2.7 Network Access Policy
Overview
Network access is essential to the company’s workflow. However, access sometimes originates from a network that may be compromised. Part of World-Wide Trading Company (WWTC) policy is to mitigate external threats and protect the integrity of the company’s data.
Purpose
The purpose of this policy is to define regulations for accessing and using the WWTC network, handling intellectual property, and using secure passwords. The policy also defines sanctions in the event of a violation.
Scope
This policy applies to all WWTC employees, vendors, contractors and agents who have access to the company’s network. It covers all technical implementations of access.
Policy
The policy terms are defined below. Any exceptions must be approved in advance.
I. General
Users are obliged to connect to the company’s network using authorized credentials.
A user must have a prior understanding of a device before connecting it to the network.
A valid and proper IP address must be used for connecting to the company network.
II. Responsibilities related to Network Resources Usage
The employee/user bears responsibility in the event of misuse of the network.
Employees and contractors must ensure that, while connected to the company’s network, their machine is not simultaneously connected to any other network.
III. Copyright and Intellectual Property
The employee/user bears responsibility in the event of misuse of the network.
A user must not distribute any copyrighted, confidential or sensitive data.
IV. Password Policy
A strong password must be created for user access to network resources, with at least eight characters including at least one alphanumeric and one special character.
All system level and intranet passwords must be changed on a quarterly basis.
All user-level passwords must be changed on a half-yearly basis.
Passwords must not be shared with friends, family, or colleagues, either in person or through email or chat messages.
V. Policy Violation Sanctions
Any employee found violating any or all of the policies will be subject to disciplinary action up to termination of employment.
2.8 Backup Policy
Overview
Backup of data is an essential part of data security and data maintenance. As an online broker firm, World-Wide Trading Company (WWTC) generates frequent and large amounts of data. The data generated is also subject to scrutiny and clarification at a later stage. The backup policy of WWTC safeguards data in the event of any untoward incident.
Purpose
The purpose of the data backup policy is to secure data assets critical to the functioning of WWTC workflows. The policy prevents data loss in the event of accidental deletion, corruption of data resulting from system failure, malicious attack or natural disaster. The backup policy is also intended to enable timely restoration of the archived data in the event of a disaster.
Scope
The scope of the policy covers all locations, including database systems, hardware data, and company-specific data defined in the automatic backup locations. Any location outside the automatic backup profiles must be added after approval. Backups are not meant for versioning of data, and the scope does not include personal data of employees. Any lost data that was not backed up is outside the scope of this document.
Policy
The policy terms are defined below. Any exceptions must be approved in advance.
I. General
Full backups of WWTC data are scheduled every Monday at 12 AM.
Backup of WWTC’s online trading data is performed at 10 PM daily.
It will be the IT department's responsibility to ensure the validity of the backup data.
II. Backup Data Security
All backed-up data must be encrypted before storage. Data backups are retained for one year.
Two copies of the same data backup must exist, at two separate locations.
Authorized IT staff may access the backups after proper authentication.
III. Audit and Policy Violation Sanctions
The IT department of WWTC must perform an audit of backup data sanity every six months.
System activities for backup and access of data must be monitored and logged.
WWTC network team must investigate any suspicious activity or system security incidents.
Any employee or staff member found manipulating, mutating or damaging backups will be subject to disciplinary action up to termination of employment.
Audit reports must be published to the CTO, CFO and CEO of WWTC and to IT managers.
2.10 Security Awareness Training Policy
Overview
The security awareness policy of World-Wide Trading Company (WWTC) relates to the security awareness and training programs to be conducted by the company.
Purpose
The purpose of the policy is to define all security-related training for user awareness and the protection of company assets, and to increase the knowledge base.
Scope
The scope of the training policy is limited to the employees and agents of the World-Wide Trading Company.
Policy
The policy terms are defined below. Any exceptions must be approved in advance.
I. General
Educate users on robust password creation.
Educate and train users on the maintenance of workstations.
Inform and educate users on the Internet and email access policies.
Inform and educate users about emergency procedures, reporting security issues and threats.
Educate and inform users about phishing attacks, preventive measures, and common information.
Educate and inform users about technical skills, upcoming technologies, and related skills that are beneficial for both the company and the employees.
Training must be provided at all levels, including process-oriented, technical and informational.
There must be a mix of classroom-based and online self-paced training.
II. Targeted Audience Training
There must be profile-based training programs based on a user's exposure and nature of work.
Some users might require a basic level of training, while others might require an advanced level.
III. Enforcement of Trainings
Some training programs must be made mandatory for all users and employees.
All training completed by employees must be tracked.
Annual performance and appraisal must be linked to the training completed by employees.