National Training Systems IT Security Policy

National Training Systems

Information Security Policy

Table of Contents

1. POLICY STATEMENT

2. VIRUS PROTECTION

3. PHYSICAL SECURITY OF COMPUTER EQUIPMENT

4. ACCESS CONTROL

5. VOICE SYSTEM SECURITY


I.T. Security Policy

 

1. POLICY STATEMENT

 

"It shall be the responsibility of all National Training Systems management and employees to provide adequate protection and maintain confidentiality of all corporate and customer data, whether the data is held centrally, on local storage media, or remotely. We will strive to ensure the continued availability of data and programs to all authorized members of staff and customers, and to ensure the integrity of all data and configuration controls."

 

Summary of Main Security Policies.

 

  1. Confidentiality of all data is to be maintained through discretionary and mandatory access controls, primarily based on login and password controls, but also including physical access limitations.
  2. Data held locally on NTS computers and servers will be protected primarily by login authorization.  Network file access will also be limited to users that need access to those files, using Windows security.
  3. Data held in off-site data center facilities will be protected by restricted physical access, as provided by the data center operations staff. Off-site data will also be protected by login authorization. 
  4. Remote Desktop connections will be used to manage off-site data from the NTS offices.
  5. Confidential customer data will not be maintained or stored on any laptop computers.
  6. A hardware firewall will be deployed and maintained to limit access to the data stored in an external data center facility. 
  7. On external servers, only those Ports needed for web access and Remote Desktop will be set to “Open.” All other network ports will be closed.
  8. Virus-protection software will be employed on all workstations and servers, both within the NTS network and on external data center servers.
  9. Windows passwords for servers, whether internal or external, will be available to IT staff only and not to sales and other personnel.
  10. User passwords for internal servers will be available to sales and other staff, as needed, for the data environment in which they work. 
  11. FlexTraining Management Center roles will be used to limit access to software features for customers, prospects, and other users who are not internal staff.
  12. Server data will be backed up regularly and maintained in a location separate from the source location.

 

2. VIRUS PROTECTION

 

  1. The I.T. staff will keep virus software in place and current on all workstations and servers.
  2. Virus software will be set to “live” mode to scan in real time for new viruses. Any discovered viruses will be quarantined or removed immediately.
  3. Virus software licenses will be renewed upon expiration.
  4. CD copies of all workstation software, such as video editors, graphics software, and HTML editors, will be retained in the NTS offices in case of the loss of a disk drive or other incident necessitating a re-installation.
  5. All demonstrations by vendors will be run on their machines and not on NTS machines.  NTS computers will be used only to view such a demonstration.
  6. Shareware end-user software is not to be used, as it is a common infection source. Exceptions must be approved by NTS management.
  7. New commercial software purchases and installations must be approved by NTS management.
  8. Users will be notified of virus incidents.
  9. In the event of a possible virus infection, the user must inform I.T. staff immediately. The I.T. department will then scan the infected machine and any removable media or other workstations to which the virus may have spread and eradicate it.

 

3. PHYSICAL SECURITY OF COMPUTER EQUIPMENT

 

For computers on NTS internal network:

 

The NTS offices will house any internal servers, with protections including:

 

 

For computers in an external data center facility:

 

Physical security at an external third-party data center facility will be defined, implemented, and managed by the data center company.  Our external data center facility partner is a SAS 70 Type II security site, which means it has been thoroughly vetted for possible security issues. Safeguards provided will consist of:

 

 

Physical and electronic security at the external data center facility will be stronger in all facets than security for our own internal NTS network infrastructure.

 

Although provided by an outside party, external data center security safeguards will be approved by NTS management before any customer data is deployed to the external site.

4. ACCESS CONTROL

 

  1. Users will only be given sufficient rights to all systems to enable them to perform their job function. User rights will be kept to a minimum at all times.
  2. File system access and Remote Desktop access to external data center servers will be granted to IT staff only.
  3. Access to the network/servers and systems will be by individual username and password.
  4. Log files will be periodically examined to identify intruder attempts.
  5. Windows network logins will be unique to each user.
  6. Dial-in modems will not be used to access any internal or external computer.
  7. Network logins will not be given to anyone outside the US.
  8. All workstations and servers, both internal and external, shall run Windows operating systems only.
  9. The FlexTraining software will log out inactive users after a configurable-length period of time.

 

 

5. VOICE SYSTEM SECURITY

 

  1. A password will be required for all outgoing long-distance calls.
  2. Each user will have a unique password for checking messages, and another unique password for making long-distance calls.
  3. The feature that allows calls to be placed through the phone system from an outside location will remain disabled.
  4. Telephone bills will be checked carefully to identify any misuse of the telephone system.

 

 



