Network security policy
Thursday, 06 October 2005

This part explains some concepts and terminology so that the technical elements of the policy are understandable even to a non-technical reader. The general principle of network security in the Company is the prohibition of every kind of access and every action that is not explicitly permitted by this policy. In other words, if there is no specific sanction for carrying out a particular action or using a particular network resource, that action or use is forbidden, and the person who carries it out is subject to the penalties described later in this policy.

This policy consists of two basic parts: policy for work in a separate network and policy for work in a gateway (internetwork) environment. A gateway environment is the term used for a situation in which more than one network is connected together so that two or more networks can exchange data. The Internet is one example of a gateway environment, and this policy uses that name when referring to it. This policy applies equally to all internetworks, but some of its components are described specifically for the Internet. Work in a network and in a gateway environment is further divided into two problems: perimeter security and internal security. A network that is not attached to an internetwork has no security perimeter to protect; once it is connected to an internetwork, the elements of the perimeter security policy must be implemented. The internal security policy applies equally to networks and internetworks; the perimeter security policy applies only to internetworks.

The network part of the policy describes the approach to security for a single network, usually a LAN, regardless of whether it is attached to an internetwork. The gateway part describes the approach to security for any network connected to another network, regardless of whether that connection is made through one LAN, a group of LANs, or a wide-area network such as the Internet. Wide-area connections may be dedicated channels between remote sites or connections through the Internet.

Some definitions are needed so that readers without a deep technical background can understand the security policy. The term LAN has already been explained, but several more are required. A network node is the smallest component of a network: a machine or device that has a unique network address. It may be large, such as a file server, or small, such as a printer; in either case the only requirement is a unique address on the network. A network protocol is the set of agreements by which network nodes communicate with each other and with internetworks. Examples of protocols are TCP/IP (popular on internetworks and LANs), IPX/SPX (used in Novell NetWare), AppleTalk (most popular on LANs consisting mainly of Macintosh computers and printers) and SNA (popular on mainframe networks). There are many other protocols, but the purpose here is to acquaint the reader with the term, not with the protocols themselves. Network protocols can be compared to human languages: nodes that use the same protocol understand each other, and some nodes are polyglots, able to speak more than one language.

To summarize, the new terms introduced for non-technical readers are: an internetwork, meaning two or more networks connected to each other; the Internet, meaning the worldwide network; a node, meaning a device with a unique address on a network; and a protocol, meaning the electronic language in which nodes communicate with each other. Other terms are introduced later in the document, but they apply only to the sections in which they are introduced. The concept of an internetwork perimeter is not a new term; the ordinary, non-technical meaning of perimeter applies in the context in which the document uses it.

2. Implementation of the policy

This part describes the boundaries of responsibility and the reporting involved in implementing the policy described in the following sections. It defines the persons in the organization to whom the policy applies and those responsible for its implementation.

2.1 Scope

This policy applies to all divisions and offices of the Company and, in addition, to all sponsors and business partners of the Company. Divisions are encouraged to refine these general recommendations to the extent that they apply to them, but additions to the policy must not conflict with the recommendations described in this document. In a dispute over the correct interpretation or implementation of a local policy relative to this policy, the final word rests with the Company's security committee. Responsibility for enforcing this policy is assigned to the Company's chief of security, who may in turn delegate part of that responsibility to other persons in senior management. Clarifications and interpretations of this policy can be obtained from the security committee when there is a clear conflict between local requirements or between different interpretations of provisions of the basic policy.

2.2 Implementation

Every officer and employee of the Company who administers or uses the Company's network resources is responsible for strict observance of this policy. Each person must report suspected or actual weaknesses in security to their immediate superior. The Company has a computer security incident response group (SICS), which can and must be notified of any major incident in which the Company's information assets were compromised, misused or damaged. Divisions are encouraged to organize their own SICS so that weaknesses in protection are found and fixed more quickly. Although the employees who make up the SICS have their own regular duties, security issues take priority over those duties and must be resolved first. Division chiefs must designate the employees of their departments who will be part of the SICS and release them from their regular duties until the investigation is finished.

3. Description of the policy

This part describes the security policy as it applies to every network and gateway component in the Company. The part concerning networks applies equally to internetworks, including the criteria that must be satisfied for a network to be treated as an internetwork from the security point of view.

3.1 Networks

Recall that internetworks consist of networks, so the security policy described here applies equally to all network components of the Company. A network that is not part of an internetwork has no perimeter to defend (since it is not connected to anything), but compliance with the internal network policy requirements of this part is required of all networks. Moreover, such a network contains no point of risk (defined in the following chapter) and is therefore the most protected entity.

3.1.1 Interests of the organization

The Company's network resources exist solely to support the organization's activity. In some cases it is hard to draw a line between the interests of the organization (business interests) and other interests. Internet conferencing systems and e-mail are examples where the organization's interests and employees' personal interests in using these resources are mixed. The Company understands that attempting to impose restrictions such as “only in the Company's interests” in these cases is pointless. It is therefore necessary to give recommendations rather than strict requirements for information resources that serve purposes beyond the problems facing the Company. Department chiefs have the right to decide whether employees may use network resources for purposes other than purely business ones, provided that doing so raises the employee's overall productivity. On the other hand, department chiefs must prevent improper use of network resources, whether for personal purposes or for employees' recreation and entertainment, but may permit such use where it is ethically acceptable or raises productivity. Network administrators have the right, and the duty, to report incidents involving suspected or proven misuse of network resources to the chief of the department whose employees were involved, and to report violations of this policy to that department chief.

3.1.2 The principle “know only what you need to know for your work”

Access to the Company's information assets is not granted unless there is a need to know that information. This means that highly critical information must be protected and split into parts so that it remains unknown to the bulk of employees. Personal data, for example, is needed by group heads, but they do not need the full information on people, that is, on employees whose work is outside their area of responsibility. In certain cases it may be necessary to turn a network into an internetwork so that a security perimeter is created around critical information assets by technical and organizational measures.

Determining whether an employee needs to know a given piece of information is done by junior managers, and responsibility for implementing those decisions rests with the network administrators within the scope of their responsibility. Disputes and conflicts are resolved by the security committee, but access to the information that is the subject of the dispute is denied until the dispute is resolved. In other words, everyone should know only what they need to.

3.1.3 Data exchange

One of the main measures of the value of network resources is fast and accurate data exchange, together with the destruction of redundant and outdated data. Here the Company supports and encourages sharing and exchange of information between its divisions wherever that exchange does not contradict the principle “know only what you need to know for your work”. There must be no import or export of information assets between network nodes without explicit permission for it under the above principle. The reason for making this a separate item is to emphasize that uncontrolled data exchange is the cause of sources of information damage and of their spread (viruses, etc.). As a consequence, for example, it is forbidden to bring in data received from outside the Company's network infrastructure without careful checking for the absence of such sources of damage. From the above it should be clear that everything not explicitly authorized is forbidden, since the area of data exchange creates a risk to data integrity.

3.1.4 Authorization

Access to any information asset of the Company must not take place without corresponding authorization, except in the cases described in this section. Heads of divisions may decide to give public access to some Company information for advertising and promoting it in the market. Networks may offer public-access services similar to those available on a BBS. Such services require no authorization or only weak authorization. If such a service is made accessible over the network to users who are neither permanent employees of the Company nor contractors or others falling under the Company's jurisdiction, they must obtain access to it not from the network but from the Internet, with the corresponding perimeter security measures applied. In other words, if information is opened to those outside the Company, it cannot be done through the network; it must be done through the Internet with the corresponding protective measures, for example requiring authorization to access private information assets.

Authorization must be carried out in a manner commensurate with the criticality of the information being used. In most cases a traditional user name and password are enough. In other cases stronger authorization is required in addition to the traditional one. Those cases concern internetworks and are not considered in the part dealing with networks.

3.2 Gateway exchange

Interconnected networks create their own set of security problems in addition to those that apply to all network resources. The definition of the internetwork perimeter is critical to creating effective gateway security. Each component is described in this part together with the specific provisions of the policy that concern it.

3.2.1 Definition of the perimeter

It is impossible to protect the Company's information assets adequately without knowing every point of risk and developing corresponding protective measures. For the purposes of this policy the perimeter is defined as the set of all points of connection with the nearest neighbours on the internetwork. The Internet gives rise to some unique situations that must be considered separately. A point of risk has been defined as a point of connection, which implies that the risk exists only at the place of the connection. This is its most unpleasant consequence. Points of risk arise at every point of connection with a network or node that is not part of the LAN.

3.2.1.1 Point of risk

This term was chosen instead of “point of attack”, since the latter presumes criminal activity on the other side of the connection. Compromise or corruption of information is often not the result of criminal activity, although the outcome may be the same. A modem attached to a network node represents a point of risk if it answers telephone calls and allows a remote user to connect. In fact, if such a modem is attached to a network, the network changes status and becomes an internetwork. At every point of access to the internetwork, access control must be implemented regardless of whether the connection is to the Internet or through a modem.

Another point of risk is tunnelling. Tunnelling is a technique by which information in one protocol is placed inside another protocol for transport and is unpacked into the usual protocol at the destination. The NetBEUI protocol of Windows NT is frequently carried in TCP/IP to make use of its more advanced routing. If the entry or exit point of the tunnel is on the internetwork, the point located in the Company's network is a point of risk and requires access control.

3.2.1.2 Access control

At every point of risk on the internetwork, some form of access control must be used. When a point of risk connects two entities with equivalent access privileges, it may be declared a trusted connection, provided that all points of risk on both internetworks are between entities with equivalent access privileges. If there is a point of risk to an entity with lower access privileges, all attached internetworks are assigned a privilege level equal to the lowest level among their points of risk.

The access privileges of a point of risk can be raised by appropriate filtering or authorization. Filtering consists of prohibiting interaction with nodes that have a lower privilege level than the internetwork on the other side of the point of risk. Authorization must be used when an entity or user may be located on a node with lower privileges than the node holding the information to which access is needed under the principle “know only what you need to know for your work”.

There must be no instance of obtaining access through a point of risk between internetworks with different privilege levels without the use of strong authorization. A traditional user name and password are not considered strong authorization under this policy. This form of authorization is sufficient only when both internetworks have identical privilege levels, but it may be applied in addition to strong authorization, before or after a strongly authorized session, for greater access control.
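As an added illustration that is not part of the original policy, the rules of 3.2.1 and 3.2.1.2 expressed as a small Python model: the perimeter of a network as its set of connection points, a network becoming an internetwork as soon as it has a point of risk, the lowest-privilege rule for everything attached through points of risk, and the requirement for strong authorization across privilege levels. The privilege levels, the network names and the `RiskPoint` type are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass

LEVELS = {"public": 0, "partner": 1, "internal": 2}   # constructed; the policy names no levels

@dataclass(frozen=True)
class RiskPoint:
    """A point of connection between two entities: a link, a dial-in modem or a tunnel end."""
    a: str
    b: str
    kind: str  # "link" | "modem" | "tunnel"

    def other(self, entity):
        return self.b if self.a == entity else self.a

def perimeter(network, risk_points):
    """3.2.1: the perimeter is the set of all connection points with nearest neighbours."""
    return [rp for rp in risk_points if network in (rp.a, rp.b)]

def is_internetwork(network, risk_points):
    """3.2.1.1: a network with any point of risk, even one answering modem, is an internetwork."""
    return bool(perimeter(network, risk_points))

def attached_level(network, levels, risk_points):
    """3.2.1.2: everything reachable through points of risk is assigned the lowest level found."""
    seen, queue, lowest = {network}, deque([network]), levels[network]
    while queue:
        cur = queue.popleft()
        lowest = min(lowest, levels[cur])
        for nxt in (rp.other(cur) for rp in perimeter(cur, risk_points)):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return lowest

def check_access(rp, src, levels, auth):
    """Decide a request from `src` crossing point of risk `rp`; auth is 'none', 'password' or 'strong'.
    Equal levels form a trusted connection where a name and password suffice; different levels
    require strong authorization, and a password alone is never strong (3.2.1.2)."""
    if auth == "none":
        return False                                  # 3.1.4: no access without authorization
    if levels[src] == levels[rp.other(src)]:
        return True                                   # trusted connection, traditional auth enough
    return auth == "strong"

# Constructed topology: HQ LAN linked to a branch LAN and a partner network; the branch LAN has a modem.
levels = {"hq-lan": LEVELS["internal"], "branch-lan": LEVELS["internal"],
          "partner-net": LEVELS["partner"], "dialup-host": LEVELS["public"]}
risk_points = [RiskPoint("hq-lan", "branch-lan", "link"), RiskPoint("hq-lan", "partner-net", "link"),
               RiskPoint("branch-lan", "dialup-host", "modem")]
```

The dial-in modem on the branch LAN drags the whole attached internetwork down to the public level, which is exactly why the policy treats each such connection as a point of risk requiring its own access control.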

© 2004-2007 Daita.org