...Richman Investment Remote Access Control Policy Document 01/14/14
Contents
1 Policy Statement
2 Purpose
3 Scope
4 Definition
5 Risks
6 Applying the Policy - Passwords
6.1 Choosing Passwords
6.1.1 Weak and strong passwords
6.2 Protecting Passwords
6.3 Changing Passwords
6.4 System Administration Standards
7 Applying the Policy – Employee Access
7.1 User Access Management
7.2 User Registration
7.3 User Responsibilities
7.4 Network Access Control
7.5 User Authentication for External Connections
7.6 Supplier’s Remote Access to the Council Network
7.7 Operating System Access Control
7.8 Application and Information Access
8 Policy Compliance
9 Policy Governance
10 Review and Revision
11 References
12 Key Messages
13 Appendix 1
Policy Statement Richman Investments will establish specific requirements for protecting information and information systems against unauthorised access. Richman Investments will effectively communicate the need for information and information system access control. Purpose Information security is the protection of information against accidental or malicious disclosure, modification or destruction. Information is an important, valuable asset of Richman Investments which must be managed with care. All information has a value to the Council. However, not all of this information has an equal...
Words: 2211 - Pages: 9
...Authorization- Richman Investments must define rules as to who has access to which computer and network resources. My suggestion is that RI implements either a group membership policy or an authority-level policy to achieve this. Group policy would allow the administrator to assign different privileges to different groups. The admin would then assign different individual users to those different groups. So the user's permissions would depend on the permissions of the group they were a member of. With authority-level policy the admin would assign different permissions to individual users based on their position and authority level within the company and what access that position requires. Identification- Richman Investments needs to assign a unique identifier to each user in order to have accurate records of who is accessing, or trying to access, what applications, which network resource, and what data. The most common ID is the username, account number, or PIN. Authentication- In order to keep the remote access to Richman Investments secure, there must be proof that the person trying to gain access to the network remotely is the same person who has been granted access by identification. To do this RI can choose one of the following knowledge type authentications: PIN, password, or passphrase along with one of the following ownership type of authentication: smart card, key, badge, or token. Using a combination of ownership authentication and knowledge authentication...
Words: 298 - Pages: 2
...Remote Access Control Policy 1. It is the responsibility of Richman Investments employees, third party contractors, vendors and agents with remote access privileges to Richman Investments networks to ensure that their remote access connection is given the same consideration as the user's on-site connection to Richman Investments. 2. General access to the Internet for recreational use by immediate household members is discouraged through the Investment Dial-In Network. The Richman Investments employee is responsible to ensure the family member does not violate any Richman Investment policies, does not perform illegal activities, and does not use the access for outside business interests. The Richman Investments employee bears responsibility for the consequences should the access be misused. 3. Access to the Richman Investments Trusted Network will only be allowed from Trusted Users and other special ITS administered subnets. 4. Remote or outside Trusted Users (defined below) may gain access to Trusted hosts in one of two ways: a. The outside Trusted user will initiate a connection and authenticate to the Richman Investments VPN endpoint (see VPN_Policy). Username and password pairs will be distributed to Third Parties upon receipt of a valid Third Party Connection Agreement. Currently supporting Windows 8 with Microsoft SQL Server 2014. Network Infrastructure and Control Systems will make client software available upon request. b. The Richman Investments...
Words: 362 - Pages: 2
...Existing IT Security Policy Framework Richman Investments Remote Access Standards Purpose: This document is designed to provide definition of the standards for connecting remotely to Richman Investments’ network outside of the company’s direct network connection. The standards defined here are designed to mitigate exposure to potential damage to Richman Investments’ network, resulting from the unauthorized use of network resources. Scope: All Richman Investments agents, vendors, contractors, and employees, who use either Richman Investments company property or their own personal property to connect to the Richman Investments network, are governed by this policy. The scope of this policy covers remote connections, used to access or do work on behalf of Richman Investments, including, but not limited to, the viewing or sending of e-mail, and the viewing of intranet resources. Policy: Richman Investments agents, vendors, contractors, and employees with privilege to remote access to Richman Investments’ corporate network are responsible for ensuring that they adhere to these standards, whether using company-owned or personal equipment for data access, and that they follow the same guidelines that would be followed for on-site connections to the Richman Investments network. General access to the Internet by household members via the Richman Investments network will be permitted, and should be used responsibly, such that all Richman Investments standards and guidelines...
Words: 474 - Pages: 2
...Richman Investments Remote Access Control Policy The purpose of this policy is to define standards on remote access to the Richman Investments from any remote host, including all branch offices located in North America. The standards provided are to secure and prevent any possible unattended entry into the Richman Investments website, intranet or internal network. We are intending to ensure 100% accountability of our company's shared information, but most importantly our customers’ personal/financial information. It is urged that all remote access users refer to the acceptable use policy before accessing any network component of Richman Investments. Any use of a personal computer, company workstation or Blackberry/PDA to access the Richman Investments network will require the newest version update of our company anti-virus software. All remote access connections will be limited to do work on the behalf of Richman Investments. Every workstation will be equipped with a required assigned user name, password authentication, and an access token authentication. The password minimum requirements will be limited to twelve characters, including two special characters, and three numeric characters. A user connecting to the network using a personal computer and/or PDA will require a network access password, with a minimum of ten characters, including two special characters and three numeric characters. All passwords will be kept confidential to the network user and network administrators...
Words: 317 - Pages: 2
...Authorization- Richman Investment has to define specific rules to dedicate who has access to which of the computers and its resources. The suggestion that I suggest is that Richman Investments implements a group policy. A group policy would allow an administrator the privilege to assign different access controls to different group users. The administrator could then assign different individuals to one or multiple groups. The permissions of the user are dictated by the administrator. Identification- Richman Investments must assign a unique identifier that compliments each user. This way they can keep track of who has access to what systems and data, the most commonly used is a user identification number and password. Authentication- “In order to keep the remote access to Richman Investments secure, there must be proof that the person trying to gain access to the network remotely is the same person who has been granted access by identification.” (Technology, 2014) The best way for this company is to use a knowledge based system that includes PIN, pass phrase, or password along with an ownership authentication which includes but is not limited to a key, badge, token, or smart card. Using a combination of will provide the most adequate form of security. Accountability- Richman Investments has to hold all users responsible for what they do or not do on their systems. They must make sure log systems can detect, prevent, and/or monitor the system due to all the laws that have...
Words: 282 - Pages: 2
...Richman Investments has decided to expand their business. We have been given their new growth projections of 10,000 employees in 20 countries, with 5,000 located within the U.S. Richman have also established eight branch offices located throughout the U.S. and have designated Phoenix, AZ being the main headquarters. With this scenario, I intend to design a remote access control policy for all systems, applications and data access within Richman Investments. With so many different modes of Access Control to choose from it is my assessment that choosing only one model would not be appropriate for Richman Investments. My recommendation would be a combination of multiple Access Control Models that overlap to provide maximum coverage and overall security. Here are my suggestions for access controls. Role Based Access Control or RBAC, this will work well with the Non-Discretionary Access Control model, which will be detailed in the next paragraph. RBAC is defined as setting permissions or granting access to a group of people with the same job roles or responsibilities. With many different locations along with many different users it is important to identify the different users and different workstations within this network. Every effort should be dedicated towards preventing users from accessing information they should not have access to. Non-Discretionary Access Control is defined as controls that are monitored by a security administrator. While RBAC identifies those with permissions...
Words: 548 - Pages: 3
...Appropriate Access Controls for Systems, Applications, and Data Access Learning Objective Explain the role of access controls in implementing security policy. Key Concepts The authorization policies applying access control to systems, application, and data The role of identification in granting access to information systems The role of authentication in granting access to information systems The authentication factor types and the need for two- or three-factor authentication The pros and cons of the formal models used for access controls Reading Kim and Solomon, Chapter 5: Access Controls. Keywords Use the following keywords to search for additional materials to support your work: Biometrics Content Dependent Access Control Decentralized Access Control Discretionary Access Control Kerberos Mandatory Access Control Remote Authentication Dial In User Service (Radius) Role-Based Access Control Security Controls Secure European System for Applications in a Multi-Vendor Environment (SESAME) Single Sign-on Terminal Access Controller Access-Control System (TACACS) Week 3 Discussion * Access Control Models * Unit 3 Access Control Models (IT255.U3.TS2) Lab * Enable Windows Active Directory and User Access Controls Assignment * Remote Access Control Policy Definition ...
Words: 542 - Pages: 3
...Ken Schmid Unit 3 Assignment 1 Remote Access Control Policy for Richman Investments Authorization- Richman Investments must define rules as to who has access to which computer and network resources. My suggestion is that RI implements either a group membership policy or an authority-level policy to achieve this. Group policy would allow the administrator to assign different privileges to different groups. The admin would then assign different individual users to those different groups. So the user's permissions would depend on the permissions of the group they were a member of. With authority-level policy the admin would assign different permissions to individual users based on their position and authority level within the company and what access that position requires. Identification- Richman Investments needs to assign a unique identifier to each user in order to have accurate records of who is accessing, or trying to access, what applications, which network resource, and what data. The most common ID is the username, account number, or PIN. Authentication- In order to keep the remote access to Richman Investments secure, there must be proof that the person trying to gain access to the network remotely is the same person who has been granted access by identification. To do this RI can choose one of the following knowledge type authentications: PIN, password, or passphrase along with one of the following ownership type of authentication: smart card, key, badge...
Words: 312 - Pages: 2
...Remote access control policy definition Richman Investments firm Remote access control policy The following is the firm remote access control policy. The policy will be listing the appropriate access controls for systems, applications and data access. We will be providing a description on each type of access. It is our mission to preserve and protect the Confidentiality, Availability and Integrity of our Firm's Information System. 1. Systems Access Control. A. Users are required to use a user ID with password and smart card for accessibility. B. Remote Users are required to use a user ID with password and software token for accessibility. C. All users must change user password every 30 days. D. Users will only have access to their branch office. E. Users' logins will be recorded. F. Only authorized users will be allowed access to their respected system. G. Management users will have access to their own branch office and also to Headquarters office. H. Desktop, mobile and wireless devices must be loaded with up to date firmware, OS software and patches. 2. Application Access Control. A. Users will be assigned rights to use individual application. B. Users will have to use first and second layer of authentication to gain access to their application. C. Users will be recorded using application. D. IT Administration is responsible for running monthly application test. E. Applications will be tested for security...
Words: 383 - Pages: 2
...Acceptable Use Policy (AUP) for use of WAN/LAN owned and maintained by Richman Investments Statement of Policy: The following Information Technology Acceptable Use Policies and Procedures are to be followed by ALL employees, contractors, vendors, and other authorized individuals who are granted access to any Local Area Network and/or Wide Area Network or other service maintained and provided by Richman Investments or its subsidiaries. It is expected that all departments will enforce these policies. ANY USER FOUND VIOLATING THESE POLICIES OR PROCEDURES WILL FACE PUNISHMENT WHICH MAY INCLUDE DISCIPLINARY ACTION, SERVICE ACCESS TERMINATION, AND/OR LEGAL ACTION. Users of any Local Area Network and/or Wide Area Network owned and maintained by Richman Investments understand they are subject to monitoring by the Information Technology department in order to maintain systems security and prevent unauthorized access and usage of equipment. Richman Investments assumes no responsibility for actions performed by users which violate any laws, foreign or domestic. If discovered, these users will be reported to the proper authorities for prosecution. Prohibited Use of Equipment or System: * No peer-to-peer file sharing or externally reachable file transfer protocol (FTP) servers * No exporting internal software or technical material in violation of export control laws * No accessing unauthorized internal resources or information from external sources * No port...
Words: 339 - Pages: 2
...presents the fundamental solutions for the safety of data and information that belongs to Richman Investments. As part of the general security plan of the organization the IT department puts together a proposal to provide multi-layered security strategies that can be applied at every level of the IT structure. The plan will lay out the importance of improving and safeguarding the levels of each domain and the process of protecting the information of the organization. User Domain At Richman Investments the personnel is accountable for the appropriate use of IT assets. Therefore, it is in the best interest of the organization to ensure employees handle security procedures with integrity. It is essential to create a strong AUP (Acceptable Use Policy) procedure and as part of the process, require employees sign an agreement to guarantee they understand and conform to implemented rules and regulations. In addition, the company will conduct security awareness training, annual security exercises, notices about securing information, and constant reminders security is everyone’s responsibility. Workstation Domain The plan to secure the workstation domain enforces a strong password policy on each workstation and also enables screen lockout protection for inactive times. Keeping all workstations with an up to date antivirus is essential. Furthermore, content filtering features will arrange access of specific domain names according to AUP definitions. In addition, workstations will have...
Words: 779 - Pages: 4
...Richman Investments Acceptable Use Policy Introduction This acceptable use policy grants the right for users to gain access to the network of Richman Investments and also binds the said user to follow and abide accordingly to the agreements set forth for network access provided below. Policy guidelines * The use of peer-to-peer file sharing or externally reachable file transfer protocol (FTP) servers is strictly forbidden. * Downloading executable programs or software from any websites, even known sites, will not be tolerated * The user will not redistribute licensed or copyrighted material without first receiving authorization * Do not export internal software or technical material in violation of export control laws * Introduction of malicious programs into networks or onto systems will not be tolerated * Do not attempt to gain access to unauthorized company resources or information from external or internal sources * Port scanning or data interception on the network is forbidden * Legitimate users shall not have a denial of service or circumventing of authentication * Use of programs, scripts, or commands to interfere with other network users is strictly prohibited. * Sending unsolicited e-mail messages or junk mail to company recipients is prohibited * There will be no accessing of adult content from company resources * Remote connections from systems...
Words: 311 - Pages: 2
...IT-255 Part 1 Multi-Layer Security Outline Task at hand: Richman Investments Network Division has been handed the task of creating a general solutions outline for safety of data and information that belongs to their organization. This following outline will cover the security solutions of the seven domains that the IT infrastructure is made of.
User Domain | The User Domain being the weakest link of the seven layers. This is from lack of users not aware of security policies and procedures. | To secure this link to its fullest. The employees should be trained and updated with security policies and procedures. The system should have firewall and antivirus software installed as well.
Workstation Domain | The Workstation Domain can be made up of desktops, laptops, iPods and or personal assisting tools like Smartphone’s. | The common threat to the Workstation is the unauthorized access to the system. The solution would be to enable password protection and automatic lockout during time of inactivity.
LAN Domain | LAN being a collection of computers connected to each other. The links can use several tools direct connected with a switch and wireless with a router being the most common. | Unauthorized access can tap into and work its way into workstations, data centers (servers). To put a block and set-up counter measures a Firewall and OS Security Software installed and monitored.
LAN-TO-WAN Domain | LAN-to-WAN is where the IT infrastructure links to a wide...
Words: 779 - Pages: 4
...strategic assets of the Richman Investments and must be treated and managed as valuable resources. Richman Investments provides various computer resources to its employees for the purpose of assisting them in the performance of their job-related duties. State law permits incidental access to state resources for personal use. This policy clearly documents expectations for appropriate use of Richman Investments assets. This Acceptable Use Policy in conjunction with the corresponding standards is established to achieve the following: 1. To establish appropriate and acceptable practices regarding the use of information resources. 2. To ensure compliance with applicable State law and other rules and regulations regarding the management of information resources. 3. To educate individuals who may use information resources with respect to their responsibilities associated with computer resource use. This Acceptable Use Policy contains four policy directives. Part I – Acceptable Use Management, Part II – Ownership, Part III – Acceptable Use, and Part IV – Incidental Use. Together, these directives form the foundation of the Richman Investments Acceptable Use Program. Section 2 – Roles & Responsibilities 1. Richman Investments management will establish a periodic reporting requirement to measure the compliance and effectiveness of this policy. 2. Richman Investments management is responsible for implementing the requirements of this policy, or documenting non-compliance...
Words: 1330 - Pages: 6