A Network Security Policy includes the elements that are required for most network security policies: privacy policy, acceptable use policy, authentication policy, Internet use policy, access policy, auditing policy, and data protection policy. The security policy should also protect an organization legally, and it should be a continual work in progress.

In compliance with the Convergys and DirecTv rules, the Convergys Corporation, and generally accepted industry best practices, Convergys provides for the security and privacy of the data stored on, redirected through, or processed by its technology resources. Convergys encourages the use of these technology resources; however, they remain the property of Convergys and are offered on a privilege basis only.

Throughout this policy, the term "staff" identifies full- and part-time employees, contractors, consultants, temporaries, student assistants, volunteers, retired annuitants, vendors and other users including those affiliated with third parties who access Convergys technology resources due to their job responsibilities. Management expects staff to comply with this and other applicable Convergys policies, procedures, and local, state, federal, and international laws. Failure to abide by these conditions may result in forfeiture of the privilege to use technology resources, disciplinary action, and/or legal action.

The IT Policy Review Team regularly modifies this and other IT security related policies to reflect changes in industry standards, legislation, technology and/or products, services, and processes at Convergys.

Privacy

Convergys reserves the right to monitor, duplicate, record and/or log all staff use of Convergys technology resources with or without notice. This includes but is not limited to e-mail, Internet access, keystrokes, file access, logins, and/or changes to access levels. Staff shall have no expectation of privacy in the use of these technology resources.

Liability

Convergys makes no warranties of any kind, whether expressed or implied, for the services in this policy. In addition, Convergys is not responsible for any damages which staff may suffer or cause arising from or related to their use of any Convergys technology resources.
Staff must recognize that Convergys technology resource usage is a privilege and that the policies implementing said usage are requirements that mandate adherence.

Staff Responsibilities and Accountability

Effective information security requires staff involvement as it relates to their jobs. Staff is accountable for their actions and therefore they own any events occurring under their user identification code(s). It is staff's responsibility to abide by policies and procedures of all networks and systems with which they communicate. Access of personal or private Internet Service Providers while using Convergys provided information technology resources or using non-Convergys provided information technology resources to conduct Convergys business does not indemnify any entity from the responsibilities, accountability and/or compliance with this or other Convergys policies.

Staff responsibilities include but are not limited to:

• Access and release only the data for which you have authorized privileges and a need to know (including misdirected e-mail)
• Abide by and be aware of all policies and laws (local, state, federal, and international) applicable to computer system use
• Report information security violations to the Information Security Officer or designee and cooperate fully with all investigations regarding the abuse or misuse of state owned information technology resources
• Protect assigned user IDs, passwords, and other access keys from disclosure
• Secure and maintain confidential printed information, magnetic media or electronic storage mechanisms in approved storage containers when not in use and dispose of these items in accordance with Convergys policy
• Log off of systems (or initiate a password protected screensaver) before leaving a workstation unattended
• Use only Convergys acquired and licensed software
• Attend periodic information security training provided by Convergys IT Security Branch
• Follow all applicable procedures and policies

© SANS Institute 2001, Author retains full rights

Electronic Mail (E-Mail) Policy

Convergys electronic mail services (e-mail) policy provides staff with guidelines for permitted use of the Convergys e-mail technology resource. The policy covers e-mail coming from or going to all Convergys owned personal computers, servers, laptops, paging systems, cellular phones, and any other resource capable of sending or receiving e-mail.

Ownership

Convergys owns all e-mail systems, messages generated on or processed by e-mail systems (including backup copies), and the information they contain. Although staff members receive an individual password to access the e-mail systems, e-mail and e-mail resources remain the property of Convergys.

Monitoring

Convergys monitors, with or without notice, the content of e-mail for problem resolution, providing security, or investigative activities. Consistent with generally accepted business practices, Convergys collects statistical data about its technology resources. Convergys technical staff monitors the use of e-mail to ensure the ongoing availability and reliability of the systems.

Accountability

Staff may be subject to loss of e-mail privileges and/or disciplinary action if found using e-mail contrary to this policy. Staff must maintain the confidentiality of passwords and, regardless of the circumstances, never share or reveal them to anyone. The Information Security Officer (ISO) must provide express written permission before sensitive information is forwarded to any party outside of Convergys. Staff should contact the ISO with questions regarding the appropriateness of information sent through e-mail.

Ethical Behavior and Responsible Use

Convergys provides e-mail systems to staff to facilitate business communications and assist in performing daily work activities.

Ethical and Acceptable

• Communications and information exchanges directly relating to the mission, charter, and work tasks of Convergys
• Announcements of laws, procedures, hearings, policies, services, or activities
• Notifying staff of Convergys sanctioned employee events, such as the holiday party, bake sales, arts and craft fairs, retirement luncheons, and similar approved activities
• Respecting the legal protection provided by all applicable copyrights and licenses
• Practicing good housekeeping by deleting obsolete messages

Unethical and Unacceptable

• Violating any laws or Convergys policies or regulations (e.g. those prohibiting sexual harassment, incompatible activities, or discrimination)
• Submitting, publishing, displaying, or transmitting any information or data that contains defamatory, false, inaccurate, abusive, obscene, pornographic, profane, sexually oriented, threatening, racially offensive, discriminatory, or illegal material
• Compromising the privacy of staff, customers, or data and/or using personal information maintained by Convergys for private interest or advantage
• Engaging in any activities for personal gain, performing personal business transactions, or other personal matters (e.g. sending sports pool or other gambling messages, jokes, poems, limericks, or chain letters)
• Intentionally propagating, developing, or executing malicious software in any form (e.g. viruses, worms, trojans, etc.)
• Viewing, intercepting, disclosing, or assisting in viewing, intercepting, or disclosing e-mail not addressed to you
• Distributing unsolicited advertising
• Accessing non-Convergys e-mail systems (e.g. Hotmail, Yahoo!) using Convergys owned resources

1.0 Purpose

The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the <Company Name> corporate network.

2.0 Scope

This policy applies to all <Company Name> employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties utilizing VPNs to access the <Company Name> network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator.

3.0 Policy

Approved <Company Name> employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy.

Additionally,

1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to <Company Name> internal networks.
2. VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel: all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. VPN gateways will be set up and managed by <Company Name> network operational groups.
6. All computers connected to <Company Name> internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
7. VPN users will be automatically disconnected from <Company Name>'s network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.
9. Users of computers that are not <Company Name>-owned equipment must configure the equipment to comply with <Company Name>'s VPN and Network policies.
10. Only InfoSec-approved VPN clients may be used.
11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of <Company Name>'s network, and as such are subject to the same rules and regulations that apply to <Company Name>-owned equipment, i.e., their machines must be configured to comply with InfoSec's Security Policies.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
