UWW Local Area Network Security and Guidelines

Local area network security, guidelines, and identity management procedures

To gain access to the UWW internal network, there are a number of steps that must be taken before logging on. You must be employed at UWW as full-time staff, an intern, a consultant, or a contractor. You must first have your immediate supervisor, team lead, or contract manager send the HR department a completed “NEW HIRE & TRANSFER FORM” and “Request for Passkey” form, which is found on the 701.unitedway.org intranet. HR will send these completed forms to the appropriate support staff in the IT and Facilities departments with the specifics of who you are, who you work for, and what resources you require access to on the UWW network and physically at UWW. IT will create your username and password and send you a “New Hire Orientation Package” that details what is expected of you with regard to acceptable use of IT equipment, policies and guidelines for working on the UWW network(s), and any other policy that you will be responsible for adhering to.

You will receive standardized computer equipment that is pre-configured for your job. The equipment will be configured with your username and password and will be secured by Active Directory Group Policies, which will restrict you from doing any activities that require Administrator privileges. All users on the UWW network are restricted users; therefore, all admin functions on the desktop and/or laptop will be disabled for your own safety and the overall health of the network.

Identity Management

Usernames and passwords are user-specific and are not to be shared with any other person within or outside of United Way of America. All your permissions and rights on the UWW network are granted and denied using your specific username and password combination.
Your user account is made a member of multiple security groups for group-assigned permissions on certain network resources, and your username is also made a member of multiple distribution lists that are used for group-oriented email broadcasts. These username and password combinations and group membership permissions are also tied to critical and confidential areas of the network. If you are a member of the Human Resources Security Group, then you and your group have been granted specific access to Human Resources data. This also applies to Finance staff and Finance Security Groups. If you are not made a member of a group that has special permissions to see confidential data, then you will NOT have access to that confidential data. All UWW databases currently use an authentication method that adheres to the same LAN username and password verification. Database access is given and taken away using the same security groups, as well as using individual usernames if applicable. If your username or security group is not assigned to a particular network resource, then you will NOT have access to it.

Page 1 of 6
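The group-based access model described above can be checked for a given user and folder from an administrative workstation. The following PowerShell function is an added example and is not part of the UWW document: it lists every ACE on a folder that applies to the user and says whether the access comes from a security group (as the policy intends) or from a direct ACE on the user account. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later), that ACL identities resolve in the current domain, and the user name and path are placeholders.

```powershell
# Added example, not part of the UWW document. Shows where a user's access to a
# folder on a group drive comes from, following the group-based model the
# Identity Management section describes. Assumes the ActiveDirectory module
# (Windows Server 2008 R2 RSAT or later) and that ACL identities resolve in the
# current domain. The user name and path used at the bottom are placeholders.
Import-Module ActiveDirectory

function Get-EffectiveGroupAccess {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$Path
    )
    $User = Get-ADUser -Identity $SamAccountName

    # All groups the user is in, including nested ones, via the
    # LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941).
    $Filter = "(member:1.2.840.113556.1.4.1941:=$($User.DistinguishedName))"
    $Groups = Get-ADGroup -LDAPFilter $Filter |
        ForEach-Object { "$env:USERDOMAIN\$($_.SamAccountName)" }
    $Self = "$env:USERDOMAIN\$($User.SamAccountName)"

    $Acl = Get-Acl -Path $Path
    foreach ($Ace in $Acl.Access) {
        $Id = $Ace.IdentityReference.Value
        if ($Id -eq $Self) {
            # Policy grants access through security groups; a direct user ACE is a finding.
            $Via = 'direct ACE on the user (review: policy expects group-based grants)'
        } elseif ($Groups -contains $Id) {
            $Via = 'security group membership'
        } else {
            continue   # ACE for a principal the user is not a member of: no access from it
        }
        [pscustomobject]@{
            Identity  = $Id
            Rights    = $Ace.FileSystemRights
            Type      = $Ace.AccessControlType
            Inherited = $Ace.IsInherited
            Via       = $Via
        }
    }
}

# Placeholder user and group-drive path
Get-EffectiveGroupAccess -SamAccountName 'jdoe' -Path 'G:\HumanResources' | Format-Table -AutoSize
```

Well-known principals such as Authenticated Users or BUILTIN\Users are not returned by the group query, so ACEs for them are skipped; a full effective-access review would add those separately. Any row reported as a direct ACE is worth raising with IT, since the policy states that resource permissions are granted through security groups.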
Windows 2008 Server Active Directory password management

When a user or service wants to access a computing resource, they must provide information that proves their identity. Their identity is typically in the form of their account’s user name. This might be the user name that is the Security Accounts Manager (SAM) account name or the User Principal Name (UPN). But to prove their identity, they must provide secret information, which is called the authenticator. An authenticator can take various forms depending on the authentication protocol and method. The combination of an identity and an authenticator is called an authentication credential. The process of creating, submitting, and verifying credentials is described simply as authentication, which is implemented through various authentication protocols, such as the Kerberos protocol. Authentication establishes the identity of the user, but not necessarily the user’s permission to access or change a specific computing resource. That process is known as authorization.

The Active Directory Domain Services (AD DS) database is the authoritative store of credentials for all user and computer accounts in an AD DS domain. The two types of domain controllers in AD DS that manage credentials differently are:

- Writable: Each writable domain controller in the domain contains a full copy of the domain’s AD DS database, including account credentials for all accounts in the domain.
- Read-only: Read-only domain controllers (RODCs) house a partial local replica with credentials for a select subset of the accounts in the domain. By default, RODCs do not have a copy of privileged domain accounts.

The database stores a number of attributes for each account, which include the user name and the following:
- NT hash for the current password
- NT hashes for password history (if configured)

NT hash values are also retained in AD DS for previous passwords to enforce password history during password change operations. The number of password history NT hash values retained is equal to the number of passwords configured in the password history enforcement policy. LM hashes may also be stored in the AD DS database depending on the domain controller operating system version, configuration settings, and password change frequency.

Your password is unique to you alone. Nobody will ever know what your password is unless you tell them. Domain Administrators do not have access to see what your current password is. If you forget your password, it cannot be RETRIEVED; it can only be CHANGED by the domain administrator. IT will reset your password with a ‘one-time’ password that they will give you over the phone or in person. Once you log on with this one-time password, you will be required to change it immediately.

When logging on to the local area network (LAN), if you type your password incorrectly 3 times, your account will be locked for at least 10 minutes. If after 3 attempts you have not successfully logged on to the LAN and you are unable to wait the 10 minutes to try again, please contact the help desk. The domain administrator in the IT group will verify that your account is locked and, if it is, will unlock it after verifying that you are the actual individual requesting the unlock by calling you directly.
If you have been approved to access the Great Plains (GP) financial application, you will be given a different unique user ID and password to remember. GP uses its own security structure that is administered by the GP administrator in Finance or by the GP administrator working in IT. They are the only persons who have the credentials to add, delete, and/or modify any GP credentials when requested. Gaining access to the GP application requires your supervisor, team lead, or contract manager to fill out the appropriate form, G:\Templates\Corporate\GreatPlainsRequestForm. This form needs to be signed by the CFO or comptroller in the Finance department before any access to financial systems is granted.

Administration of the Active Directory Schema can only be performed on 4 domain controller servers. Domain administration tasks include username and password creation, modification, and deletion, assigning security group membership, permission changes, and group policy modifications. Access to these servers is only possible from inside the computer room on the 4th floor, behind doors that can only be opened by select IT staff who have had their Kastle security access keys programmed for data center entry. The key access list of staff allowed through the data center doors is checked 4 times a year and validated against the InfoSec list kept with the security officer in IT. These doors are protected by Kastle Security card readers and are monitored by a closed-circuit camera that records movement 24 hours a day.

The complexity rules that are currently in place for LAN passwords are:

- Passwords must be a minimum of 6 characters.
- Passwords must be different from the last 5 passwords you have used before.
- Once changed, your password cannot be changed again for at least 3 days.
- If you mistype your password 3 times, your account will lock for approx. 10 minutes, then you can try 3 more times.
- Your password is automatically set to expire every 90 days, with the first warning sent to you 14 days prior to its expiration.

Data Backups

All data on UWW production servers is backed up nightly. This includes your H: (home directory) and your G: (group drive). All data that is created, modified, or moved should remain on one of the UWW network drives assigned to you at logon. If data is not saved to a network drive (i.e. your desktop, local C: drive, CD-RW, flash drive, or floppy), it will NOT be backed up each night. Since your local resources are not backed up nightly, there is no chance of recovery of any data lost due to equipment failure. Get in the habit of only saving corporate data to network drives.

Backups are done every night Monday – Friday. UWW keeps 4 weeks of backups on site. Once a week, a daily tape from each server is locked in a strong box, barcode scanned, and transported off-site to Iron Mountain, our preferred media vaulting vendor. There are also 4 tapes that are used for end-of-month backups. These tapes are kept on-site and reused every 3 months. Lastly, a yearly tape is kept at Iron Mountain for the entire year and replaced the next year.
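Returning to the LAN password complexity and lockout rules listed above: a practitioner would want to confirm that the domain actually enforces what the document states. The following PowerShell script is an added example, not part of the UWW document, and assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later) and a domain-joined session. The cmdlet and property names are real; the expected values are taken from the rules above. The 14-day expiry warning is read from the Winlogon registry value that the "Interactive logon: Prompt user to change password before expiration" Group Policy setting controls.

```powershell
# Added example, not part of the UWW document: compare the documented LAN
# password rules with what the domain's default password policy enforces.
# Assumes the ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Documented policy, keyed by the property names Get-ADDefaultDomainPasswordPolicy returns
$Documented = [ordered]@{
    MinPasswordLength    = 6                          # minimum 6 characters
    PasswordHistoryCount = 5                          # cannot reuse the last 5
    MinPasswordAge       = New-TimeSpan -Days 3       # no change for at least 3 days
    MaxPasswordAge       = New-TimeSpan -Days 90      # expires every 90 days
    LockoutThreshold     = 3                          # 3 bad attempts
    LockoutDuration      = New-TimeSpan -Minutes 10   # locked for approx. 10 minutes
}

function Compare-PasswordPolicy {
    param([System.Collections.IDictionary]$Expected)
    $Actual = Get-ADDefaultDomainPasswordPolicy
    foreach ($Name in $Expected.Keys) {
        $Value = $Actual.$Name
        [pscustomobject]@{
            Setting  = $Name
            Expected = $Expected[$Name]
            Actual   = $Value
            Match    = ($Value -eq $Expected[$Name])
        }
    }
}

$Findings = Compare-PasswordPolicy -Expected $Documented
$Findings | Format-Table -AutoSize

# The 14-day warning is a client-side setting (days before expiry), not a domain policy value.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$WarnDays = (Get-ItemProperty -Path $Winlogon -ErrorAction SilentlyContinue).PasswordExpiryWarning
"Password expiry warning on this host: $WarnDays day(s); the policy states 14"

if ($Findings | Where-Object { -not $_.Match }) {
    Write-Warning 'Domain password policy differs from the documented rules; reconcile before relying on the document.'
}
```

Without the ActiveDirectory module, `net accounts` on any domain member prints the same lockout and age values in plain text. If fine-grained password policies (Password Settings Objects) apply to some groups, those override the default domain policy for their members and should be checked with `Get-ADFineGrainedPasswordPolicy` as well.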
Personal Computer Use 
United Way of America computer systems may be used for limited personal use in the off hours provided that such use does not adversely affect UWW systems. Network Services cannot provide technical support for personal use. 
UWW does not guarantee the privacy of personal usage and reserves the right to monitor or terminate it at will. 
UWW computer resources may not be used for personal gain. UWW facilities may not be used to run a personal business, to perform work for hire for others, to gamble, to play the lottery, to auction items, or otherwise for personal monetary benefit. 
Users may not make any changes or ask IT to make any changes to computers to aid in personal use. Software to access personal accounts, such as America Online, may not be used on United Way of America computers except under very limited circumstances approved in advance by Network Services. 
Personal use applies only to regular UWW staff, not to temporary employees, family members, or others. Personal use by those persons, and all other personal use, is prohibited.

Web Filtering: Web Site Monitoring

The IT department shall monitor Internet use from all computers and devices connected to the corporate network. For all traffic, the monitoring system must record the source IP address, the date, the time, the protocol, and the destination site or server. Where possible, the system should record the User ID of the person or account initiating the traffic. Internet Use records must be preserved for 180 days.

Access to Web Site Monitoring Reports

General trending and activity reports will be made available to any employee as needed upon request to the IT Department. Computer Security Incident Response Team (CSIRT) members may access all reports and data if necessary to respond to a security incident. Internet Use reports that identify specific users, sites, teams, or devices will only be made available to associates outside the CSIRT upon written or email request to Information Systems from a Human Resources Representative.

Internet Use Filtering System

The IT Department shall block access to Internet websites and protocols that are deemed inappropriate for United Way Worldwide’s corporate environment. A Barracuda web filtering appliance is installed in-line with all LAN traffic leaving the UWW network infrastructure. The following protocols and categories of websites should be blocked:

- Adult/Sexually Explicit Material
- Advertisements & Pop-Ups
- Chat and Instant Messaging
- Gambling
- Hacking
- Illegal Drugs
- Intimate Apparel and Swimwear
- Peer to Peer File Sharing
- Personals and Dating
- Social Network Services
- SPAM, Phishing and Fraud
- Spyware
- Tasteless and Offensive Content
- Violence, Intolerance and Hate

Internet Use Filtering Rule Changes

The IT Department shall periodically review and recommend changes to web and protocol filtering rules. Human Resources shall review these recommendations and decide if any changes are to be made. Changes to web and protocol filtering rules will be recorded in the Internet Use Monitoring and Filtering Policy.

Internet Use Filtering Exceptions

If a site is mis-categorized, employees may request that the site be unblocked by submitting a ticket to the IT help desk. An IT employee will review the request and unblock the site if it is mis-categorized. Employees may access blocked sites with permission if appropriate and necessary for business purposes. If an employee needs access to a site that is blocked and appropriately categorized, they must submit a request to the help desk asking the IT team to check and unblock the site in question. IT will unblock that site or category for that associate only. IT will track approved exceptions and report on them upon request. IT will return the site or category to being blocked when the employee or group is finished with it.

Privacy

UWW respects the privacy of its employees and will attempt to respect this privacy whenever possible. However, under the law, UWW owns all the computer resources you use, including all information on your computers, and may examine, monitor, or take any other action it chooses, with or without notice to you and with or without cause. UWW will take any appropriate steps to ensure that its ethics and other policies are followed and that its business purposes are served.
All users are expected to respect the privacy of others and follow the confidentiality policies of the organization. 
Network Services normally will not inspect your files, data, e‐mail, or other computer information that is not generally made available to staff unless you authorize us to do so. However, we may do so to ensure compliance with UWW policies or at the direction of your supervisor or a higher authority. 
From time to time, Network administrators and engineers may inadvertently see or specifically need to inspect such information in the course of network and security administration and may do so for such purposes. Network administrators and engineers are bound by UWW’s confidentiality policy regarding such information. 
UWW cannot guarantee that other users at UWW or outside UWW cannot gain access to any information on its computer systems. Network Services will implement reasonable security measures to limit exposure but cannot protect from every eventuality. 
At the present time, UWW does not routinely monitor the contents of e‐mail, but such monitoring is implemented and can be used at the direction of a higher authority. 
At the present time, UWW does not routinely monitor the Web access of all staff. However, such access is currently recorded as a consequence of the firewall and web filter in place to reduce unnecessary network traffic and bandwidth abuse. Such information, though, is only examined on an as-needed basis, although additional monitoring may be implemented at a later time. Supervisors may request such information about a specific employee if abuse is suspected; Network Services may, at its discretion, request the approval of a higher authority before releasing the information.
Certain information about telephone calls is kept within the telephone system. Supervisors may request such information about a specific employee if abuse is suspected; Network Services may, at its discretion, request the approval of a higher authority before releasing the information.
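The Web Site Monitoring and Privacy sections above together describe three controls on web-filter records: every record carries source IP, date, time, protocol, destination and (where possible) User ID; records are kept for 180 days; and trending reports are open to any employee while user-identifying reports leave the CSIRT only on an HR request. The following PowerShell script is an added example, not part of the UWW document or of the Barracuda product, showing how those controls look when applied to log records. The log line format, field order, host names, user names and function names are all assumptions; the sample records are constructed.

```powershell
# Added example, not part of the UWW document. Applies the monitoring policy's
# record fields, 180-day retention and two report types to constructed
# web-filter log lines. The line format below is an assumption, not the
# Barracuda appliance's export format.

# Constructed sample records: date time sourceIP user protocol destination category action
$SampleLog = @'
2010-03-01 09:12:04 10.20.1.15 jdoe http news.example.org News allowed
2010-03-01 09:13:40 10.20.1.15 jdoe https mail.example.com Webmail allowed
2010-03-01 11:02:11 10.20.1.33 - https p2p.example.net Peer-to-Peer blocked
2010-03-02 14:45:09 10.20.1.40 asmith http games.example.com Gambling blocked
2009-08-15 08:00:00 10.20.1.12 bjones http old.example.com News allowed
'@

function ConvertFrom-FilterLog {
    param([string]$Text)
    $Culture = [System.Globalization.CultureInfo]::InvariantCulture
    foreach ($Line in ($Text -split "`n")) {
        $Line = $Line.Trim()
        if (-not $Line) { continue }
        $F = $Line -split '\s+'
        if ($F.Count -lt 8) { Write-Warning "Skipping malformed line: $Line"; continue }
        # User ID is "where possible" in the policy, so "-" means not recorded
        $UserId = if ($F[3] -eq '-') { $null } else { $F[3] }
        [pscustomobject]@{
            Timestamp   = [datetime]::ParseExact("$($F[0]) $($F[1])", 'yyyy-MM-dd HH:mm:ss', $Culture)
            SourceIP    = $F[2]
            UserId      = $UserId
            Protocol    = $F[4]
            Destination = $F[5]
            Category    = $F[6]
            Action      = $F[7]
        }
    }
}

# Policy: records must be preserved for 180 days. Records within the window are
# returned; treating older ones as purgeable is an assumption about how the
# minimum is applied. $Now is passed in so the run is reproducible.
function Get-RetainedRecords {
    param([object[]]$Records, [datetime]$Now, [int]$RetentionDays = 180)
    $Records | Where-Object { ($Now - $_.Timestamp).TotalDays -le $RetentionDays }
}

# Trending report: available to any employee, so it carries no identifying fields.
function Get-TrendingReport {
    param([object[]]$Records)
    $Records | Group-Object Category, Action | ForEach-Object {
        [pscustomobject]@{
            Category = $_.Group[0].Category
            Action   = $_.Group[0].Action
            Hits     = $_.Count
        }
    }
}

# Per-user report: released outside the CSIRT only on an HR request, so the
# function refuses to run without a request reference to record with the output.
function Get-UserReport {
    param([object[]]$Records, [string]$UserId, [string]$HrRequestRef)
    if (-not $HrRequestRef) {
        throw 'Per-user report requires an HR request reference (see Access to Web Site Monitoring Reports).'
    }
    Write-Verbose "User report for $UserId released under HR request $HrRequestRef"
    $Records | Where-Object { $_.UserId -eq $UserId } |
        Select-Object Timestamp, SourceIP, Protocol, Destination, Category, Action
}

$Now      = Get-Date '2010-03-03'
$Retained = Get-RetainedRecords -Records (ConvertFrom-FilterLog $SampleLog) -Now $Now   # drops the 2009-08-15 entry

Get-TrendingReport -Records $Retained | Format-Table -AutoSize
Get-UserReport -Records $Retained -UserId 'jdoe' -HrRequestRef 'HR-REQUEST-PLACEHOLDER' | Format-Table -AutoSize
```

The separation into two functions is the point: the trending report never touches the UserId or SourceIP columns, so it can be handed out on request, while the per-user report cannot be produced without the HR reference that the policy requires, and that reference is written to the verbose stream so the release is traceable.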