – Administrators*		X
3.1.31	Perform volume maintenance tasks – Administrators*		X
3.1.32	Profile single process – Administrators*	X
3.1.33	Profile system performance – Administrators, NT Service\WdiServiceHost*	X
3.1.34	Replace a process level token – Local Service, Network Service*		X
3.1.35	Restore files and directories – Administrators		X
3.1.36	Shutdown the system - Administrators	X
3.1.37	Take ownership of files or other objects – Administrators*		X
3.2	Local Policies/Security Options
3.2.1	Accounts
3.2.1.1	Block Microsoft accounts - Users can’t add or log on with Microsoft accounts		X
3.2.1.2	Guests account status – Disabled*	X
3.2.1.3	Limit local account use of blank passwords to console logon only – Enabled*	X
3.2.1.4	Rename administrator account	X
3.2.1.5	Rename Guest account		X
3.2.2	Audit
3.2.2.1	Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings - Enabled		X
3.2.2.2	Shut down system immediately if unable to log security audits – Disabled*		X
3.2.3	Devices
3.2.3.1	Allowed to format and eject removable media – Administrators*		X
3.2.3.2	Prevent users from installing printer drivers – Enabled*	X
3.2.4	Domain Member
3.2.4.1	Digitally encrypt or sign secure channel data (always) – Enabled*		X
3.2.4.2	Digitally encrypt secure channel data (when possible) – Enabled*		X
3.2.4.3	Digitally sign secure channel data (when possible) – Enabled*		X
3.2.4.4	Disable machine account password changes – Disabled*	X
3.2.4.5	Maximum machine account password age – 30 days or fewer	X
3.2.4.6	Require h4 (Windows 2000 or later) session key – Enabled	X
3.2.5	Interactive Logon
3.2.5.1	Do not display last user name – Enabled	X
3.2.5.2	Do not require CTRL+ALT+DEL – Disabled*	X
3.2.5.3	Machine inactivity limit – 300 to 600 seconds	X
3.2.5.4	Message text for users attempting to log on –		X
	This computer system, including all related equipment, networks, and networked devices, are the property of Los Angeles County. This computer system is intended for authorized use only, and is being monitored for all lawful purposes. All information received, sent or stored on Los Angeles County computer systems may be, examined, recorded, copied, and used for authorized purposes. Evidence of illegal or unauthorized use may be used for criminal, administrative, or other adverse action. Unauthorized users are subject to prosecution. Click OK if you agree to the above terms.
3.2.5.5	Message title for users attempting to log on – Not Defined		X
3.2.5.6	Number of previous logons to cache (in case domain controller is not available) – 4 logon or fewer	X
3.2.5.7	Prompt user to change password before expiration – 14 days*	X
3.2.5.8	Smart card removal behavior – Lock Workstation		X
3.2.6	Microsoft Network Client
3.2.6.1	Digitally sign communications (always) – Enabled		X
3.2.6.2	Digitally sign communications (if server agrees) – Enabled*		X
3.2.6.3	Send unencrypted password to third-party SMB servers – Disabled*	X
3.2.7	Microsoft Network Server
3.2.7.1	Amount of idle time required before suspending session – 15 minutes*		X
3.2.7.2	Digitally sign communications (always) – Enabled		X
3.2.7.3	Digitally sign communications (if client agrees) – Enabled		X
3.2.7.4	Disconnect clients when logon hours expire - Enabled*		X
3.2.7.5	Server SPN target name validation level – Accept if provided by client		X
3.2.8	Network Access
3.2.8.1	Allow anonymous SID/Name translation – Disabled*	X
3.2.8.2	Do not allow anonymous enumeration of SAM accounts – Enabled*	X
3.2.8.3	Do not allow anonymous enumeration of SAM accounts and shares – Enabled	X
3.2.8.4	Let Everyone permissions apply to anonymous users – Disabled*	X
3.2.8.5	Named Pipes that can be accessed anonymously – None*
3.2.8.6	Remotely accessible registry paths - * System\CurrentControlSet\Control\ProductOptions Systems\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion		X
3.2.8.7	Remotely accessible registry paths and sub-paths – * System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog.		X
3.2.8.8	Restrict anonymous access to Named Pipes and Shares – Enabled*	X
3.2.8.9	Shares that can be accessed anonymously – None*	X
3.2.8.10	Sharing and security model for local accounts – Classic – local users authenticate as themselves*		X
3.2.9	Network Security
3.2.9.1	Allow Local System to use computer identity for NTLM - Enabled		X
3.2.9.2	Allow LocalSystem NULL session fallback - Disabled		X
3.2.9.3	Allow PKU2U authentication requests to this computer to use online identities – Disabled*	X
3.2.9.4	Configure encryption types allowed for Kerberos – RC4\AES128\AES256\Future types		X
3.2.9.5	Do not store LAN Manager hash value on next password change – Enabled*	X
3.2.9.6	Force logoff when logon hours expire - Enabled		X
3.2.9.7	LAN Manager authentication level – Send NTLMv2 response only. Refuse LM & NTLM	X
3.2.9.8	LDAP client signing requirements – Negotiate signing*		X
3.2.9.9	Minimum session security for NTLM SSP based (including secure RPC) clients – Require NTLMv2 session security Require 128-bit encryption	X
3.2.9.10	Minimum session security for NTLM SSP based (including secure RPC) servers – Require NTLMv2 session security Require 128-bit encryption	X
3.2.10	Recovery Console
3.2.10.1	Allow automatic administrative logon – Disabled*	X
3.2.10.2	Allow floppy copy and access to all drives and all folders – Disabled*		X
3.2.11	Shutdown
3.2.11.1	Allow system to be shut down without having to log on – Disabled*	X
3.2.12	Cryptography
3.2.12.1	Use FIPS compliant algorithms for encryption, hashing, and signing - Disabled		X
3.2.13	System Objects
3.2.13.1	Require case insensitivity for non-Windows subsystems – Enabled*		X
3.2.13.2	Strengthen default permissions of internal system objects (e.g., Symbolic Links) – Enabled*		X
3.2.14	System Settings
3.2.14.1	Optional subsystems – None		X
3.2.14.2	Use Certificate Rules on Windows Executables for Software Restriction Policies – Enabled		X
3.2.15	User Account Control
3.2.15.1	Admin Approval Mode for the Built-in Administrator account - Enabled		X
3.2.15.2	Allow UIAccess application to prompt for elevation without using the secure desktop – Disabled*		X
3.2.15.3	Behavior of the elevation prompt for administrators in Admin Approval Mode – Prompt for consent on the secure desktop		X
3.2.15.4	Behavior of the elevation prompt for standard users – Automatically deny elevation requests		X
3.2.15.5	Detect application installation and prompt for elevation – Enabled*		X
3.2.15.6	Only elevate UIAccess applications that are installed in secure locations – Enabled*		X
3.2.15.7	Run all administrators in Admin Approval Mode – Enabled*		X
3.2.15.8	Switch to the secure desktop when prompting for elevation – Enabled*		X
3.2.15.9	Virtualize file and registry write failures to per-user locations – Enabled*		X
3.2.16	Event Log
3.2.16.1	Maximum application log size – 32,768 KB		X
3.2.16.2	Maximum security log size –196,608 KB		X
3.2.16.3	Maximum system log size –32,768 KB		X
3.2.16.4	Retention method for application log – As needed		X
3.2.16.5	Retention method for security log – As needed		X
3.2.16.6	Retention method for system log – As needed		X
3.17	Registry
	MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
3.17.1	Permissions
3.17.1.1	Deny – BUILTIN\Users – Full control – This key and subkeys	X
3.17.1.2	Allow – CREATOR OWNER – Full control – Subkeys only		X
3.17.1.3	Allow – NT AUTHORITY\SYSTEM – Full control – This key and subkeys		X
3.17.1.4	Allow – BUILTIN\Administrators – Full control – This key and subkeys		X
4.4	Administrative Templates
4.4.1	Systems/Internet Communication Management/Internet Communication Settings
4.4.1.1	Turn off the Windows Messenger Customer Experience Improvement Program - Enabled		X
4.4.4	Windows Components/Terminal Services/Remote Desktop Connection Client
4.4.4.1	Do not allow passwords to be saved - Enabled	X
4.5	User Configuration (Disabled)
	Policies
	Administrative Templates
	Policy definitions (ADMX files) retrieved from the local machine
4.5.1	Windows Components/Attachment Manager
4.5.1.1	Notify antivirus programs when opening attachments - Enabled	X
Document reviewed and approved by responsible Department manager: Signature: Date:

4 WINDOWS SERVER 2012 IT SECURITY POLICY CHECKLIST – USER POLICY

This checklist notes the additional steps needed to secure servers running Windows Server 2012 through the use of Group Policies. The Windows Server 2012 Security Guide provides detailed explanation of these settings. Your Domain Controller should follow the checklist below in addition to or instead of Member Server Policies. Copies of this completed checklist may prove useful for long-term documentation of preventative measures.

Organization Name: Date: Contact Information:

4.0	General	Mandatory	Recommended
4.1	Delegation
	These groups and users have the specified permission for this GPO
4.1.1	Domain Admins – Edit settings, delete, modify security – Not inherited		X
4.1.2	\Enterprise Admins – Edit settings, delete, modify security – Not inherited		X
4.1.3	NT AUTHORITY\Authenticated Users – Read (from Security Filtering) – Not inherited		X
4.1.4	NT AUTHORITY\ENTERPRISE DOMAIN Controllers – Read – Not inherited		X
4.1.5	NT AUTHORITY\SYSTEM – Edit settings, delete, modify security – Not inherited		X
4.2	Computer Configuration (Disabled)
4.3	User Configuration (Enabled)
4.3.1	Windows Settings/Internet Explorer Maintenance/URLs
4.3.1.1	Home page URL – Department discretion		X
4.3.1.2	Search bar URL – Not configured		X
4.3.1.3	Online Support page URL – Not configured		X
Document reviewed and approved by responsible Department manager: Signature: Date:

5 WINDOWS SERVER 2012 IT SECURITY POLICY CHECKLIST – DHCP Hardening

This checklist notes the steps needed to secure servers running Windows Server 2012 through the use of Group Policies. The Windows Server 2012 Security Guide provides detailed explanation of these settings. Copies of this completed checklist may prove useful for long-term documentation of preventative measures. This checklist does not represent a complete solution, and should not be taken as such.

Organization Name: Date: Contact Information:

5.0	General	Mandatory	Recommended
5.0.1	Dedicate a computer to running the DHCP Server role.		X
5.0.2	Deploy a Server Core installation of Windows Server 2012.		X
5.0.3	Use DHCPv6 functionality		X
5.0.4	Eliminate computers running rogue DHCP services.		X
5.0.5	Add DHCP reservation and exclusion ranges for IP Addresses	X
5.0.6	Use NAP to enforce Computer Configuration Health		X
5.0.7	Restrict DHCP security group membership	X
5.0.8	Configure DNS record ownership to help prevent stale DNS records		X
5.0.9	Relevant Group Policy Settings
5.0.10	DHCP Administrators – Domain Admins	X
5.0.11	DHCP Users – Not created		X
Document reviewed and approved by responsible Department manager: Signature: Date:

6 WINDOWS SERVER 2012 IT SECURITY POLICY CHECKLIST – DNS Hardening

This checklist notes the steps needed to secure servers running Windows Server 2012 through the use of Group Policies. The Windows Server 2012 Security Guide provides detailed explanation of these settings. Copies of this completed checklist may prove useful for long-term documentation of preventative measures. This checklist does not represent a complete solution, and should not be taken as such.

Organization Name: Date: Contact Information:

6.0	General	Mandatory	Recommended
6.0.1	Deploy a Server Core installation of Windows Server 2012		X
6.0.2	Protect DNS zones in unsecured locations by using read-only domain controllers (RODCs).		X
6.0.3	Combine the DNS and AD DS server roles on the same server		X
6.0.4	Configure zones to use secure dynamic updates		X
6.0.5	Restrict zone transfers to specific server computers running DNS.	X
6.0.6	Deploy separate server computers for internal and external DNS resolution.		X
6.0.7	Configure the firewall to protect the internal DNS namespace		X
6.0.8	Enable recursion to only the appropriate DNS servers.		X
6.0.9	Configure DNS to ignore non-authoritative resource records.		X
6.0.10	Configure root hints for the internal DNS namespace.		X
Document reviewed and approved by responsible Department manager: Signature: Date:

7 WINDOWS SERVER 2012 IT SECURITY POLICY CHECKLIST – Web Services Hardening

This checklist notes the steps needed to secure servers running Windows Server 2012 through the use of Group Policies. The Windows Server 2012 Security Guide provides detailed explanation of these settings. Copies of this completed checklist may prove useful for long-term documentation of preventative measures. This checklist does not represent a complete solution, and should not be taken as such. Organization Name: Date: Contact Information:

7.0	General	Mandatory	Recommended
7.0.1	Deploy a Server Core installation of Windows Server 2012		X
7.0.2	Install the application development environment		X
7.0.3	Set the authentication mechanism		X
7.0.4	Remove unused IIS components	X
7.0.5	Configure a unique binding		X
7.0.6	Move Root Directories to a separate data partition	X
7.0.7	Configuring user account permissions	X
7.0.8	Enable Secure Sockets Layers (SSL)		X
7.0.9	Consider additional specialized security configuration measures
7.0.10	Access control list hardening by specifying particular users in the ACL for content directory instead of allowing all domain users access to the site.		X
7.0.11	Limit access to the Web site by using the built-in IIS7 URL Authorization feature		X
7.0.12	Restrict the IP Addresses of the client browsers you allow to connect to the Web server using the IPv4 Restriction Lists feature.		X
7.0.13	Control many HTTP features, such as HTTP verbs, HTTP headers and URL size using the Request Filtering feature.		X

Document reviewed and approved by responsible Department manager: Signature: Date:

Windows Server Hardening

Virtual Galaxy Info Tech Pvt Ltd Checklist

Step	√	To Do	MFD	UT Note	Cat I	Cat II/III	Min Std
		Preparation and Installation
1		If machine is a new install, protect it from hostile network traffic, until the operating system is installed and hardened.		§	!	!	4.5.1
2		Consider using the Security Configuration Wizard to assist in hardening the host.		§
		Service Packs and Hotfixes
3		Install the latest service packs and hotfixes from Microsoft.		§	!	!	4.5.2
4		Enable automatic notification of patch availability.		§	!	!	4.5.5
		User Account Policies
5		Set minimum password length.	1.1.4	§	!	!
6		Enable password complexity requirements.	1.1.5	§	!
7		Do not store passwords using reversible encryption. (Default)	1.1.6	§	!	!
8		Configure account lockout policy.	1.2	§	!	!
		User Rights Assignment
9		Restrict the ability to access this computer from the network to Administrators and Authenticated Users.	2.2.2
10		Do not grant any users the 'act as part of the operating system' right. (Default)	2.2.3		!	!
11		Restrict local logon access to Administrators.	2.2.6	§
12		Deny guest accounts the ability to logon as a service, a batch job, locally, or via RDP.	2.2.18-21		!
		Security Settings
13		Place the University warning banner in the Message Text for users attempting to log on.	2.3.7.4	§	!	!	4.5.10
14		Disallow users from creating and logging in with Microsoft accounts.	2.3.1.1	§	!	!
15		Disable the guest account. (Default)	2.3.1.2		!	!
16		Require Ctrl+Alt+Del for interactive logins. (Default)	2.3.7.2		!	!
17		Configure machine inactivity limit to protect idle interactive sessions.	2.3.7.3		!	!
18		Configure Microsoft Network Client to always digitally sign communications.	2.3.8.1		!
19		Configure Microsoft Network Client to digitally sign communications if server agrees. (Default)	2.3.8.2		!	!
20		Disable the sending of unencrypted passwords to third party SMB servers.	2.3.8.3		!	!	4.5.6
21		Configure Microsoft Network Server to always digitally sign communications.	2.3.9.2		!
22		Configure Microsoft Network Server to digitally sign communications if client agrees.	2.3.9.3		!
		Network Access Controls
23		Disable anonymous SID/Name translation. (Default)	2.3.11.1		!	!
24		Do not allow anonymous enumeration of SAM accounts. (Default)	2.3.11.2		!	!	4.5.5
25		Do not allow anonymous enumeration of SAM accounts and shares.	2.3.11.3		!		4.5.5
26		Do not allow everyone permissions to apply to anonymous users. (Default)	2.3.11.4		!	!	4.5.12
27		Do not allow any named pipes to be accessed anonymously.	2.3.11.5		!		4.5.12
28		Restrict anonymous access to named pipes and shares. (Default)	2.3.11.8		!	!	4.5.12
29		Do not allow any shares to be accessed anonymously.	2.3.11.9		!
30		Require the "Classic" sharing and security model for local accounts. (Default)	2.3.11.10		!	!	4.5.12
		Network Security Settings
31		Allow Local System to use computer identity for NTLM.	2.3.12.1
32		Disable Local System NULL session fall-back.	2.3.12.2
33		Configure allowable encryption types for Kerberos.	2.3.12.4
34		Do not store LAN Manager hash values.	2.3.12.5		!	!	4.5.13
35		Set LAN Manager authentication level to only allow NTLMv2 and refuse LM and NTLM.	2.3.12.7		!		4.5.13
36		Enable the Windows Firewall in all profiles (domain, private, public). (Default)	9.{{1-3}}.1		!	!	4.5.5
37		Configure the Windows Firewall in all profiles to block inbound traffic by default. (Default)	9.{{1-3}}.2		!	!
		Active Directory Domain Member Security Settings
38		Digitally encrypt or sign secure channel data (always). (Default)	2.3.6.1		!		4.5.6
39		Digitally encrypt secure channel data (when possible). (Default)	2.3.6.2		!	!	4.5.6
40		Digitally sign secure channel data (when possible). (Default)	2.3.6.3		!	!	4.5.6
41		Require h4 (Windows 2000 or later) session keys.	2.3.6.6		!
42		Configure the number of previous logons to cache.	2.3.7.6	§
		Audit Policy Settings
43		Configure Account Logon audit policy.	17.1	§	!
44		Configure Account Management audit policy.	17.2	§	!	!
45		Configure Logon/Logoff audit policy.	17.5	§	!	!
46		Configure Policy Change audit policy.	17.7	§	!	!
47		Configure Privilege Use audit policy.	17.8	§	!
		Event Log Settings
48		Configure Event Log retention method and size.	18.7.19	§	!	!	4.6.1
49		Configure log shipping (e.g. to Spunk).		§
		Additional Security Protection
50		Disable or uninstall unused services.			!
51		Disable or delete unused users.			!
52		Configure user rights to be as secure as possible.		§	!
53		Ensure all volumes are using the NTFS file system.		§	!
54		Configure file system permissions.		§	!
55		Configure registry permissions.		§	!
56		Disallow remote registry access if not required.	2.3.11.6	§
		Additional Steps
57		Set the system date/time and configure it to synchronize against campus time servers.		§	!
58		Install and enable anti-virus software.		§	!	!
59		Install and enable anti-spyware software.		§	!
60		Configure anti-virus software to update daily.		§	!	!
61		Configure anti-spyware software to update daily.		§	!
62		Provide secure storage for Confidential (category-I) Data as required. Security can be provided by means such as, but not limited to, encryption, access controls, file system audits, physically securing the storage media, or any combination thereof as deemed appropriate.		§	!
63		Install software to check the integrity of critical operating system files.		§	!
64		If RDP is utilized, set RDP connection encryption level to high. Make sure to restrict RDP access to local VPN group and local campus management subnets. Do not allow RDP to be available to the Internet at large.		§	!
		Physical Security
65		Set a BIOS/firmware password to prevent alterations in system start up settings.					4.4.1
66		Disable automatic administrative logon to recovery console.	2.3.13.1		!
67		Do not allow the system to be shut down without having to log on. (Default)	2.3.14.1		!	!
68		Configure the device boot order to prevent unauthorized booting from alternate media.			!		4.4.1
69		Configure a screen-saver to lock the console's screen automatically if the host is left unattended.		§	!	!

UT NOTE: ADDENDUM

This list provides specific tasks related to the computing environment at The University of Texas at Austin.

UT Note: Addendum
1	If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall in between the network and the host to be protected.
2	The Security Configuration Wizard can greatly simplify the hardening of the server. Once the role for the host is defined, the Security Configuration Wizard can help create a system configuration based specifically on that role. It does not completely get rid of the need to make other configuration changes, though. More information is available at: Security Configuration Wizard.
3	There are several methods available to assist you in applying patches in a timely fashion: Microsoft Update Service Microsoft Update checks your machine to identify missing patches and allows you to download and install them. This is different than the "Windows Update" that is the default on Windows. Microsoft Update includes updates for many more Microsoft products, such as Office and Forefront Client Security. This service is compatible with Internet Explorer only. Windows AutoUpdate via WSUS ITS offers a Windows Server Update Services Server for campus use using Microsoft's own update servers. It includes updates for additional Microsoft products, just like Microsoft Update, and provides additional administrative control for software deployment. Microsoft Baseline Security Analyzer This is a free host-based application that is available to download from Microsoft. In addition to detailing missing patches, this tool also performs checks on basic security settings and provides information on remediating any issues found.
4	Configure Automatic Updates from the Automatic Updates control panel On most servers, you should choose either "Download updates for me, but let me choose when to install them," or "Notify me but don't automatically download or install them." The campus Windows Server Update Services server can be used as the source of automatic updates.
5	Configuring the minimum password length settings is important only if another method of ensuring compliance with university password standards is not in place. The Information Resources Use and Security Policy requires passwords be a minimum of 8 characters in length. It is h4ly recommended that passwords be at least 14 characters in length (which is also the recommendation of CIS). Longer passwords (e.g., more than 20 characters) offer much more protection (entropy) in the event a password hash is obtained and an attacker is attempting to crack it.
6	Configuring the password complexity setting is important only if another method of ensuring compliance with university password standards is not in place. The Information Resources Use and Security Policy requires that passwords contain letters, numbers, and special characters.
7	If this option is enabled, the system will store passwords using a weak form of encryption that is susceptible to compromise. This configuration is disabled by default.
8	Instead of the CIS recommended values, the account lockout policy should be configured as follows: Account lockout duration — 5 minutes Account lockout threshold — 5 failed attempts Reset account lockout counter — 5 minutes
11	Any account with this role is permitted to log in to the console. By default, this includes users in the Administrators, Users, and Backup Operators groups. It's unlikely that non-administrative users require this level of access and, in cases where the server is not physically secured, granting this right may facilitate a compromise of the device.
13	The text of the university's official warning banner can be found on the ISO's web site. You may add localized information to the banner as long as the university banner is included.
14	The use of Microsoft accounts can be blocked by configuring the group policy object at: Computer Configuration\Windows Settings\Security Settings\Local Policies\ Security Options\Accounts: Block Microsoft accounts This setting can be verified by auditing the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser
42	Logon information for domain accounts can be cached locally to allow users who have previously authenticated to do so again even if a domain controller cannot be contacted. By default 10 accounts will be cached locally, but there is a risk that in the event of a compromise an attacker could locate the cached credentials and use a brute force attack to discover the passwords. Therefore, it is recommended that this value be reduced so that fewer credentials will be placed at risk, and credentials will be cached for shorter periods of time in the case of devices that are logged into frequently by multiple users. The group policy object below should be set to 4 or fewer logins: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)
43	The Account Logon audit policy logs the results of validation tests of credentials submitted for user account logon requests. The server that is authoritative for the credentials must have this audit policy enabled. For domain member machines, this policy will only log events for local user accounts. Configure the group policy object below to match the listed audit settings: Computer Configuration\Windows Settings\Security Settings\ Advanced Audit Policy Configuration\Audit Policies\Account Logon\ Credential Validation — Success and Failure
44	Configure the group policy object below to match the listed audit settings: Computer Configuration\Windows Settings\Security Settings\ Advanced Audit Policy Configuration\Audit Policies\Account Management\ Computer Account Management — Success and Failure Other Account Management Events — Success and Failures Security Group Management — Success and Failure User Account Management — Success and Failure
45	Configure the group policy object below to match the listed audit settings: Computer Configuration\Windows Settings\Security Settings\ Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\ Account Lockout — Success Logoff — Success Logon — Success and Failure Other Logon/Logoff Events — Success and Failure Special Logon — Success
46	Configure the group policy object below to match the listed audit settings: Computer Configuration\Windows Settings\Security Settings\ Advanced Audit Policy Configuration\Audit Policies\Policy Change\ Audit Policy Change — Success and Failure Authentication Policy Change — Success
47	Configure the group policy object below to match the listed audit settings: Computer Configuration\Windows Settings\Security Settings\ Advanced Audit Policy Configuration\Audit Policies\Privilege Use\ · Sensitive Privilege Use — Success and Failure
48	The university requires the following event log settings instead of those recommended by the CIS Benchmark: Application: Maximum log size — 32,768 KB Security: Maximum log size — 196,608 KB Setup: Maximum log size — 32,768 KB System: Maximum log size — 32,768 KB The recommended retention method for all logs is: Overwrite events older than 14 days These are minimum requirements. The most important log here is the security log. 100 MB is a suggested minimum, but if you have a high-volume service, make the file as large as necessary to make sure at least 14 days of security logs are available. You may increase the number of days that you keep, or you may set the log files to not overwrite events. Note that if the event log reaches its maximum size and no events older than the number of days you specified exist to be deleted, or if you have disabled overwriting of events, no new events will be logged. This may happen deliberately as an attempt by an attacker to cover his tracks. For critical services working with Cat 1 or other sensitive data, you should use Syslog, Splunk, Intrust, or a similar service to ship logs to another device. Another option is to configure Windows to rotate event log files automatically when an event log reaches its maximum size as described in the article http://support.microsoft.com/kb/312571 using the AutoBackupLogFiles registry entry.
49	It is highly recommended that logs are shipped from any Category I devices to a service like Splunk, which provides log aggregation, processing, and real-time monitoring of events among many other things. This helps to ensure that logs are preserved and unaltered in the event of a compromise, in addition to allowing proactive log analysis of multiple devices. The ISO maintains a centrally-managed Splunk service that may be leveraged. Please see the on-boarding form for more details.
52	Configure user rights to be as secure as possible, following the recommendations in section 2.2 of the CIS benchmark. Every attempt should be made to remove Guest, Everyone, and ANONYMOUS LOGON from the user rights lists.
53	Volumes formatted as FAT or FAT32 can be converted to NTFS, by using the convert.exe utility provided by Microsoft. Microsoft has provided instructions on how to perform the conversion. Windows servers used with Category I data must use the NTFS file system for all partitions where Category I data is to be stored.
54	Be extremely careful, as setting incorrect permissions on system files and folders can render a system unusable.
55	Be extremely careful, as setting incorrect permissions on registry entries can render a system unusable.
56	Some remote administration tools, such as Microsoft Systems Management Server, require remote registry access to managed devices. Disabling remote registry access may cause such services to fail. If remote registry access is not required, it is recommended that the remote registry service be stopped and disabled. If remote registry access is required, the remotely accessible registry paths should still be configured to be as restrictive as possible. The group policy object below controls which registry paths are available remotely: Computer Configuration\Windows Settings\Security Settings\Local Policies\ Security Options\Network access: Remotely accessible registry paths This object should be set to allow access only to: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion Further restrictions on the registry paths and subpaths that are remotely accessible can be configured with the group policy object: Computer Configuration\Windows Settings\Security Settings\Local Policies\ Security Options\Network access: Remotely accessible registry paths and sub-paths
57	By default, domain members synchronize their time with domain controllers using Microsoft's Windows Time Service. The domain controller should be configured to synchronize its time with an external time source, such as the university's network time servers. ITS Networking operates two stratum 2 NTPv4 (NTP version 4) servers for network time synchronization services for university network administrators.
58	ISO provides Cisco AMP, a managed, cloud-based malware protection service, free of charge for all university-owned devices. More information about obtaining and using AMP is at https://security.utexas.edu/education-outreach/anti-virus.
59	Anti-spyware software is only required to be installed if the server is used to browse Web sites not specifically related to the administration of the server, which is not recommended. At a minimum, SpyBot Search and Destroy should be installed. Consider installing a secondary anti-spyware application, such as SpyWare Blaster, EMS Free Surfer, or AdAware. An additional measure that can be taken is to install Firefox with the NoScript and uBlock add-ons.
60	Cisco AMP is the recommended anti-virus solution. Microsoft Forefront may also be used, and can be configured directly or through the use of GPOs, which can simplify the management of multiple servers.
61	Spyware Blaster - Enabling auto-update functionality requires the purchase of an additional subscription. SpyBot Search and Destroy - Automatic update tasks can be created inside the program itself and are scheduled using the Windows Task Scheduler. 1. In the Spybot Application, click on Mode --> Advanced View. 2. Click Settings on the left hand side of the window. 3. You should now see an option labeled "Scheduler." Select that option. 4. Adding the task to update automatically is relatively straightforward. o Click Add to create a task. o Click Edit to edit the task schedule. o In the Scheduled Task window that pops up, enter the following In the Run field: § C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /AUTOUPDATE /TASKBARHIDE /AUTOCLOSE o Click the Schedule tab and choose a time for it to update. The duration of the update is very brief, but it is processor intensive, so consider scheduling it to occur during periods of low usage. The task should be scheduled daily.
62	Windows provides the Encrypting File System as a built-in mechanism to allow the encryption of individual users' files and folders. Be aware of the caveats involved in the use of EFS before implementing it for general use, though. Other options such as PGP and GNUPG also exist. Another encryption option to consider is whole-disk encryption, which encrypts the entire contents of the drive instead of just specific files and folders. Windows comes with BitLocker for this. If encryption is being used in conjunction with Category I data, one of the solutions listed in the Approved Encryption Methods (EID required) must be implemented.
63	Windows has a feature called Windows Resource Protection which automatically checks certain key files and replaces them if they become corrupted. It is enabled by default. You can audit in much more in depth using Tripwire. Modern versions of Tripwire require the purchase of licenses in order to use it. The Tripwire management console can be very helpful for managing more complex installations.
64	This setting is configured by group policy object at: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security This policy object should be configured as below: Set client connection encryption level — High Require use of specific security layer for remote (RDP) connections — SSL (TLS 1.0) Require user authentication for remote connections by using Network Level Authentication — Enabled
69	1. Open the Display Properties control panel. 2. Select the Screen Saver tab. 3. Select a screen saver from the list. Although there are several available, consider using a simple one such as "Blank." 4. The value for Wait should be no more than 15 minutes. 5. Select the On resume, password protect option.

Data Security Policy

Introduction

With each new piece of technology comes new potential for data security breach. The dangers inherent in using a smartphone or tablet are quite different from those associated with a laptop. Even the convenience of wireless internet has more opportunities for attack than traditional hard-wired systems. While most security measures focus on external threats from hackers and malicious downloads, internal threats account for twice as much monetary loss as external threats. An internal threat could be the deletion or dissemination of computer files related to a client’s case. One employee could also share their password with another, granting someone access beyond the scope of their position. To prevent the intentional or unintentional problems created by employee use of software and equipment, developing a thorough data securities policy is more important than ever. This policy should provide employees with information regarding the acceptable use of mobile technology as well as password security and wireless access policies to protect confidential data.

While most security measures focus on external threats from hackers and malicious downloads, internal threats account for twice as much monetary loss as external threats.

Elements of a data security policy

A law firm depends on protecting confidential client information. Most of this information is available in electronic format for accessibility in and out of the office. Preventing client information from mysteriously growing legs or disappearing is crucial to a law firm’s well-being.

11 Office Computers and Server

There are some truths that should be self-evident but need to be spelled out in a written policy, because inevitably an employee will otherwise do the unthinkable. Some may ignore the Not Safe for Work (NSFW) tag and view pornography if they are ‘off the clock’ during a break or lunch hour, while others may decide to run a personal business or game server using the firm’s servers. Both of these activities expose the office to security risks. Some less obvious but equally risky behavior is the desire to download software from the internet onto company computers and/or servers. An employee could simply be looking for a tool to make them more efficient in their job. However, looking in the wrong place and downloading the wrong file could install malicious software onto your system. Perhaps the scariest danger is the easiest one to complete: deleting files. Deleting a file can sometimes be as simple as hitting the wrong key combination, resulting in a mad dash to the IT specialist with the order to “retrieve!” said file from the trash bin. On those occasions that the deletion wasn’t noticed right away, IT can spend a significant amount of time with the backup locating the document to hopefully restore it. To prevent these and other related computer and server nightmares, create an acceptable use policy as part of your data security package. Restrict who has the right to download executable files (programs) and who can modify items in certain folders. Firewalls, virus scan and anti- spam software should be installed, updated and the system regularly scanned. DATA-SECURITY TIPS Create an acceptable use policy as party of your data security package. Restrict who can download files. Make sure you have virus scan and anti-spam software installed.

Secure Backups

Is losing a day’s worth of work acceptable, let alone a week? Backing up the office servers every night and storing that data off-site can save a law firm. Disasters don’t wait for you to be prepared before they strike. Servers, like other computers, can die without warning. Having a full backup available allows you to upload your data onto a new server (after a new server is acquired and built) and continue working without having to reinvent lost work. It’s even better when you have a redundant system, and you can simply switch to your backup server and continue on as if nothing has happened. There are different varieties of backup systems available. Cloud backups remove the need for equipment but require extra vigilance regarding security when selecting a company. USB backups give the convenience of a portable backup, but proper security must be maintained since they are small and easily lost. Older tape backups require special equipment, someone diligently managing the process, and secure storage.

DATA SECURITY TOOLKIT

When planning your backup system, budget may be a factor in deciding which route you take. However, you have to pick a system you will use. Saving money isn’t a value if it’s tedious work that never actually gets done and you don’t have a current backup when you need it. Your backup policy should include determination for how long backup copies will be kept. Additional USB drives can be purchased to maintain offsite backups. If using the tape system, have a series of tapes that you rotate. Because tapes deteriorate, replace them on a regular basis to prevent problems. Keeping end of month or end of year backups offsite may be helpful as well.

Password Security

Recent headlines highlight the continued problem of creating simple passwords that are quickly hacked because they are easier to remember. If a site requires a complicated password, some people will write it down and attach the post-it note to their computer so they have easy access to it when they need it. Others save a document in the system with their list of passwords to various sites. Any of these methods are hazards that can provide unauthorized access to your system. To combat the dangers of password accessibility, provide minimum requirements of at least eight characters and combinations of the following: lowercase letters, uppercase letters, numbers, and special characters. Simple common words or the individual’s name and date of birth should be prohibited. Provide some examples of possible h4 passwords that would be easy to remember, such as word combinations (previous addresses: Main#202ParkDrive). Passwords should be scheduled to be changed on a regular basis, and passwords should not be able to be used over and over again in succession. In addition to making sure individual passwords are truly secure, be sure that the system passwords for wireless access and other equipment are also changed. These hidden passwords can open up the entire system to hackers even if you think you’ve created a secure system with layers of access.

internet use

Preventing employees from ever surfing to a non- work-related website can be cost prohibitive for small and medium sized firms. However, having a clear internet use policy can help limit the types of sites they visit. Streaming music and video use a lot of bandwidth, and downloaded files from file sharing sites can contain malware or expose the firm to liability if material was copyrighted. Some employees may be tempted to spend too much time on activities such as online shopping, social media or travel planning, Again, use the theory that if it isn’t forbidden, they will do it. Specifically list any types of sites that you do not want your employees visiting on your office computer. Security settings can be set to block porn sites, gambling sites, social media and even web- based email sites

DATA -SECURITY TIPS.

Make sure you have a clear internet use policy which can limit the types of sites your employees visit. Streaming music and video uses a lot of bandwidth and downloading files can expose you to malware or copyright issues.

Risk Management Practice Guide of Lawyers

The logic behind blocking personal, web-based email is prevention of employees from opening emails and visiting a nefarious site or opening an infected attachment, thereby compromising your system because their personal email was not as secure. Employees may inadvertently or maliciously transmit client confidential or law firm proprietary information using their personal webmail, circumventing other safeguards the firm has established concerning such information. Remind employees that, like email, browsing history is subject to being reviewed.

E-mail

Misuse of company email is one of the most common problems faced, and covers a large variety of actions. Sending a free “Happy Birthday!” card from a free website can introduce massive spamming into your system and bog down your server. Employees may use company e-mail for running a personal business with less thought than storing hard files on the computers or servers. A good Samaritan employee may send out emails to everyone in the firm regarding a fundraising event for a local charity, and follow up with four or five reminders. Personal use of the firm email system should be addressed to reduce the amount of server space such items consume. E-mail policies should also include limits on the size of attachments as appropriate. Consider this: an e-mail with a 10MB attachment is received and then forwarded to ten other employees. This attachment now consumes 120MB of server space as each individual copy of the e-mail is stored on the server, plus the copy in the sent folder. Depending on your e-mail client, a copy of the e-mail may also be stored on each and every computer. The above space consumption issue illustrates the reasoning behind another policy: e-mail retention policy. Case-related e-mails and attachments should be uploaded into a practice management system or database, protecting them from accidental deletion and making them accessible to all employees who may need the information. Storing emails that need to be saved outside of the e-mail system also prevents the dreaded moment when the recipient is out of the office and IT has to search their e-mail so another employee can access the information. An essential element of an e-mail policy is reminding employees that the office email system is firm property and not their personal account. As such, any office email account is subject to review. Remind employees that office e-mail is representative of the firm and should present a professional image.

Metadata

Perhaps the most overlooked data security danger is metadata contained in document editing programs. Both Microsoft Word and WordPerfect contain information regarding previous edits made to a document. This means that deleting confidential information from one client document to reuse for another could expose the former client’s information to the latter if the recipient knows where to look. These features can be turned off, preventing data from being stored in the first place. Files sent electronically should be scrubbed for metadata. Special programs can be purchased to ensure that this information is not forwarded along with your document and can be integrated into your email system. If you do not want the recipient to make changes to your document, send the document as a PDF. Sending as a PDF strips most of the metadata from a file, but a PDF contains some of its own. Be sure to adjust the security options as appropriate.

Remote access

Employees may need to access the firm’s system when they are out of the office occasionally. Prohibiting employees from using public computers or using wireless access in public places removes the exposure of client data from hackers because security settings in these circumstances are often lower than those created for the office. To make connecting to the office more secure, consider establishing a virtual private network (VPN). A VPN connects you to your office computer over the internet, alleviating the need to actually access files through a questionable internet connection. Communications sent through the VPN are encrypted, so any data intercepted would not be usable.

Smartphones, Tablets and Remote Storage Devices

The trickiest part of data security is protecting the mobile data that leaves the building. Smartphones and tablets all contain internet connections but often do not have all of their security measures activated as a firm laptop would provide. A USB drive often contains pure, unencrypted files available for anyone who plugs the drive into their computer; worse yet, it is small enough to easily lose. Any device used to access client data should have password protection requirements. Even a USB device can be purchased that requires password access. For smartphones and tablets, require passwords at start up and after a period of idle time. Also, develop a remote wipe program protocol should any device ever be lost or stolen. Any document downloaded and stored should be encrypted. When travelling, be careful not to leave your device in ‘airplane mode as this often disables the ability to enact a remote wipe program as it disconnects the device from data systems used to locate it. Upon return to the office, require that remote storage devices such as USB and flash drives be scanned by virus and malware scanners to prevent infection from any outside sources. Have protocols in place regarding the use of personal USB devices with office computers to avoid inadvertently infecting office computers with unprotected devices. Consider restricting access to USB ports to certain employees, or even disable ports to prevent misuse.

The trickiest part of data security is protecting the mobile data that leaves the building. Smartphones and tablets all contain internet connections but often do not have all of their security measures activated as a firm laptop would provide.

When an employee Leaves

Often the biggest threat to your data is within your own company. A disgruntled or exiting employee can easily delete files from your system or take files out of the office without notice. Locking down data from employees can be the hardest part of data security. When an employee leaves, immediately lock their computer, e-mail, remote access and any other access privilege to prevent them from accessing information. Create protocols within the firm for who may need to access an employee’s files. If the employee has any equipment, such as a laptop or USB drive, at home, verify that it is returned before they exit the premises on their final day. Visitors and Contractors From time to time, office visitors may need to use office computers or email. Any temporary account established should have a notice regarding expectation of privacy. Passcodes for these accounts should also expire immediately after use. This ensures someone temporarily allowed into your system won’t be able to access your confidential data later, when you’re not looking. System contractors obviously need access to keep everything up-to-date and running smoothly. However, they may not understand the importance of the confidentiality of the information they may access in the process of completing their work. A Vendor/ Contractor Confidentiality Agreement should be completed by all of those who will be accessing your system to ensure that confidentiality is maintained.

Security Audit

To ensure all facets of your system are properly secure, consider a third party security audit. A trained professional will see any holes in your protection that could leak confidential information. The auditor will be able to provide you with suggestions to improve your security to prevent data security breaches in the future. This may include the purchase of additional security software, or simply changing internet usage habits. The end result will be a safer practice.

Sample Policy Table of Contents

Overview

Purpose
Scope

Network/Server Security

Server Configuration Guidelines
Security-related Events
Router Security
Server Malware Protection
Backup Procedures

Workstation Security

Authorized Users
Safeguards
Software Installation
Malware Protection

Password Security

Requirements
Standards
Protective Measures
Passphrases

Acceptable Use

General Use and Ownership Security and Proprietary Information Unacceptable Use
Wireless

Encryption

Standards
Mobile Device Encryption

E-mail

Prohibited Use
Personal Use
E-mail Retention
Monitoring

Metadata

Definition.
Removing Metadata

Remote access

Persons Affected General Standards Requirements
Mobile Computing and Storage Devices
Virtual Private Network (VPN) Employee Termination Removing access
Returning mobile devices Visitor and Contractor Access Permission
Contractors Remote Access Enforcement

OVER VIEW

Purpose - <Firm Name> is entrusted with the responsibility to provide professional legal advice to clients who provide us with confidential information. Inherent in this responsibility is an obligation to provide appropriate protection against theft of data and malware threats, such as viruses and spyware applications. The purpose of this policy is to establish standards for the base configuration of equipment that is owned and/or operated by <Firm Name> or equipment that accesses <Firm Name>’s internal systems. Effective implementation of this policy will minimize unauthorized access to <Firm Name> proprietary information and technology and protect confidential client information.
Scope - This policy applies to equipment owned and/or operated by <Firm Name>, and to employees

connecting to any <Firm Name>-owned network domain. NETWORK/SERVER SECURITY

Server Configuration Guidelines
the most recent security patches must be installed on the system as soon as practical, the only exception

being when immediate application would interfere with business requirements.

Servers should be physically located in an access-controlled environment.

iii. Servers are specifically prohibited from being operated from uncontrolled cubicle areas.

Security-related Events - Security-related events will be reported to the It management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:
Port-scan attacks
Evidence of unauthorized access to privileged accounts

iii. Anomalous occurrences that are not related to specific applications on the host.

Router Security
the enable password on the router must be kept in a secure encrypted form. the router must have the

enable password set to the current production router password from the router’s support organization.

Disallow the following:
IP directed broadcasts
Incoming packets at the router sourced with invalid addresses such as RFC1918 address
TCP small services
UDP small services
All source routing
Web services running on router

iii. Access rules are to be added as business needs arise.

Each router must have the following statement posted in clear view: “Unauthorized ACCESS to THIS Network DEVICE IS Prohibited. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. there is no right to privacy on this device.”
Server Malware Protection
Anti-Virus - All servers MUST have an anti-virus application installed that offers real-time scanning protection to files and applications running on the target system if they meet one or more of the following conditions:
Non-administrative users have remote access capability
The system is a file server
Share access is open to this server from systems used by non-administrative users
HTTP/FTP access is open from the Internet

Other “risky” protocols/applications are available to this system from the Internet at the discretion of the <Firm Name> IT department.

Mail Server Anti-Virus - If the target system is a mail server it MUST have either an external or internal anti-virus scanning application that scans all mail destined to and from the mail server. Local anti-virus scanning applications MAY be disabled during backups if an external anti-virus application still scans inbound e-mails while the backup is being performed.

iii. Anti-Spyware - All servers MUST have an anti-spyware application installed that offers real-time protection to the target system if they meet one or more of the following conditions:

Any system where non-technical or non-administrative users have remote access to the system and ANY outbound access is permitted to the Internet
Any system where non-technical or non-administrative users have the ability to install software on their own
Notable Exceptions - Exceptions to above requirements may be deemed acceptable with proper documentation if one of the following notable conditions applies to this system:
the system is a SQL server
the system is used as a dedicated mail server
the system is not a Windows based platform
backup Procedures
Daily backups - backup software shall be scheduled to run nightly to capture all data from the previous day.
backup logs are to be reviewed to verify that the backup was successfully completed.
One responsible party should be available to supervise backups each day. If the designated backup specialist is not available, an alternative should be named to oversee the process.
Backup data storage shall not be on the <Firm Name>’s premises. In case of a disaster, backup tapes

should be available for retrieval and not subject to destruction. iii. Data on hard drives will be backed up daily, and mobile devices shall be brought in to be backed up on a weekly basis or as soon as practical if on an extended travel arrangement.

test restoration process regularly and create written instructions in the event It personnel are not available to restore data when needed.

III. work Station Security

Authorized Users - Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information is restricted to authorized users.
Safeguards - <Firm Name> will implement physical and technical safeguards for all workstations that access

electronic confidential information to restrict access to authorized users. Appropriate measures include:

Restricting physical access to workstations to only authorized personnel.
Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access.

iii. Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected.

Complying with all applicable password policies and procedures.
Ensuring workstations are used for authorized business purposes only vi. Never installing unauthorized software on workstations.

vii. Storing all confidential information on network servers. viii. Keeping food and drink away from workstations in order to avoid accidental spills.

Securing laptops that contain sensitive information by using cable locks or locking laptops up in drawers or cabinets.

Complying with the Portable Workstation Encryption policy.
Complying with the Anti-Virus policy.

xii. Ensuring that monitors are positioned away from public view. If necessary, install privacy screen filters or other physical barriers to public viewing. xiii. Ensuring workstations are left on but logged off in order to facilitate after-hours updates. Exit running applications and close open documents. xiv. Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup). xv. If wireless network access is used, ensure access is secure by following the Wireless Access policy.

Software Installation
Employees may not install software on <Firm Name’s> computing devices operated within the <Firm Name> network. Software requests must first be approved by the requester’s manager and then be made to the It department in writing or via e-mail. Software must be selected from an approved software list, maintained by the IT department, unless no selection on the list meets the requester’s need. The IT department will obtain and track the licenses, test new software for conflict and compatibility, and perform the installation.
This policy covers all computers, servers, and other computing devices operating within <Firm Name>’s

network.

Malware Protection
Anti-Virus - All <Firm Name> computers must have <Firm Name>’s standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into <Firm Name>’s networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited, in accordance with the Acceptable Use policy.

PASSWORD SECURITY
Requirements
All system-level passwords (Administrator, etc.) must be changed on a quarterly basis, at a minimum.
All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months.

iii. All user-level and system-level passwords must conform to the standards described below.

Standards - All users at <Firm Name> should be aware of how to select strong passwords. Strong passwords have the following characteristics:
Contain at least three of the five following character classes:
Lower case characters
Upper case characters
Numbers
Punctuation
“Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:”;’<>/ etc.)
Contain at least eight to fifteen alphanumeric characters.

iii. the password is NOT a word found in a dictionary (English or foreign).

the password is NOT a common usage word such as:
Computer terms and names, commands, sites, companies, hardware, software. Passwords should NEVER be “Password1” or any derivation.
the words “<Firm Name>”, “<City>”, or any derivation.
Names of family, pets, friends, co-workers, etc.

birthdays and other personal information such as addresses and phone numbers.
Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
Any of the above spelled backwards.
Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
try to create passwords that can be easily remembered. One way to do this is create a password based on

a song title, affirmation, or other phrase.

Protective Measures
Do not share <Firm Name> passwords with anyone, including administrative assistants or secretaries. All

passwords are to be treated as sensitive, confidential <Firm Name> information.

Passwords should never be written down or stored on-line without encryption.

iii. Do not reveal a password in email, chat, or other electronic communication.

Do not speak about a password in front of others.
Do not hint at the format of a password (e.g., “my family name”).
Do not reveal a password on questionnaires or security forms.

vii. If someone demands a password, refer them to this document and direct them to the It Department. viii. Always decline the use of the “Remember Password” feature of applications.

Passphrases - Access to the <Firm Name> Networks via remote access is to be controlled using either a one- time password authentication or a public/private key system with a strong passphrase.
A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase: “Joe&Me1Rbudz”
All of the rules above that apply to passwords apply to passphrases.

ACCEPTABLE USE

General Use and Ownership
While <Firm Name>’s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of <Firm Name>.
Any information that users consider sensitive or vulnerable be encrypted.

iii. For security and network maintenance purposes, authorized individuals within <Firm Name> may monitor equipment, systems and network traffic at any time.

Security and Proprietary Information
The user interface for information contained on <Firm Name>’s systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines. Employees should take all necessary steps to prevent unauthorized access to this information.
Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly, user level passwords should be changed every six months.

iii. All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off when unattended.

All PCs, laptops and workstations used by the employee that are connected to the <Firm Name> network, whether owned by the employee or <Firm Name>, shall be continually executing approved virus-scanning software with a current virus database unless overridden by departmental or group policy.
Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or trojan horse code.

Unacceptable Use

the following activities are, in general, prohibited. the lists below are by no means exhaustive, but

attempt to provide a framework for activities which fall into the category of unacceptable use.

Under no circumstances is an employee of <Firm Name> authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing <Firm Name>-owned resources.
Violations of the rights of any person or Firm protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by

<Firm Name>.

Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which <Firm Name> or the end user does not have an active license is strictly prohibited.
Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. the appropriate management should be consulted prior to export of any material that is in question.
Introduction of malicious programs into the network or server (e.g., viruses, worms, trojan horses, e-mail bombs, etc.).
Revealing your account password to others or allowing use of your account by others. this includes family and other household members when work is being done at home
Using a <Firm Name> computing asset to actively engage in procuring or transmitting material that

is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.

Making fraudulent offers of products, items, or services originating from any <Firm Name> account.
Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
Port scanning or security scanning is expressly prohibited unless prior notification to the IT

department is made.

Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.
Circumventing user authentication or security of any host, network or account
Interfering with or denying service to any user other than the employee’s host (for example, denial of

service attack)

Using any program/script/command, or sending messages of any kind, with the intent to interfere

with, or disable, a user’s terminal session, via any means, locally or via the Internet.

Providing information about, or lists of, <Firm Name> employees to parties outside <Firm Name>.
Wireless Access
<Firm Name> Device Requirements - All wireless devices that reside at a <Firm Name> site and

connect to a <Firm Name> network must:

be installed, supported, and maintained by the It department.
Use <Firm Name> approved authentication protocols and infrastructure.
Use <Firm Name> approved encryption protocols.
Maintain a hardware address (MAC address) that can be registered and tracked.

DATA SECURITY TOOLKIT Home Wireless Device Requirements

Wireless devices that provide direct access to the <Firm Name> corporate network, must conform to the security protocols as detailed for <Firm Name> wireless devices.
Wireless devices that fail to conform to security protocols must be installed in a manner that prohibits direct access to the <Firm Name> corporate network. Access to the <Firm Name> corporate network through this device must use standard remote access authentication.

ENCRYPTION
Standards - Proven, standard algorithms should be used as the basis for encryption technologies. these algorithms represent the actual cipher used for an approved application. Key lengths must be at least 128 bits.

<Firm Name>’s key length requirements will be reviewed annually and upgraded as technology allows.

Mobile Device Encryption
Scope - All mobile devices containing stored data owned by <Firm Name> must use an approved method of encryption to protect data at rest. Mobile devices are defined to include laptops, tablets, and smartphones.
Laptops - Laptops must employ full disk encryption with an approved software encryption package. No

<Firm Name> data may exist on a laptop in clear text. iii. tablet and smartphones - Any <Firm Name> data stored on a smartphone or tablet must be saved to an encrypted file system using <Firm Name>-approved software. <Firm Name> shall also employ remote wipe technology to remotely disable and delete any data stored on a <Firm Name> tablet or smartphone which is reported lost or stolen.

Keys - All keys used for encryption and decryption must meet complexity requirements described in

<Firm Name>’s Password Security policy. VII. E-MAIL

Prohibited Use - <FIRM NAME> e-mail system shall not to be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any e-mails with this content from any <FIRM NAME> employee should report the matter to their supervisor immediately. the following activities are strictly prohibited, with no exceptions:
Sending unsolicited e-mail messages, including the sending of “junk mail” or other advertising material to

individuals who did not specifically request such material (e-mail spam).

Any form of harassment via e-mail, telephone or paging, whether through language, frequency, or size of

messages. iii. Unauthorized use, or forging, of e-mail header information.

Solicitation of e-mail for any other e-mail address, other than that of the poster’s account, with the intent

to harass or to collect replies.

Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.

Use of unsolicited e-mail originating from within <Firm Name>’s networks of other Internet/Intranet/ Extranet service providers on behalf of, or to advertise, any service hosted by <Firm Name> or connected via <Firm Name>’s network.

vii. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

Personal Use - Using a reasonable amount of <FIRM NAME> resources for personal e-mails is acceptable, but non work related e-mail shall be saved in a separate folder from work related e-mail. Sending chain letters or joke e-mails from a <FIRM NAME> e-mail account is prohibited. Virus or other malware warnings and mass mailings

from <FIRM NAME> shall be approved by <FIRM NAME> It department before sending. these restrictions also apply to the forwarding of mail received by a <FIRM NAME> employee.

E-mail Retention
Administrative Correspondence - <Firm Name> Administrative Correspondence includes, though is not limited to clarification of established Firm policy, including holidays, time card information, dress code, work place behavior and any legal issues such as intellectual property violations. All e-mail with the information sensitivity label Management Only shall be treated as Administrative Correspondence.

<Firm Name> Administration is responsible for e-mail retention of Administrative Correspondence.

Fiscal Correspondence - <Firm Name> Fiscal Correspondence is all information related to revenue and expense for the Firm. <Firm Name> bookkeeper is responsible for all fiscal correspondence.

iii. General Correspondence - <Firm Name> General Correspondence covers information that relates to customer interaction and the operational decisions of the business. <Firm Name> is responsible for e-mail retention of General Correspondence.

Ephemeral Correspondence - <Firm Name> Ephemeral Correspondence is by far the largest category and includes personal e-mail, requests for recommendations or review, e-mail related to product development, updates and status reports.
Encrypted Communications - <Firm Name> encrypted communications should be stored in a manner that protects the confidentiality of the information, but in general, information should be stored in a decrypted format.
Recovering Deleted E-mail via backup Media - <Firm Name> maintains backups from the e-mail server and once a quarter a set of backups is taken out of the rotation and they are moved offsite. No effort will be made to remove e-mail from the offsite backups.
Monitoring - <FIRM NAME> employees shall have no expectation of privacy in anything they store, send or receive on the Firm’s e-mail system. <FIRM NAME> may monitor messages without prior notice. <FIRM NAME> is not obliged to monitor e-mail messages.

VIII. METADATA

Definition - When you create and edit your documents, information about you and the edits you make is automatically created and hidden within the document file. Metadata can often be sensitive or confidential information, and can be potentially damaging or embarrassing. On its Web site, Microsoft indicates that the following metadata may be stored in documents created in all versions of Word, Excel and PowerPoint:
your name and initials (or those of the person who created the file)
the name of your computer

iii. your firm or organization name

the name and type of the printer you printed the document on document revisions, including deleted text that is no longer visible on the screen vi. document versions

vii. information about any template used to create the file viii. hidden text ix. comments

Removing Metadata
Microsoft
Disable “allow fast saves” feature.
“Inspect Document” and remove flagged items. “Inspect Document” will vary depending on your

software version. In 2010, it is located under File->Info->Check For issues.

Third party software will help identify and clean metadata from your documents if it is necessary to send documents in native format. Verify appropriate software with the It department.
WordPerfect

Uncheck Save Undo/Redo items with document. It can allow you to view hundreds of past changes in terms of what text was cut, copied and even deleted from the document.
There is no software program that easily and automatically removes metadata from WordPerfect documents.

iii. Converting to PDF

Converting files to PDF format with Adobe Acrobat or other PDF creators will usually strip out most metadata.
In Acrobat, Select File, then Document Properties to view the summary metadata information within a PDF file. Add further restrictions on how the document can be accessed, used, copied and printed in the Security Options settings as needed.

REMOTE ACCESS
Persons Affected - <FIRM NAME> employees, consultants, vendors, contractors, students, and others who use mobile computing and storage devices on the network at the <FIRM NAME>.
General Standards - It is the responsibility of <Firm Name> employees, contractors, vendors and agents with remote access privileges to <Firm Name>’s corporate network to ensure that their remote access connection is given the same consideration as the user’s on-site connection to <Firm Name>.
Requirements
Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication or public/private keys with strong pass-phrases. For information on creating a strong pass- phrase see the Password policy.
At no time should any <Firm Name> employee provide their login or e-mail password to anyone, not even family members.

iii. <Firm Name> employees and contractors with remote access privileges must ensure that their <Firm Name>-owned or personal computer or workstation, which is remotely connected to <Firm Name>’s corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.

<Firm Name> employees and contractors with remote access privileges to <Firm Name>’s corporate network must not use non-<Firm Name> e-mail accounts (i.e., Hotmail, Yahoo, AOL), or other external resources to conduct <Firm Name> business, thereby ensuring that official business is never confused with personal business.

Routers configured for access to the <Firm Name> network must meet minimum authentication requirements .
Reconfiguration of a home user’s equipment for the purpose of split-tunneling or dual homing is not permitted at any time.

vii. Non-standard hardware configurations must be approved by the IT department, and <Firm Name> must approve security configurations for access to hardware. viii. All PCs, laptops and workstations that are connected to <Firm Name> internal networks via remote access technologies must use the most up-to-date anti-virus software (place URL to corporate software site here), this includes personal computers.

Personal equipment that is used to connect to <Firm Name>’s networks must meet the requirements of

<Firm Name>-owned equipment for remote access.

Individuals who wish to implement non-standard Remote Access solutions to the <Firm Name>

production network must obtain prior approval from the It department. d. Mobile Computing and Storage Devices.

Items covered - Mobile computing and storage devices include, but are not limited to: laptop computers,

plug-ins, Universal Serial bus (USB) port devices, Compact Discs (CDs), Digital Versatile Discs (DVDs), flash drives, smartphones, tablets, wireless networking cards, and any other existing or future mobile computing or storage device, either personally owned or <Firm Name> owned, that may connect to or access the information systems at the <FIRM NAME>.

Risks - Mobile computing and storage devices are easily lost or stolen, presenting a high risk for unauthorized access and introduction of malicious software to the network at the <FIRM NAME>. these risks must be mitigated to acceptable levels.

iii. Encryption - Portable computing devices and portable electronic storage media that contain confidential, personal, or sensitive <FIRM NAME> information must use encryption or equally strong measures to protect the data while it is being stored.

Database - Databases or portions thereof, which reside on the network at the <FIRM NAME>, shall not be downloaded to mobile computing or storage devices.
Minimum Requirements:
Report lost or stolen mobile computing and storage devices to the It department.
Non-departmental owned device that may connect to the <FIRM NAME> network must first be approved by the It department.
Compliance with the Remote Access policy is mandatory. e. Virtual Private Network (VPN)
Persons affected - this policy applies to all <Firm Name> employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties utilizing VPNs to access the <Firm Name> network.
Connectivity - Approved <Firm Name> employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a “user managed” service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees.

iii. Requirements

It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to <Firm Name> internal networks.
VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase.

When actively connected to the corporate network, VPNs will force all traffic to and from the PC

over the VPN tunnel: all other traffic will be dropped.

Dual (split) tunneling is NOT permitted; only one network connection is allowed.
VPN gateways will be set up and managed by <Firm Name>’s IT department.
All computers connected to <Firm Name> internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
VPN users will be automatically disconnected from <Firm Name>’s network after thirty minutes of inactivity. The user must then logon again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
the VPN concentrator is limited to an absolute connection time of 24 hours.
Users of computers that are not <Firm Name>-owned equipment must configure the equipment to comply with <Firm Name>’s VPN and Network policies.
Only <Firm Name>-approved VPN clients may be used.

11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of <Firm Name>’s network, and as such are subject to the same rules regulations that apply to <Firm Name>-owned equipment, i.e., their machines must be configured to comply with <Firm Name>’s Security Policies.

EMPLOYEE TERMINATION
Removing access - An employee’s credentials shall be inactivated immediately upon termination of

employment. this includes, but is not limited to the following:

<Firm Name’s> database
Workstation access iii. E-mail access
Remote access to <Firm Name>’s network
VPN client access
Any other access to <Firm Name>’s network or programs
Returning mobile devices - Any employee in possession of firm portable devices shall return such devices before exiting the premises on their final day of employment. Mobile devices include, but are not limited to, the following:
<Firm Name>-owned smartphone ii. <Firm Name>-owned tablet

iii. Laptop

USB drive
CD or DVD containing <Firm Name> client information

VISITOR AND CONTRACTOR ACCESS
Permission - Visitors who require internet network access will need permission the IT department. After credentials are arranged, activities on the network will be subject to the Acceptable Use policy. Visitor use of employee credentials is not permitted under any circumstances.
Contractors - Contractors making changes to the network should notify the It department if any interruption of services is anticipated. Prior arrangement should be made to notify all staff of the interruption if possible.
Remote Access - Remote Access to <Firm Name> networks are governed by the <Firm Name> Remote Access policy.

XII. ENFORCEMENT

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment

AEPS Privacy Policy

1. Introduction

Welcome to Virtual Galaxy Infotech Private Limited’s VPAY (AEPS Service).

VPAY (AEPS Service) (“us”, “we”, or “our”) operates https://vgipl.com (hereinafter referred to as “AEPS Service”).

Our Privacy Policy governs your visit to https://vgipl.com, and explains how we collect, safeguard and disclose information that results from your use of our AEPS Service.

We use your data to provide and improve our AEPS Services. By using AEPS Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined herein, the terms used in this Privacy Policy have the same meanings as in our Terms and Conditions.

Our Terms and Conditions (“Terms”) govern all use of our AEPS Service and together with this Privacy Policy constitutes your agreement with us (“agreement”).

2. Definitions

a) ‘AEPS SERVICE’ means the https://vgipl.com website operated by VPAY (AEPS Service).
b) ‘PERSONAL DATA’ means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).
c) ‘USAGE DATA’ is data collected automatically either generated by the use of AEPS Service or from AEPS Service infrastructure itself (for example, the duration of a page visit).
d)‘COOKIES’ are small files stored on your device (computer or mobile device).
e)‘DATA CONTROLLER’ means a natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. For the purpose of this Privacy Policy, we are a Data Controller of your data.
f) ‘DATA PROCESSORS (OR AEPS SERVICE PROVIDERS)’ means any natural or legal person who processes the data on behalf of the Data Controller. We may use the AEPS Services of various AEPS Service Providers in order to process your data more effectively.
g) 'DATA SUBJECT’ is any living individual who is the subject of Personal Data.
h) ‘THE USER’ is the individual using our AEPS Service. The User corresponds to the Data Subject, who is the subject of Personal Data.

3. Collection of information and its Use

We collect several different types of information as permitted by governing authorities for and work on improving and enhancing your AEPS Service experience.

4. Types of Data Collected

Personal Data

While using our AEPS Service, you may be required to provide us with some information related to personal identification that can be used to contact or identify you (“Personal Data”). Such personal data may include, but is not limited to:

a) First name and last name
b) Date of Birth, Age, sex, marital status,
c) Residential/ Business Address, Country, State, Province, ZIP/Postal code, City
d) Phone number (Home/ Business)
e) Email address
f) Education
g) Income
h) Cookies and Usage Data, etc

We may use your Personal contact Data to share with you some business promotional materials and other information that may be of interest to you. You may unsubscribe anytime and stop receiving any, or all, of these communications from us as per your discretion.

Usage Data

We may also collect information that your browser sends whenever you visit/ access/ utilize our AEPS Service through any device (“Usage Data”).

This Usage Data may include information such as your computer’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our AEPS Service that you access, the time and date of your visit, the time spent on those pages, unique device identifiers and other such data.

Location Data

We may use and store information about your location if you give us permission to do so (“Location Data”). We use this data to provide features of our AEPS Service, to improve and customize our AEPS Service.
You can enable or disable location AEPS Services when you use our AEPS Service at any time by way of your device settings.

Tracking Cookies Data

Cookies and similar tracking technologies are adopted to track the activity on our AEPS Service and some of this information is retained by us.

5. Use of Data

VPAY (AEPS Service) uses the collected data for various purposes:

a) to provide, maintain and customize our AEPS Service;
b) to monitor the usage of our AEPS Service;
c) to detect, prevent and address technical issues through customer support;
d) to update you about changes to our AEPS Service and its Privacy Policy;
e) to allow you to utilize interactive features of our AEPS Service if you opt so;
f) to carry out regular billing and collection in connection with the Agreement signed between us for AEPS Services;
e) to allow you to utilize interactive features of our AEPS Service if you opt so;
g) to provide you with notices about your account and/or subscription, including expiration and renewal notices, email-instructions, etc.;
h) to provide you with information about add-on services, promotional offers, and general information on relevant matters of your concern;
i) to fulfill any other obligation as may be required for statutory compliances.

6. Storage/ Retention of Data

Your personal data/ usage data, etc shall be stored with us in consonance with the statutory guidelines and only until the required purpose is achieved. We shall store the personal data and/or usage data only with an intention to analyse and customize the services, to strengthen the security, to enhance the service functionality and to comply with any legal obligations, including but not limited to resolution of disputes, enforcement of our legal contracts and policies, etc.

7. Transfer of Data

Your information, including Personal Data, is stored and maintained in India as per the guidelines of concerned Authorities

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.

We will take all the steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organisation or a country unless there are adequate controls in place including the security of your data and other personal information.

8. Disclosure of Data

We may disclose personal information that we collect, or you provide only under the following circumstances:

a) Disclosure for Law Enforcement.
b) Other cases. We may disclose your information also:
i. to our subsidiaries and affiliates;
ii. to contractors, AEPS Service providers, and other third parties we use to support our business;
iii. to fulfill the purpose for which you provide it;
iv. for the purpose of including your company’s logo on our website;
v. for any other purpose disclosed by us when you provide the information;
vi. with your consent in any other cases;
vii. if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of the Company, our customers, or others.

9. Security of Data

We take utmost care about the security of your data, at the same time no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Data, we cannot guarantee its absolute security.

10. AEPS Service Providers

We may during the course of our Services to you, engage third party companies and individuals to provide AEPS Service on our behalf in different capacities viz., payment processors, Sub-contractors, service providers, analytics, CI/ CD tools, etc. All these third parties involved in the services shall have access to your Personal Data only for the purpose assigned to them, and are obligated not to disclose or use it for any other purpose.

11. Payments

In case we use third-party AEPS Services for payment processing by using paid products or AEPS Services, we will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

12. Links to Other Sites

Our AEPS Service may contain links of third party sites that are not operated by us. If you click a third party link, you will be directed to that third party’s site. We strongly advise you to review their respective Privacy Policies for every such site you visit/ access. We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or AEPS Services.

13. Children’s Privacy

Our AEPS Services are intended for use only by an adult of a minimum age of 18 years and is not intended to be used by any person below the age of 18 years.

14. Changes/ upgradation to This Privacy Policy

We may update/ modify our Privacy Policy from time to time. We will notify you of any updates or changes by posting the new Privacy Policy on this page.

We will let you know via email and/or a prominent notice on our AEPS Service, prior to the change becoming effective and update “effective date” at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective from the date of its posting on this page.

15. Contact Us

If you have any queries/ feedback about this Privacy Policy, please contact us by email: info@vgipl.com