This is the information security policy set of a large foreign enterprise. It covers every aspect of enterprise information security and consists of several dozen policies, which I will translate and organize one by one. This is the first: the Acceptable Use Policy. Reposting is welcome, but please credit the source and the translator. Please do not use it for commercial purposes.
Original:
InfoSec Acceptable Use Policy
1.0 Overview
InfoSec's intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to . established culture of openness, trust and integrity. InfoSec is committed to protecting 's employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of . These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.
2.0 Purpose
The purpose of this policy is to outline the acceptable use of computer equipment at . These rules are in place to protect the employee and . Inappropriate use exposes to risks including virus attacks, compromise of network systems and services, and legal issues.
3.0 Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at , including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by .
4.0 Policy
4.1 General Use and Ownership
- While 's network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of . Because of the need to protect 's network, management cannot guarantee the confidentiality of information stored on any network device belonging to .
- Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.
- InfoSec recommends that any information that users consider sensitive or vulnerable be encrypted. For guidelines on information classification, see InfoSec's Information Sensitivity Policy. For guidelines on encrypting email and documents, go to InfoSec's Awareness Initiative.
- For security and network maintenance purposes, authorized individuals within may monitor equipment, systems and network traffic at any time, per InfoSec's Audit Policy.
- reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
4.2 Security and Proprietary Information
- The user interface for information contained on Internet/Intranet/Extranet-related systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines, details of which can be found in Human Resources policies. Examples of confidential information include but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. Employees should take all necessary steps to prevent unauthorized access to this information.
- Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly, user level passwords should be changed every six months.
- All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (control-alt-delete for Win2K users) when the host will be unattended.
- Use encryption of information in compliance with InfoSec's Acceptable Encryption Use policy.
- Because information contained on portable computers is especially vulnerable, special care should be exercised. Protect laptops in accordance with the “Laptop Security Tips”.
- Postings by employees from a email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of , unless posting is in the course of business duties.
- All hosts used by the employee that are connected to the Internet/Intranet/Extranet, whether owned by the employee or , shall be continually executing approved virus-scanning software with a current virus database, unless overridden by departmental or group policy.
- Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.
4.3 Unacceptable Use
The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
Under no circumstances is an employee of authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing -owned resources.
The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.
System and Network Activities
The following activities are strictly prohibited, with no exceptions:
- Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by .
- Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which or the end user does not have an active license is strictly prohibited.
- Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
- Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
- Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
- Using a computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
- Making fraudulent offers of products, items, or services originating from any account.
- Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
- Port scanning or security scanning is expressly prohibited unless prior notification to InfoSec is made.
- Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
- Circumventing user authentication or security of any host, network or account.
- Interfering with or denying service to any user other than the employee's host (for example, denial of service attack).
- Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
- Providing information about, or lists of, employees to parties outside .
Email and Communications Activities
- Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
- Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
- Unauthorized use, or forging, of email header information.
- Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
- Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
- Use of unsolicited email originating from within 's networks or other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by or connected via 's network.
- Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
6.0 Definitions
Term | Definition
Spam | Unauthorized and/or unsolicited electronic mass mailings.
7.0 Revision History
Translation:
Information Security Acceptable Use Policy
1.0 Overview
The purpose of publishing the Information Security Acceptable Use Policy is not to impose restrictions that run contrary to the established corporate culture of openness, trust and integrity. Information security exists to protect the interests of the company's employees and partners and to keep the company from harm caused by illegal or damaging actions, whether committed knowingly or unknowingly.
Internet/Intranet/Extranet-related systems include, but are not limited to, computer equipment, software, operating systems, storage media, and network accounts providing e-mail, WWW browsing and FTP service, and are corporate property. These systems are used to achieve business objectives and to serve the interests of the company and its customers. See the Human Resources policies for details.
Effective security is the result of a collective effort and requires the participation and support of every employee. Every computer user must know these guidelines and conduct their activities accordingly.
2.0 Purpose
The purpose of this policy is to outline the acceptable use of computer equipment within the company. These rules exist to protect the interests of employees and of the company. Inappropriate use exposes the company to a range of risks, including virus attacks, compromise of network systems and services, and legal disputes.
3.0 Scope
This policy applies to the company's employees, contractors, consultants, temporary staff and other workers, as well as to all personnel affiliated with third parties. It applies to all equipment owned or leased by the company.
4.0 Policy
4.1 General Use and Ownership
1. Although the company's network administration will provide a reasonable level of privacy, users must be aware that the data they create on corporate systems remains company property. Because the company's network must be protected, management cannot guarantee the confidentiality of information stored on any company-owned network device.
2. Employees are responsible for the reasonableness of their personal use. Each department is responsible for establishing its own guidelines for personal use of Internet/Intranet/Extranet systems. Where such a policy is missing, employees should follow the relevant departmental policy; where anything is unclear, employees should consult their supervisor or manager.
3. Users are advised to encrypt all information they consider sensitive or vulnerable. For guidelines on information classification, see the Information Security Information Sensitivity Policy. For guidelines on encrypting e-mail and documents, see InfoSec's Awareness Initiative.
4. In accordance with this policy, the company reserves the right to audit networks and systems on a periodic basis.
4.2 Security and Proprietary Information
1. As required by the corporate confidentiality guidelines, information that users access on Internet/Intranet/Extranet-related systems must be classified as confidential or non-confidential; see the Human Resources policies for details. Confidential information includes, but is not limited to: company secrets, corporate strategies, competitor information, trade secrets, customer lists and research data. Employees must take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their accounts and passwords. System-level passwords must be changed every three months; user-level passwords must be changed every six months.
3. All PCs, laptops and workstations must be secured when unattended, either by logging off (control-alt-delete for Win2K users) or by a password-protected screensaver set to activate automatically within 10 minutes.
4. Encrypt information as specified in the Information Security Acceptable Encryption Policy.
5. Because information held on mobile computers is especially vulnerable, it requires special attention. Protect laptops as specified in the “Laptop Security Tips”.
6. When employees post to newsgroups from a corporate e-mail address, unless the posting is made in the course of business duties, it must carry a disclaimer stating that the opinions expressed are their own and not the company's.
7. Unless overridden by departmental or group policy, all hosts used by employees that are connected to the Internet/Intranet/Extranet, whether employee-owned or company-owned, must run approved virus-scanning software with a current virus database.
8. Employees must be extremely cautious when opening e-mail attachments from unknown senders, since such attachments may contain viruses, e-mail bombs or Trojan horses.
4.3 Unacceptable Use
The following activities are generally prohibited. Employees may be exempted from these restrictions in the course of their legitimate job responsibilities (for example, a system administrator may need to cut off a host's network access if that host is causing disruption).
Under no circumstances is an employee authorized to engage in any activity using company resources that violates local, state, federal or international law.
The lists below give a general framework of unacceptable-use categories and may not be exhaustive.
System and Network Activities
The following activities are strictly prohibited under all circumstances:
1. Infringing the copyright, trade secrets, patents or other intellectual property of any person or organization, or violating related laws and regulations. This includes, but is not limited to, installing or distributing pirated software or other software not licensed for use.
2. Unauthorized copying of copyrighted material. This includes, but is not limited to, scanning and distributing copyrighted material such as magazine photographs, books and copyrighted music, and the unauthorized installation of copyrighted software for which the company or the end user does not hold a valid license.
3. Exporting software, technical information, encryption software or technology in violation of international or regional export laws is illegal. Consult the appropriate management before exporting any material that is in question.
4. Introducing malicious programs into the network or servers (e.g. viruses, worms, Trojan horses, e-mail bombs).
5. Revealing your account password to others or allowing others to use your account, including family members when working from home.
6. Using corporate computing resources to actively obtain or transmit material that violates sexual harassment or hostile workplace laws in the user's local jurisdiction.
7. Making fraudulent offers of products, items or services from a corporate account.
8. Making statements about warranty, express or implied, unless this is part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, unauthorized access to data or unauthorized login to servers or accounts outside one's normal duties. For this section, disruption of network communication includes, but is not limited to: network sniffing, ping floods, packet spoofing, denial-of-service attacks, and forged routing information for malicious purposes.
10. Port scanning and security scanning are expressly prohibited unless InfoSec is notified in advance.
11. Unless it is part of the employee's normal job duties, executing any form of network monitoring is prohibited, because monitoring can intercept data not intended for the employee's host.
12. Circumventing user authentication or compromising the security of any host, network or server.
13. Interfering with or denying service to any user other than the employee's own host (for example, a denial-of-service attack).
14. Using any program/script/command, or sending messages of any kind, locally or via the Internet/Intranet/Extranet, to interfere with or disrupt a user's terminal session.
15. Providing company information or lists of employees to outside organizations.
Email and Communications Activities
1. Sending advertising material or other junk mail to individuals who did not explicitly request it.
2. Any form of harassment via e-mail, telephone or in writing.
3. Unauthorized use or forging of e-mail header information.
4. Sending deceptive e-mail to other e-mail addresses in order to harass or to collect information.
5. Creating or forwarding “chain letters”, “Ponzi” or other types of “pyramid” schemes (similar to multi-level marketing?).
6. Using corporate network services or network connections to actively send, from within the corporate network, advertising for other Internet/Intranet/Extranet service providers.
7. Posting large numbers of the same or similar non-business-related messages to Usenet newsgroups (newsgroup spam).
5.0 Enforcement
Any employee who violates this policy will face disciplinary action, up to and including termination of employment.
6.0 Definitions
Term | Definition
Spam | Unauthorized mass sending of e-mail without the recipients' consent.
7.0 Revision History