Privacy Policy

Last Updated: January 4, 2023

Table of Contents
1 INTRODUCTION
1.1 PURPOSE OF DOCUMENT
1.2 POLICY OVERVIEW
2 WHY SECURITY?
2.3 PHILOSOPHY OF PROTECTION
2.3.1 SECURITY IS EVERYONE’S RESPONSIBILITY
2.3.2 SECURITY IS INTEGRAL TO THE ORGANIZATION.
2.3.3 SECURITY IS A BUSINESS ENABLER.
2.4 CRITICAL SUCCESS FACTORS
2.5 IT SECURITY STRUCTURE
3 SECURITY POLICY
3.1 INFORMATION POLICY DOCUMENT
3.2 REVIEW OF SECURITY POLICY
4 SECURITY ORGANIZATION
4.1 INFORMATION SECURITY INFRASTRUCTURE
4.1.1 ALLOCATION OF INFORMATION SECURITY RESPONSIBILITIES
4.1.2 AUTHORIZATION PROCESS FOR INFORMATION PROCESSING FACILITIES
4.1.3 SPECIALIST INFORMATION SECURITY ADVICE
4.1.4 SENDING INFORMATION OUTSIDE THE COMPANY
4.2 SECURITY OF THIRD-PARTY ACCESS
4.2.1 IDENTIFICATION OF RISKS FROM THIRD PARTY ACCESS
4.2.2 SECURITY REQUIREMENTS IN THIRD PARTY CONTRACTS
4.2.3 ACCESS CONTROL AGREEMENTS, COVERING:
4.3 OUTSOURCING
4.3.1 SECURITY REQUIREMENTS IN OUTSOURCING CONTRACTS
5 ASSET CLASSIFICATION AND CONTROL
5.1 ACCOUNTABILITY FOR ASSETS
5.2 INFORMATION CLASSIFICATION
5.2.1 CLASSIFICATION GUIDELINES
5.2.2 CLASSIFYING INFORMATION
5.2.3 HANDLING AND PROTECTION RULES
5.2.4 INFORMATION LABELING AND HANDLING
5.3 INFORMATION RETENTION
6 PHYSICAL AND ENVIRONMENTAL SECURITY
6.1 SECURE AREAS
6.1.1 PHYSICAL SECURITY CONTROLS
6.1.2 SITE RISK ASSESSMENT
6.1.3 RESTRICTED ACCESS TO SITES
6.1.4 VISITOR PROCEDURES
6.1.5 THIRD PARTY PHYSICAL SECURITY AT RIGHTREV FACILITIES
6.1.6 CONTROL OF PHYSICAL SECURITY CONTROLS
6.1.7 SECURING OFFICES, ROOMS, AND FACILITIES
6.1.8 SITE RISK ASSESSMENT
6.1.9 SECURING SITES WHEN UNOCCUPIED
6.2 MONITORING OF FACILITIES FOR PHYSICAL SECURITY
6.2.1 OTHER SITE SECURITY ISSUES
7 COMMUNICATIONS AND OPERATIONS MANAGEMENT
7.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES
7.1.1 DOCUMENTED OPERATING PROCEDURES
7.1.2 OPERATIONAL CHANGE CONTROL
7.2 SYSTEM PLANNING AND ACCEPTANCE
7.2.1 CAPACITY PLANNING
7.2.1 PROVISIONING OF HARDWARE AND SOFTWARE
7.2.2 MANAGEMENT OF NETWORK STORAGE
7.2.3 SYSTEM ACCEPTANCE
7.3 PROTECTION AGAINST MALICIOUS SOFTWARE
7.4 HOUSEKEEPING
7.4.1 INFORMATION BACKUP
7.4.1 PC DATA BACKUP
7.5 NETWORK MANAGEMENT
7.5.1 NETWORK CONTROLS
7.6 EXCHANGE OF INFORMATION AND SOFTWARE
7.6.1 INFORMATION AND SOFTWARE EXCHANGE AGREEMENTS
7.6.2 SECURITY OF PHYSICAL MEDIA IN TRANSIT
7.6.3 SECURITY OF ELECTRONIC MEDIA IN TRANSIT
7.6.4 OTHER FORMS OF INFORMATION EXCHANGE
7.6.5 PROTECTION OF SPAM
7.7 VULNERABILITY MANAGEMENT
8 ACCESS CONTROL
8.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL
8.1.1 ACCESS CONTROLS AND NEED TO KNOW
8.2 USER ACCESS MANAGEMENT
8.2.1 USER REGISTRATION
8.2.2 PRIVILEGE MANAGEMENT
8.2.3 USER PASSWORD MANAGEMENT
8.2.4 REVIEW OF USER ACCESS RIGHTS
8.3 USER RESPONSIBILITIES
8.3.1 PASSWORD USE
8.3.1.1 USER PASSWORD RULES
8.3.1.2 SYSTEM PASSWORD RULES
8.3.1.3 PASSWORD COMPOSITION
8.3.2 UNATTENDED USER EQUIPMENT
8.4 NETWORK ACCESS CONTROL
8.4.1 POLICY ON USE OF NETWORK SERVICES
8.4.2 USER AUTHENTICATION FOR EXTERNAL CONNECTIONS
8.4.3 REMOTE DIAGNOSTIC PORT PROTECTION
8.4.4 SEGREGATION IN NETWORKS
8.4.4.1 EXTERNAL SEGREGATION
8.4.4.2 INTERNAL SEGREGATION
8.4.4.3 SEGREGATION OF DEVELOPMENT AND PRODUCTION ENVIRONMENTS
8.4.5 NETWORK CONNECTION CONTROL
8.4.6 WIRELESS NETWORK POLICY FOR RIGHTREV FACILITIES
8.5 OPERATING SYSTEM ACCESS CONTROL
8.5.1 USER IDENTIFICATION AND AUTHENTICATION
8.5.2 PASSWORD PROGRAM
8.5.2.1 SYSTEM PASSWORD RULES
8.5.3 USER ACCOUNT REVIEW/AUDIT
8.5.4 USE OF SYSTEM UTILITIES
8.6 APPLICATION ACCESS CONTROL
8.6.1 INFORMATION ACCESS RESTRICTION
8.7 MONITORING SYSTEM ACCESS AND USE
8.7.1 EVENT LOGGING
8.7.2 MONITORING SYSTEM USE
8.7.2.1 MONITORED ITEMS
8.7.2.2 REVIEW OF MONITORED INFORMATION
8.7.2.3 PROTECTION OF MONITORED INFORMATION
8.7.3 CLOCK SYNCHRONIZATION
8.7.4 E-MAIL, VOICE-MAIL AND INTERNET ACCESS MONITORING
8.8 MOBILE COMPUTING AND TELEWORKING
8.8.1 MOBILE COMPUTING
8.8.1.1 PHYSICAL PROTECTION OF MOBILE DEVICES
8.8.1.2 ACCESS CONTROL REQUIREMENTS
8.8.1.3 USE OF ENCRYPTION
8.8.1.4 INFORMATION BACKUP
8.8.1.5 PROTECTION FROM VIRUSES/MALICIOUS SOFTWARE
8.8.1.6 CONNECTING TO THE RIGHTREV NETWORK AT RIGHTREV FACILITIES
8.8.1.7 CONNECTING TO THE INTERNAL RIGHTREV NETWORK FROM PUBLIC PLACES
8.8.1.8 WIRELESS CONNECTIONS (ANY)
8.8.2 TELECOMMUTING AND REMOTE ACCESS
8.8.2.1 AUTHORIZATION FOR USE OF PERSONAL REMOTE SYSTEMS
8.8.2.2 APPLICABILITY OF RIGHTREV POLICY DURING TELECOMMUTING
8.8.2.3 REMOTE ACCESS METHODS AND AUTHENTICATION OF CONNECTIONS
8.8.2.4 REMOTE MANAGEMENT OF SYSTEMS
8.9 ACCEPTABLE USE OF RIGHTREV COMPUTER SYSTEMS
8.9.1 GENERAL USE AND OWNERSHIP
8.9.2 SECURITY AND PROPRIETARY INFORMATION
8.9.3 UNACCEPTABLE USE
8.9.4 ENFORCEMENT
9 SYSTEMS DEVELOPMENT AND MAINTENANCE
9.1 SECURITY REQUIREMENTS OF SYSTEMS
9.1.1 SECURITY REQUIREMENTS ANALYSIS AND SPECIFICATION
9.2 SECURITY IN APPLICATION SYSTEMS
10 COMPLIANCES
10.1 COMPLIANCE WITH LEGAL REQUIREMENTS
10.1.1 IDENTIFICATION OF APPLICABLE LEGISLATION
10.1.2 INTELLECTUAL PROPERTY RIGHTS
10.1.2.1 INTELLECTUAL PROPERTY STANDARDS AND TRAINING
10.1.2.2 USING SOFTWARE FROM OUTSIDE SOURCES
10.1.2.3 COPYRIGHTED MATERIAL AND PEER-TO-PEER FILE SHARING AT RIGHTREV
10.1.3 DATA PROTECTION AND PRIVACY OF PERSONAL INFORMATION
10.1.4 PREVENTION OF MISUSE OF INFORMATION PROCESSING FACILITIES
10.2 REVIEWS OF SECURITY POLICY AND TECHNICAL COMPLIANCE
10.2.1 COMPLIANCE WITH SECURITY POLICY
10.3 SYSTEM AUDIT CONSIDERATIONS
10.3.1 SYSTEM AUDIT CONTROLS
10.3.2 PROTECTION OF SYSTEM AUDIT TOOLS
11 Training


1 INTRODUCTION

1.1 PURPOSE OF DOCUMENT
This document describes our policies and procedures for RightRev security, as well as our process-level plans for recovering critical technology platforms and RightRev infrastructure. It describes the security policy that RightRev follows and how it is carried out.
RightRev and its employees have an inherent responsibility to protect the physical and intangible
(intellectual property and other confidential information) assets of the company, as well its customer’s
confidential data. These critical assets must be safeguarded to mitigate any potential impacts to
RightRev and its customers. Information security at RightRev is, therefore, a critical business function
that should be incorporated into all aspects of business practices and operations.
To achieve this objective, policies, procedures, and standards have been created to ensure secure
business practices are in place. Information security is a foundational business practice that must be
incorporated into planning, development, operations, administration, sales, and marketing, as each of
these business functions requires specific safeguards to be in place to mitigate the risk associated with
normal business activities.


1.2 POLICY OVERVIEW
Everyone at RightRev is responsible for familiarizing themselves, and complying, with all RightRev’s
policies, procedures and standards dealing with information security.
Managers ensure that their direct reports are aware of the RightRev policy, educate them on the
policies, and make sure this document is revisited every six months within their service lines.
All regular and contract employees must go through this program once every six months so that they
are aware of any changes to the policy.

2 WHY SECURITY?
RightRev requires information security to protect information assets from security threats. It is critical to
protect the system environment to maintain a competitive advantage in the marketplace, to ensure
profitability, and to secure and maintain the trust and confidence of our customers and partners.
Security threats originate from a wide variety of sources, including computer-assisted fraud, industrial
espionage, sabotage, vandalism, and natural disasters. Computer viruses, hacking and denial of service
attacks are examples of threats encountered while operating over the Internet. These types of threats
are becoming increasingly more common, more ambitious and more sophisticated.

2.3 PHILOSOPHY OF PROTECTION
RightRev’s philosophy of protection provides the intent and direction behind our protection policies,
procedures, and controls. Our protection philosophy comprises three tenets:

2.3.1 SECURITY IS EVERYONE’S RESPONSIBILITY
Maintaining an effective and efficient security posture for RightRev requires a proactive stance on
security issues from everyone. Security is not “somebody else’s problem”. As a member of the RightRev
team, you have the responsibility to adhere to the security policies and procedures of the company and
to take issue with those who are not doing the same.

2.3.2 SECURITY IS INTEGRAL TO THE ORGANIZATION.
Security is not just focused on physical and technical “border control.” Rather, RightRev seeks to ensure
reasonable and appropriate levels of security awareness and protection throughout our organization and
infrastructure. There is no place in our business where security is not a consideration.

2.3.3 SECURITY IS A BUSINESS ENABLER.
A strong security foundation, proactively enabled and maintained, becomes an effective market
differentiator for RightRev. Security has a direct impact on our viability within the marketplace and must
be treated as a valued commodity.
The tenets of our philosophy of protection are mutually supportive. Ignoring any one tenet in favor of
another undermines the overall security posture of our organization.

2.4 CRITICAL SUCCESS FACTORS
The following factors are critical to the successful implementation of security within RightRev:
• Comprehensive security policies, objectives, and initiatives clearly reflect RightRev’s business
objectives.
• A security approach that is consistent with RightRev’s culture.
• Highly visible support from RightRev’s executive management team.
• Firm understanding of security requirements and risk management practices.
• Effective communication and guidance on security to all RightRev managers, developers, associates,
partners, clients, and vendors.
• Training and information on security awareness.
• Continual review and measurement of the effectiveness and efficiency of security controls and
mechanisms.
• Timely adjustments to security measures by addressing deficiencies and by adapting to changes in
RightRev’s business objectives, as necessary.
• Regular review of the information security policy to make updates and other changes as needed to
reflect changes to business objectives or the risk environment.

2.5 IT SECURITY STRUCTURE
RightRev’s information security is structured in such a way as to support its business objectives while
providing the flexibility needed to adapt to changing needs and requirements.
Information security follows this tiered structure:
• Information security mission statement.
• Information security policy.
• Information security standards and processes.
• Information security specific configurations and procedures.
• Regular audits (both internal and external) and reviews of the efficacy of then-current practices and
procedures.
By using this approach, all actions taken have a basis in policy and directly support the policies by which
they are governed. To illustrate, descriptions of the various levels are given below.
• Information Security Mission Statement – This is the overall management direction in regard to
information security at RightRev. It is broad in scope and sets the expectations for protecting
RightRev’s information resources.
• Information Security Policy – This is the collection of practices and procedures that implement the
overall guidance of the mission statement.
• Security Management – This incorporates standards-based methods/approaches (e.g., ISO 27001)
and is in compliance with legal/regulatory requirements where applicable. Policies apply equally to
everyone within RightRev, regardless of location.
• Information Security Standards and Processes – This is a collection of standards and processes (e.g.,
industry, legal and RightRev-specific) that are to be used when implementing the specific part of the
overall policy which they reference. For example, standards may dictate a type of technology,
approach, or methodology to use, but not name a particular product (depending on the policy and
standard subject). Processes, on the other hand, describe the steps to take in order to fulfil the
goals of a particular aspect of the policy. Standards and processes may be regionalized to fit the
conditions at different locations and will clearly note where they apply.
• Information Security Specific Configurations and Procedures – These are very specific details that
support the implementation of the standards and processes referenced above. These may include
specific products and configuration details, or step-by-step procedures to implement processes.

3 SECURITY POLICY
3.1 INFORMATION POLICY DOCUMENT
This document outlines RightRev’s approach to information security, as well as providing the affirmation
of management’s commitment to information security.
The purpose of this policy is to communicate the direction of the organization’s information security
program by providing relevant, accessible, and understandable definitions, statements, and
explanations.
The information security policy document will:
• Define information security as well as its scope and importance in the organization.
• Include a statement of management’s intent for information security.
• Include a statement of management’s goals and principles of information security.
• Explain the organization’s security policies, standards, and compliance requirements, including:
o Compliance with legislative and contractual requirements.
o Security education and awareness commitment.
o Consequences for security violations.
o Prevention and protection against viruses and other malicious software attacks.
o Commitment to well thought-out and effective business continuity management.
• Outline specific responsibilities for information security management.
• Outline policies and procedures for reporting security incidents.
The information security policy document will serve as a reference document that leads to additional,
more detailed information when necessary (for instance, employee manuals).

3.2 REVIEW OF SECURITY POLICY
RightRev CIO & Security Reporting Team (SRT) will be the owner of the document and will be
responsible for maintaining, reviewing, and updating the policy as needed. The policy will be reviewed
on a regular basis and updated in response to any changes that would affect the assumptions from the
baseline risk assessment, such as significant security incidents, new vulnerabilities, new regulations, or changes to the organization’s infrastructure.

4 SECURITY ORGANIZATION

4.1 INFORMATION SECURITY INFRASTRUCTURE

4.1.1 ALLOCATION OF INFORMATION SECURITY RESPONSIBILITIES
The company needs to protect all of the information assets within its control.
The SRT is responsible for the overall application of the information security policies. Each individual site
and team SRT will have a site security officer who is responsible for the overall application of the
Information Security Program and policies at that site.
Each asset will have an “owner” who may delegate responsibilities but remains ultimately responsible
for the asset(s).
The asset owner will:
• Identify and define all security processes for their asset(s).
• Document all security processes on their assets.
• Clearly define and document all authorization levels of their assets.

4.1.2 AUTHORIZATION PROCESS FOR INFORMATION PROCESSING FACILITIES
The authorization process for new information processing facilities requires that the SRT (or the
designated representative) perform a risk assessment prior to authorizing a new information processing
facility. This risk assessment should follow a standard format or checklist which includes, among other
things, purpose and use, compatibility of hardware and software and security of personal information in
the facility.
The results of the risk assessment will be used by RightRev’s SRT and the site IT security manager to
establish additional controls, and will be shared with a wider audience within RightRev.

4.1.3 SPECIALIST INFORMATION SECURITY ADVICE
RightRev obtains the services of outside security experts, as necessary, to protect the information
assets within the organization, coordinating with in-house knowledge and experience to ensure
consistency, provide guidance in decision making, and assess the overall effectiveness of RightRev’s
security policy.

4.1.4 SENDING INFORMATION OUTSIDE THE COMPANY
Before any confidential information is passed to any person or organization outside of the company,
authorization must be received from: (a) the security officer, and that authorization will specify who will
contact the outside party, who will be contacted, and what information will be shared; and (b) the Legal
Department, to ensure that an appropriate non-disclosure agreement is in place with the intended
recipient before information is provided to them.
Where possible, external users are granted time-based access, and data shared outside of RightRev is
restricted by e-mail address or by IP address.

4.2 LOGICAL ACCESS CONTROL

4.2.1 IDENTIFICATION OF RISKS FROM THIRD PARTY ACCESS
The SRT will control authorization for types of access to information processing facilities by third parties
based upon the reasons for that access.
A risk assessment will be carried out before any third-party access is granted and will consider the
reasons for access, as well as the necessary controls and written agreements to be put in place.
Access of third parties to information processing facilities will be clearly spelled out in the necessary
contracts which will include, among other things the scope of access to physical, logical, and network
assets.

4.2.2 SECURITY REQUIREMENTS IN THIRD PARTY CONTRACTS
Any disclosure of confidential information to consultants, contractors, temporary employees, or any
other third parties will be preceded by the receipt of a signed RightRev non-disclosure agreement (NDA)
and/or other appropriate contracts.
Contracts granting third party access to organizational information processing facilities must contain, or
refer to, all of the security requirements of this Policy. The contract must be approved by the Legal
Department, which should ensure that there are no misunderstandings between RightRev and the third party.
The following terms should be considered for inclusion in the contract:
• The general policy on information security.
• Asset protection, including:
o Procedures to protect organizational assets, including information and software.
o Procedures to determine whether any compromise of the assets, i.e. loss or modification of
data, has occurred.
o Controls to ensure the return or destruction of information and assets at the end of, or at an
agreed point in time during, the contract.
• Integrity and availability.
• Restrictions on copying and disclosing information.
• A description of each service to be made available.
• The target level of service and unacceptable levels of service.
• The respective liabilities of the parties to the agreement.
• Responsibilities with respect to legal matters, i.e. data protection legislation, especially taking into
account different national legal systems if the contract involves cooperation with organizations in
other countries.
• Intellectual property rights (IPR) and copyright assignment, and protection of any collaborative work.

4.2.3 ACCESS CONTROL AGREEMENTS, COVERING:
• Permitted access methods, and control and use of unique identifiers such as user IDs and passwords.
• An authorization process for user access and privileges.
• A requirement to maintain a list of individuals authorized to use the services being made available and
what their rights and privileges are with regard to such use.
• The definition of verifiable performance criteria, their monitoring and reporting.
• The right to monitor, and revoke, user activity.
• The right to audit contractual responsibilities or to have those audits carried out by a third party.
• The establishment of an escalation process for problem resolution; contingency arrangements should
also be considered where appropriate.
• Responsibilities regarding hardware and software installation and maintenance.
• A clear reporting structure and agreed reporting format.
• A clear and specified process of change management.
• Any required physical protection controls and mechanisms to ensure those controls are followed.
• User and administrator training in methods, procedures, and security.
• Controls to ensure protection against malicious software (see 8.3).
• Arrangements for reporting, notification and investigation of security incidents and security breaches.
• Involvement of the third party with subcontractors.
These security requirements must address the confidentiality of RightRev’s data and the third party’s
relationships with any RightRev competitor. This is especially important when dealing with engineering
partners who work with various companies in the same space as RightRev.

4.3 OUTSOURCING
4.3.1 SECURITY REQUIREMENTS IN OUTSOURCING CONTRACTS
The security requirements for outsourcing the management and control of all or some of RightRev’s
information systems, networks, and/or desktop environments must be addressed in a contract agreed
between the parties.
The contract must address:
• How the legal requirements are to be met, i.e. data protection legislation.
• What arrangements will be in place to ensure that all parties involved in the outsourcing,
including subcontractors, are aware of their security responsibilities.
• How the integrity and confidentiality of RightRev’s business assets are to be maintained and
tested.
• What physical and logical controls will be used to restrict and limit the access to RightRev’s
sensitive business information to authorized users.
• How the availability of services is to be maintained in the event of a disaster.
• What levels of physical security are to be provided for outsourced equipment.
• The right of audit.
• The terms given in 4.2.2 should also be considered as part of this contract. The contract should
allow the security requirements and procedures to be expanded in a security management plan
to be agreed upon between the two parties.

5 ASSET CLASSIFICATION AND CONTROL
RightRev’s data classification system has been designed to support access to information based on the
need to know so that information will be protected from unauthorized disclosure, use, modification, and
deletion. Consistent use of this data classification system will facilitate business activities and help keep
the costs for information security to a minimum. Without the consistent use of this data classification
system, RightRev unduly risks the loss of customer relationships, loss of public confidence, internal
operational disruption, excessive costs, and competitive disadvantage.
Applicable Information: This data classification policy applies to all information in RightRev’s possession,
including electronic data, printed reports, and backup media.

5.1 ACCOUNTABILITY FOR ASSETS
To maintain accountability for assets, RightRev will compile a list of all its information assets and
establish the relative value and importance of each asset.
This policy requires that all information systems be identified and documented with a program in place
to manage assets RightRev-wide. The following will be included in the program:
• All assets associated with each information system will be identified and documented with their
classification, owner, and location
• All assets will have an owner and that owner will be documented
• All assets will be classified based upon their value and importance to the organization and/or to
the organization’s customer, partners, or suppliers, as applicable
• Classification of security assets will reflect their sensitivity, protection levels and their handling
• Assets will be categorized into logical categories such as information assets, software assets,
physical assets, and service assets

5.2 INFORMATION CLASSIFICATION
5.2.1 CLASSIFICATION GUIDELINES
Information asset classification is the process of assigning value to data to organize it according to its
sensitivity to loss or disclosure. All information assets will be classified, using a RightRev-wide asset
classification system. All data, regardless of its classification, will be protected from unauthorized
alteration. This section guides the proper handling of data.
The classification system anticipates that classifications of information assets may change over time.

5.2.2 CLASSIFYING INFORMATION
All information assets must be classified and labelled in a manner that allows the asset to be readily
identified to determine the handling and protection level appropriate for that asset.
Care will be taken when interpreting the classification systems from other organizations, as their
classification systems may have different parameters. Information assets will be assigned a sensitivity
classification by the asset information owner or his/her nominee, by the following classification
definitions:

5.2.3 HANDLING AND PROTECTION RULES
• Each asset classification will have handling and protection rules. These rules must cover any
media the assets may reside in at any time (see 5.2.2).
• All computer-resident confidential information will be protected via access controls to ensure that
it is not improperly disclosed, modified, deleted, or otherwise rendered unavailable.
• Employees are prohibited from recording confidential information with CDs, memory sticks / USB
drives, digital/analogue recording devices, etc., without the consent of their manager and the
Legal Department. This includes the use of camera equipment/phones (of any kind).
• Unless it has specifically been designated as “Public” all RightRev internal information will be
assumed to be confidential and will be protected from disclosure to unauthorized third parties.
• No confidential information of RightRev or any third party will be disclosed to the public or any
unauthorized third party without the prior approval of RightRev’s Legal and Public Relations
Departments.
• Access to every office, server room, and work area containing confidential information will be
restricted, and employees will take all reasonable steps to protect confidential information
under their control from inadvertent disclosure.
• Handling and protection rules must include all parts of an asset’s life-cycle, from
creation/installation through use and finally to destruction/disposal. Sensitive information or
systems must be appropriately disposed of when no longer needed.

5.2.4 INFORMATION LABELING AND HANDLING
An appropriate set of procedures must be defined for information labelling and handling in accordance
with the classification policy adopted by RightRev. These procedures must cover information assets in physical
and electronic formats. For each classification, handling procedures should be defined to cover the
following types of information processing activity:
• Copying.
• Storage.
• Transmission by post, fax, and electronic mail.
• Destruction.
• System outputs containing confidential information will carry an appropriate classification label
(in the output).
• The labelling should reflect the classification according to the rules established in 5.2.1. Items for
consideration include printed reports, screen displays, recorded media (tapes, disks, CDs,
cassettes, flash memory drives), and electronic messages and file transfers.
• Physical labels are generally the most appropriate form of labeling. However, some information
assets, such as documents in electronic form, cannot be physically labelled and electronic
means of labelling need to be used.
• All printed, handwritten, or other paper manifestations of confidential information will carry an
evident sensitivity label in the bottom right-hand corner of each page, or a watermark that
indicates the sensitivity classification.

5.3 INFORMATION RETENTION
Information will not be retained any longer than the business requires it to be retained. This reduces the
window of time that data can potentially be available for misuse.
Controls should be implemented to delete data that exceeds the required retention time.
• Electronic customer data will be retained for up to five (5) years (or as agreed in the contract).
• Client confidential information will be retained for the duration of the contract period. All client
confidential information will be destroyed at the end of the contract period, and the client will be
informed of the destruction.

6 PHYSICAL AND ENVIRONMENTAL SECURITY

6.1 SECURE AREAS

6.1.1 PHYSICAL SECURITY CONTROLS
Physical entry controls will be used to protect and secure all areas. These controls will be designed to
prevent unauthorized access, damage or interference to the business processes that take place within
the area. Physical security controls apply to any RightRev-owned or controlled facility, including
temporary locations.

6.1.2 SITE RISK ASSESSMENT
A risk assessment will be performed for all secure areas to determine the type and strength of the
physical entry control that is appropriate and prudent. The security controls for an area should be
commensurate with the sensitivity and classification of the information resources contained therein
(see 5.2). This risk assessment must also take into account the physical surroundings of the site (see
7.1.2). Finally, physical security requirements should include items such as fire suppression, plumbing,
and electrical wiring as these may not always be mandated by local authorities.
Site risk assessments must also be conducted for any sites where RightRev will be sharing facilities with
any outside organization. This may be sharing a building (where physical access is common to all, but
network access is specific to each organization) or where RightRev is sharing a suite (where physical and
network access is common to all) with others. Specific security requirements must be determined for
these situations, based on the arrangements.
Where sites are deficient in physical security controls (such as leased sites where the owner will not
allow modification to the structure, or shared sites with business partners), additional network security
controls will be implemented as warranted in order to protect the rest of the corporate network. In
addition, the levels of sensitivity of information that can be processed or stored there may be restricted.

6.1.3 RESTRICTED ACCESS TO SITES
Access to sensitive information and information processing facilities will be restricted to authorized
persons only. Authentication controls will be used to authorize and validate entry. A log of all persons
who enter will be maintained by the site manager / security officer as appropriate for the sensitivity of
the information resources therein.
Controls to restrict access to facilities will be determined on a case-by-case basis. These controls will
ensure that unauthorized persons do not have easy physical access to the facilities, and that any such
access is detected and the appropriate personnel notified if a breach occurs.
The SRT will provide the requirements for access controls and other physical security measurements
commensurate with the classification levels of data present and the information protection
requirements.
Access rights, and levels of access, will be granted to the fewest people necessary to
appropriately protect the various classifications of information or facilities, while providing appropriate
protection and coverage for emergency, business continuity and disaster recovery situations. Access
rights to secure areas will be reviewed by the site manager periodically and updated where necessary.

6.1.4 VISITOR PROCEDURES
All visitors to secured areas will be supervised and only allowed in for authorized purposes. A visitors’ log
will be in place at all secure areas that records the date and time of entry and exit. All visitors will be
given both security instructions and emergency procedures.
Employees will challenge unfamiliar people who are unescorted or not showing visible identification.
Contractors, service vendors, suppliers, materialmen, etc., will be advised of the building rules and
regulations concerning their proper conduct within RightRev’s property. They will be required to sign
acknowledgement of the BUILDING RULES AND REGULATIONS prior to beginning work.

6.1.5 THIRD PARTY PHYSICAL SECURITY AT RIGHTREV FACILITIES
Special third parties may have Security personnel and devices at RightRev facilities on a full-time basis.
These third parties must only be allowed full time access if they are necessary to help further the needs
of RightRev’s business. Special care should be taken to limit access of third-party personnel to only their
work areas as much as possible.

6.1.6 CONTROL OF PHYSICAL SECURITY CONTROLS
Access to the mechanisms that control physical access to secure sites (badge-enabled systems, door lock
keys and other physical access control systems) must itself be controlled. Master badges / ID cards or
keys must be restricted to very few individuals per site or system. Wherever possible, control of these
systems must reside with the local Information Security or Physical Security management.

6.1.7 SECURING OFFICES, ROOMS, AND FACILITIES
All offices, rooms and facilities that contain other than public information resources will be protected to
prevent unauthorized access, damage, or interference to the business processes. All offices and rooms
that contain confidential information should be secured using an access control system.

6.1.8 SITE RISK ASSESSMENT
A risk assessment of secure areas will be conducted to determine the type of control that is appropriate
and prudent, taking into account not only personnel risks but also those of environment, neighborhood,
civil unrest, and natural and man-made disasters. Health and safety regulations and concerns will also
be examined, and controls incorporated.

6.1.9 SECURING SITES WHEN UNOCCUPIED
Rooms in a facility that contain sensitive assets will be locked when not in use. Windows and doors will be
kept locked and have protection from intrusion or environmental factors.
Intrusion alarms will be in place and maintained to the vendor’s standards, as applicable according to the
information protection requirements. Unoccupied areas will be alarmed as required.
Sensitive documents will be locked in file cabinets or other protective furniture that takes into account
the results of the risk analysis.
Additional access controls will be implemented for server and communications rooms or areas. Key
facilities will be situated so as to avoid public access. Support functions and equipment will be
situated in a way that keeps them away from the public and unauthorized personnel.

6.2 MONITORING OF FACILITIES FOR PHYSICAL SECURITY
Where possible, systems will monitor the physical security of facilities. Monitoring could include any or
all of the following technologies, based on the outcome of the physical security risk assessment:
• Closed circuit TV or video cameras
• Door and window opening alarms
• Hold open sensors for doors or windows
• Always-active door alarms for emergency exits and other little-used doors
• Motion/heat sensors for sensitive working areas
• Access control system for server room and main entry/ exit rooms
• Security Patrols

6.2.1 OTHER SITE SECURITY ISSUES
Hazardous or combustible materials will be stored securely at a safe distance from secure facilities. Only
necessary bulk supplies will be stored within secure facilities.
Back-up equipment and media will be stored off-site, at a distance from the facility sufficient that they
would not be damaged if the facility is damaged.

7 COMMUNICATIONS AND OPERATIONS MANAGEMENT

7.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES

7.1.1 DOCUMENTED OPERATING PROCEDURES
• All standard operating procedures will be formally documented and maintained to ensure the
correct and secure management of all information processing facilities.
• Formal documented procedures and detailed execution instructions will be in place for each job,
including:
• Information processing and handling.
• Scheduling requirements, including system interdependencies and prioritization.
• Scheduling of earliest start and latest completion times.
• Instructions for error handling during job execution.
• Instructions for exceptions during job execution.
• Restrictions on the use of system utilities (see 9.5.5).
• Operational and support contacts for technical difficulties.
• Output instructions for confidential or sensitive output.
• Secure disposal of output from failed jobs.
• System restart and recovery procedures in the event of system failure.
• Housekeeping functions in information processing facilities, such as startup and close down,
equipment maintenance, server room and mail management, and safety.
• Formal authorization from management will be obtained prior to any changes to documentation.

7.1.2 OPERATIONAL CHANGE CONTROL
Formal management responsibilities and procedures to control all changes to equipment, software or
procedures will be established and followed, integrating operational and application change control
procedures and logging all changes.
There will be a formal approval process for proposed changes (that could potentially impact the
computing environment), developed by the development management team.
Prior to any operational change there will be a risk assessment that:
• Identifies significant changes.
• Records significant changes.
• Assesses the potential impact of such changes; and
• Defines procedures and responsibilities for aborting and recovering from unsuccessful changes.
All changes will be communicated to all relevant persons. The system owner will manage this process
with the assistance of the SRT.

7.2 SYSTEM PLANNING AND ACCEPTANCE

7.2.1 CAPACITY PLANNING
To limit disruption to the network, applications, and business functions, RightRev will monitor system
capacity and plan for future capacity needs in sufficient time to procure system resources prudently. This
will ensure adequate resources are available and reduce the possibility of system overload.
System owners will monitor their equipment for current uses and projected capacity.

7.2.1 PROVISIONING OF HARDWARE AND SOFTWARE
IT must be consulted whenever deploying any new systems for adequate provisioning of system
hardware and software. IT will obtain and install the equipment, as appropriate, and then allow access
to the appropriate groups for use of the equipment. Provisioning of software requires purchasing of any
applicable licenses for use.

7.2.2 MANAGEMENT OF NETWORK STORAGE
To allow the adequate storage capacity to support all users, IT will develop standards and processes for
managing online and offline storage capacity. These standards will include types or classes of storage,
data backup (see 8.4.1), protection by classification (see 5.2.1), and any quotas necessary based on the
business reasons for storage. Management of storage will incorporate any requirements given in
information retention policies (see 5.3).

7.2.3 SYSTEM ACCEPTANCE
To ensure new systems or applications do not disrupt the network, existing applications, or other
systems, a system acceptance process will be defined. This process will document acceptance criteria
for new systems prior to acceptance. All systems will be tested prior to acceptance, including a
vulnerability assessment or scan prior to being permitted to connect to the RightRev network. This
process will ensure that security controls are in place and that the new system complies with the design
and function required.
• System owners will ensure that the equipment capacity requirements are met prior to use of new
system.
• Managers and users (when applicable) will inspect major new systems periodically throughout the
development to ensure functionality is appropriate and compliant with design requirements.
• Prior to the acceptance and use of new systems, the following controls will be documented and in
place:
o The system is built according to standard hardware or software builds published by IT.
o Effective manual contingency procedures are documented (if applicable).
o Error recovery/restart procedures and contingency plans (if applicable).
o Updated business continuity plans (if applicable).
o Compatibility of the new system with the security requirements of the organization.
o Compatibility of the new system with the existing systems.
o Security controls are in place and tested.
o A vulnerability scan has been run against the system to verify that patch levels are current and
that no unnecessary services are running.
o Users will be adequately trained prior to taking a new system into operational mode.
o Operational testing procedures will be documented and preparations for new systems
completed prior to acceptance. Systems must meet acceptance criteria, or have formal
exceptions authorized, before being connected to the RightRev network.
Note that these requirements do not apply to any system not connected to the RightRev corporate
network. This includes stand-alone systems, or systems not connected to the rest of the network. If
these systems are subsequently brought out of that environment and the desire is to connect them to
the RightRev network, then these requirements apply.

7.3 PROTECTION AGAINST MALICIOUS SOFTWARE
RightRev will implement procedures, user awareness, and change controls to detect and prevent the
introduction of malicious software into the organization’s computing environment. This policy will
protect the integrity of software and information by promoting procedures and user actions to mitigate
the risks of the introduction of malicious software into the organization.
• To prevent service interruptions caused by computer viruses on both computers and networks, all
personal computer / laptop users must keep current versions of approved virus-screening software
enabled on their primary computers at all times.
• The organization will comply with the requirements of software licenses. No unauthorized or illegal
software will be used.
• All e-mail attachments will be scanned when entering the network, or scanned on the server prior to
use. All unauthorized files or amendments will be thoroughly investigated.
• Procedures and responsibilities for the use of, training in, reporting on and recovery from virus attacks
will be developed and documented. All users will receive training on virus awareness and virus
control procedures (see 6.3). Business contingency plans will include the handling and recovery
from virus attacks.

7.4 HOUSEKEEPING

7.4.1 INFORMATION BACKUP
RightRev will regularly back-up adequate copies and generations of all software, documentation and
business information and store it off-site. Regular testing will be done to ensure the quality and usability
of backed-up resources. The purpose is to maintain the availability and integrity of information resources
in the case of failure or disaster, by retaining up-to-date back-ups that are stored at a distance sufficient
to escape damages that might occur at the main site.
• Restoration procedures will be documented and tested to ensure that they are effective and comply
with restoration time requirements. Restoration procedures will be kept with the back-up copies at
the remote location.
• The back-up site will implement similar physical and environmental controls as those in place at the
main site.
• Back-up media will be tested regularly to ensure the back-up can be relied upon. IT will be responsible
for ensuring that back-ups are tested.
• Retention schedules will be adhered to for all business information.
• Archival periods and requirements will be determined by the Legal and Finance Departments and
will be documented and adhered to.

7.4.1 PC DATA BACKUP
To protect RightRev’s information resources from loss or damage, personal computer/laptop users are
responsible for regularly backing-up the information on their personal computers/laptops to their
respective network file shares that are assigned to them by the IT Operations group. These shares are
backed up to secure media for disaster recovery purposes.

7.5 NETWORK MANAGEMENT

7.5.1 NETWORK CONTROLS
RightRev will implement strict controls on the organization’s networks to ensure the safeguarding of
information and protection of the organization’s infrastructure and the connected services from
unauthorized access.
• All procedures and responsibilities will be documented.
• Network access controls will be observed for networks connected to public networks (see 9.4).
• The SRT will closely coordinate the controls on the organization’s networks to assure functional
optimization as well as consistency of controls.

7.6 EXCHANGE OF INFORMATION AND SOFTWARE

7.6.1 INFORMATION AND SOFTWARE EXCHANGE AGREEMENTS
Formal agreements will be put in place before information and/or software are exchanged between
organizations. This is necessary to prevent loss, misuse, or modification to the organization’s information
by establishing secure agreements that reflect the sensitivity of the business information involved in
such an organization-to-organization exchange. The Legal Department will determine what agreements
are appropriate and will assist in implementing them. The information owner will be responsible for
assuring that agreements are executed.

7.6.2 SECURITY OF PHYSICAL MEDIA IN TRANSIT
To prevent loss, modification, or misuse of data that is being physically transported, the organization will
safeguard media or information commensurate with its data classification.
All media in transit will be labeled accordingly and packed securely in accordance with the
manufacturer’s specifications.
Sensitive information will be protected from unauthorized access or modification by methods that
include:
• Locked containers
• Hand delivery
• Tamper evident containers
• Splitting the information into more than one package and more than one route
• The System owner will approve the method for each transport of sensitive information.
Audit logs will be kept for each transport of sensitive media (a classification level of non-public)
including:
• What was sent.
• To whom it was sent.
• Who sent it.
• Dispatch time.
• Arrival time.
• Method of transport.
• Special protections.
• System owner’s approval.

7.6.3 SECURITY OF ELECTRONIC MEDIA IN TRANSIT
The purpose of this policy is to prevent loss, modification, or misuse of data that is being electronically
transported (i.e., email, fax, and file transfer). The organization will safeguard media or information
commensurate with its data classification.
Sensitive information will be protected from unauthorized access or modification by methods that
include:
• Use of digital signatures and encryption.
• Secure use of facsimile equipment.
• The System owner will approve the method for each transport of sensitive information. Audit logs will
be kept for each transport of sensitive media.

7.6.4 OTHER FORMS OF INFORMATION EXCHANGE
The following policies govern the secure use of voice, facsimile, or video equipment to protect the
confidentiality and access to information that is communicated through these mediums and to ensure
the availability of resources.
RightRev staff will not reveal sensitive information on the telephone (land or mobile) where it can be
overheard by others, including:
• Where there is a threat of wiretap or other type of potential eavesdropping.
• Where others at the recipient’s end may be eavesdropping.
• In public places or in open offices or offices having thin walls.
• RightRev staff will not reveal sensitive information on answering machines that are shared, can be
accessed by others, or could be the wrong voicemail box.
• RightRev staff will not send or receive sensitive or confidential messages on facsimile machines that
store messages.
• RightRev’s staff will check to assure that the phone number that information is being sent to is correct
and verify that the information is received.
• RightRev’s staff will verify recipient’s facsimile information with the recipient prior to sending
confidential information. The confidential information will not be sent until the recipient has stated
that the information can be sent.

7.6.5 PROTECTION OF SPAM
RightRev business units will take care not to produce unsolicited commercial e-mail (otherwise known
as SPAM) for sending out to the Internet. Any commercial e-mail should be specifically targeted to
recipients in accordance with applicable laws and regulations (see 11.1). If permitted mass mailings
are to be made, Network Services and IT will be consulted to determine the effects of these mailings
on systems and the network, and appropriate mitigation efforts will be enacted (such as system,
time-of-day, or network path restrictions).
Employees will not send unsolicited email messages, including the sending of “junk mail” or other
advertising material to individuals who did not specifically request such material (email spam).
Employees will not use RightRev email or computing resources to participate in the creation of or the
forwarding of chain letters, Ponzi, or other pyramid schemes of any type.

7.7 VULNERABILITY MANAGEMENT
Effective vulnerability management can reduce risk to RightRev’s computing environment by verifying
that systems or network devices are using current patch levels, are not running unnecessary services,
and do not have default passwords.
RightRev will run internal vulnerability scans against any systems containing (or accessing systems that
contain) confidential data at least on a regular basis.
RightRev will contract with a trusted third party to run external vulnerability scans against any
Internet-facing systems on at least a regular basis.

8 ACCESS CONTROL

8.1 BUSINESS REQUIREMENT FOR ACCESS CONTROL

8.1.1 ACCESS CONTROLS AND NEED TO KNOW
Access will be given on a need-to-know basis, based upon the security requirements and business
requirements of individual business applications. Access to information will be provided in a manner
that aims to protect the confidentiality and integrity of that information and without compromise to
associated information or raw data. Data owners will review access control rights for users and groups
of users on a semi-annual basis to ensure that all access rights are authorized and remain appropriate,
and that no unauthorized privileges have been granted.
• All forums where confidential information may be discussed and where non-RightRev employees are
present will be preceded by a determination that all parties are authorized to receive the
information and the appropriate categorization of that information.
• Access will be given that is consistent with security levels and classifications, consistent with
legislation and contractual obligations for confidentiality.
• Standard common groups of users will be given standard access profiles. Access rights in a
networked environment will recognize all connection types available.
• All users and groups of users will receive a clear statement as to the access policy and as to the
requirements met by these access controls.
• Originators of confidential information will decide who will be permitted to gain access to that
information and will specify the uses for that information.
• Administrator access to production systems will be limited to only those with a justified business
requirement for such access. Developers and other application personnel will not have access to the
underlying operating system on production systems, except in emergencies and then with access
only granted for the time necessary. System administrators will not have access to the applications
if possible.

8.2 USER ACCESS MANAGEMENT

8.2.1 USER REGISTRATION
A formal user registration and deregistration process must be used for gaining access to multi-user
systems. This process must protect and maintain the security of access to the organization’s information
resources through the complete life cycle of the user.
Access to RightRev confidential information will be provided only after the authorization of the
information owner has been obtained.
Contractor and third-party contracts will contain the rights of access and will contain sanctions if
unauthorized attempts at access are made (see 6.1.3 and 6.3.4). Service providers will be made aware of
the policy not to provide access to users until specific authorization has been given.
Each person accessing a RightRev multi-user information system will utilize a unique RightRev-assigned
User ID and a private password. Prior authorization is required for user IDs shared among two or more
users.
System owners and/or management will grant access rights. Formal records of all access rights for each
system will be maintained.
Access rights will immediately be removed or modified when a user leaves the organization or changes
jobs.
IT will periodically check for redundant IDs and ensure that redundant IDs are not issued in excess of
what is required (i.e., administrators may have a privileged and a non-privileged account on the same
system, but an average user should not have two different non-privileged accounts on the same system
without a valid business reason).

8.2.2 PRIVILEGE MANAGEMENT
User rights will be granted using the least-privilege methodology, based on business need and security
requirements.
All privileges will be granted only with formal authorization. This authorization will be accomplished
along with User ID authorization, according to IT guidelines. All privileges that are granted will be
documented. No privileges will be granted until authorization is complete.
Elevated privileges (Administrator or root, etc.) should be assigned to a different user ID than that used
for normal business use. Administrators should only use their elevated privilege accounts when
conducting activities that actually require them. Elevated privileges must only be assigned to dedicated
systems administrators and not normal users.
Wherever possible, system routines should be developed and used instead of granting privileges.

8.2.3 USER PASSWORD MANAGEMENT
A user’s account and password are the primary means of verifying a user’s identity. The allocation of
passwords will be a formal management process.
Users will sign a statement in their terms and conditions of employment (see 6.1.3) that their personal
or group passwords are confidential. This may be done as part of the overall acceptance of policies.
Users will be responsible for the secure storage of their passwords.
Users will be granted initial temporary passwords and will be forced to change them immediately. Initial
passwords will be unique for each user. Temporary passwords will only be granted with positive
identification of the user.
Passwords will be given in a secure manner (i.e., not in a plain-text e-mail).

8.2.4 REVIEW OF USER ACCESS RIGHTS
Users’ access rights will be reviewed at regular intervals. Managers will review their employees’ rights to
ensure they are consistent with their present job function. IT will review user rights to ensure that
elevated privileges have not been granted without authorization, and that accounts that have not
been used recently or belong to terminated employees are deactivated or purged.
User access rights will be reviewed at least every six (6) months. Privileged access rights will be reviewed
every three (3) months to ensure that all are authorized and remain appropriate and that no
unauthorized privileges have been gained.

8.3 USER RESPONSIBILITIES

8.3.1 PASSWORD USE
Passwords are an important aspect of computer security. They are the front line of protection for user
accounts. A poorly chosen password may result in the compromise of RightRev’s entire corporate
network. As such, all RightRev employees (as well as contractors and vendors with access to RightRev
systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their
passwords.
The scope of this policy includes all personnel who have or are responsible for an account (or any form of
access that supports or requires a password) on any system that resides at any RightRev facility, has
access to the RightRev network, or stores any non-public RightRev information.

8.3.1.1 USER PASSWORD RULES
All users will keep their passwords confidential and store them securely (i.e., not on the computer and
not on paper unless they can be protected).
Users will be made aware of good security practices and the requirement to use good security practices
with their passwords.
All passwords are to be treated as confidential RightRev information. They should not be shared with
anyone, including administrative assistants.
If an account or password is suspected to have been compromised, report the incident to Information
Security and change all passwords.
Password requirements:
• Regular passwords will be changed at least every three (3) months (90 days). Privileged passwords
will be changed every 90 days.
• Shared privilege passwords (i.e., for “root”, “administrator”, etc.) should be changed every 90 days
or whenever someone with administrator-level access leaves the firm.
• Passwords cannot be re-used for a minimum of 90 days. Temporary passwords will be changed at
first log-on.
• Systems will be configured to lock user accounts in the event of five (5) consecutive unsuccessful
login attempts. System Administrators may reset locked accounts. Otherwise, the minimum
account lockout duration will be 15 minutes.
• Passwords will not be stored on a computer or used in a macro for sign-on. Do not use the
“Remember Password” feature of applications.
• Passwords may not be inserted into e-mail messages or other forms of electronic communication.
• Passwords should not be written down or stored unencrypted on ANY computer (including PDAs).
• PCs or terminals will be locked (i.e., by a key or password) when not in use.

8.3.1.2 SYSTEM PASSWORD RULES
System accounts (i.e., non-interactive accounts for applications or systems) must use passwords that
meet or exceed the password composition requirements.
System-level passwords must be changed at least once every 90 days. This includes shared secret keys
for encryption of connections.

8.3.1.3 PASSWORD COMPOSITION
All user-level and system-level passwords must conform to the requirement described below.
• Passwords will be at least 8 non-sequential characters long.
• Passwords will be composed of alpha-numeric characters.
• Passwords will contain at least 3 of the 4 characteristics below:
o Alphabet character
o Upper case letter
o Number
o Non-alpha-numeric character
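One way to mechanise the composition rules of 8.3.1.3 together with the lockout and 90-day reuse rules of 8.3.1.1, written here as an added example rather than RightRev's own tooling. It assumes that "non-sequential" means no run of three consecutive ascending or descending characters, that "Alphabet character" means a lowercase letter, and that the 90-day reuse window runs from the time a password was set; the timestamps and user names are constructed.

```python
"""Password composition and account lockout checks (added example, not RightRev code)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MIN_LENGTH = 8                       # 8.3.1.3: at least 8 characters
REQUIRED_CLASSES = 3                 # 8.3.1.3: 3 of 4 character classes
MAX_FAILED_ATTEMPTS = 5              # 8.3.1.1: lock after 5 consecutive failures
LOCKOUT_DURATION = timedelta(minutes=15)   # 8.3.1.1: minimum lockout duration
REUSE_WINDOW = timedelta(days=90)    # 8.3.1.1: no re-use within 90 days


def _has_sequential_run(pw: str, run: int = 3) -> bool:
    """Assumption: 'non-sequential' = no run of `run` consecutive code points
    in either direction (e.g. 'abc', '321')."""
    for i in range(len(pw) - run + 1):
        diffs = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def composition_failures(pw: str) -> List[str]:
    """Return the list of 8.3.1.3 rules a candidate password violates (empty = compliant)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if _has_sequential_run(pw):
        failures.append("contains a sequential run of 3 or more characters")
    if not any(c.isalnum() for c in pw):
        failures.append("contains no alphanumeric characters")
    classes = {
        "lowercase letter": any(c.islower() for c in pw),   # assumed meaning of "Alphabet character"
        "upper case letter": any(c.isupper() for c in pw),
        "number": any(c.isdigit() for c in pw),
        "non-alphanumeric character": any(not c.isalnum() for c in pw),
    }
    present = sum(classes.values())
    if present < REQUIRED_CLASSES:
        failures.append(f"only {present} of 4 character classes present")
    return failures


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: Optional[datetime] = None
    # (digest, time set); a real system would store a salted password hash, not SHA-256
    history: List[Tuple[str, datetime]] = field(default_factory=list)


class PasswordPolicy:
    """Tracks lockout state and password history per user ID."""

    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def record_login(self, user: str, success: bool, now: datetime) -> str:
        """Apply the 5-strikes lockout; returns 'ok', 'failed' or 'locked'."""
        st = self._state(user)
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"          # even a correct password is refused while locked
            st.locked_until = None       # lockout expired: start counting afresh
            st.consecutive_failures = 0
        if success:
            st.consecutive_failures = 0
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= MAX_FAILED_ATTEMPTS:
            st.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "failed"

    def admin_reset(self, user: str) -> None:
        """System Administrators may reset locked accounts (8.3.1.1)."""
        st = self._state(user)
        st.locked_until = None
        st.consecutive_failures = 0

    def change_password(self, user: str, new_pw: str, now: datetime) -> List[str]:
        """Check composition and the 90-day reuse window; record the password if accepted."""
        st = self._state(user)
        failures = composition_failures(new_pw)
        digest = hashlib.sha256(new_pw.encode()).hexdigest()
        if any(d == digest and now - set_at < REUSE_WINDOW for d, set_at in st.history):
            failures.append("reused within 90 days of being set")
        if not failures:
            st.history.append((digest, now))
        return failures
```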

8.3.2 UNATTENDED USER EQUIPMENT
Users will protect RightRev’s information resources from unauthorized access by protecting unattended
equipment:
• Users will terminate active sessions when finished (or unattended), or secure them with appropriate
locking functions.
• Users will log off of multi-user systems when finished.
• Users will log off or lock terminals when unattended.
• PCs or terminals will be locked (i.e., by a key or password) when not in use.

8.4 NETWORK ACCESS CONTROL

8.4.1 POLICY ON USE OF NETWORK SERVICES
Users will only have access where there is a specific business requirement, and the access has been
specifically authorized. Users will be granted specific access to networks that they are permitted to
access. Users may not access networks that they are not given specific authorization to access.
Information Security will provide users with the rules, policies, and procedures for accessing network
connections and network services.
Third parties that must deploy non-RightRev controlled systems must be specifically approved by the
Security Officer and must meet the third-party provisions of section 8.2.2.

8.4.2 USER AUTHENTICATION FOR EXTERNAL CONNECTIONS
All remote users will be authenticated before they are permitted to access information resources. Users
will be given remote access only when their job function requires it. Any non-employee who receives
approval for remote access must be restricted to access to specific systems only.
The system owners, in coordination with the Security Officer will select from the following options,
based upon the results of the risk assessment.

8.4.3 REMOTE DIAGNOSTIC PORT PROTECTION
Remote diagnostic ports, usually in the form of vendor modems attached to systems, must be protected
from unauthorized use. Diagnostic ports will not be connected when not in use.
The Security Officer must approve any requests for a vendor or third party to access a device through a
remote port. The vendor must be fully authenticated before access is granted.
Information Security/IT must review the system after the vendor has accessed it to ensure no
unauthorized activities were performed on the system.

8.4.4 SEGREGATION IN NETWORKS

8.4.4.1 EXTERNAL SEGREGATION
Network Controls must segregate groups of information services, users and information systems when
interconnecting networks to partners or other third parties.
A risk assessment must be performed to determine the necessary controls prior to allowing access to the
organization’s networks by new partners or third parties, and the Security Officer must approve any
such connections.
Network segregation controls will be selected on the basis of the risk assessment, cost and the impact of
incorporating suitable routing and gateway technology (see 9.4.7 and 9.4.8). External connections must
terminate in some form of controlled network and must be subject to security controls. There will be no
direct connection between the RightRev corporate (internal) network and any third party. See also 4.2.

8.4.4.2 INTERNAL SEGREGATION
Based on site risk assessments (see 7.1.1), internal segregation of sites or networks within sites may be
warranted. Development and testing networks/systems must be segregated from the rest of the internal
network (either completely or through a firewall/proxy arrangement) to prevent malfunctions in
software from impacting the rest of the network.
Confidential information will be consolidated and isolated on dedicated access servers, active storage,
and inactive storage (such as hard disk/tape media) whenever possible.

8.4.4.3 SEGREGATION OF DEVELOPMENT AND PRODUCTION ENVIRONMENTS
RightRev will separate development and production environments to prevent unfinished or
malfunctioning software from affecting the business network. Only IT-approved systems will be
connected to production environments, and only after the systems have fulfilled acceptance criteria.

8.4.5 NETWORK CONNECTION CONTROL
Highly sensitive systems will have network access controls (e.g., firewalls and/or Access Control Lists) in
place to prevent unauthorized connections from inside, or outside, RightRev. This is in addition to any
application or system access controls. Restrictions will be consistent with the organization’s access
control policy.
Network controls will be configured to allow only network traffic required by the business to enter or
leave the RightRev network. These controls will include:
• Ingress and egress filtering on border devices
• Firewall/Access Control List configuration that is host and port specific
An annual risk assessment will be performed to establish which systems and/or applications should be
protected.

8.4.6 WIRELESS NETWORK POLICY FOR RIGHTREV FACILITIES
This policy controls access to RightRev networks via wireless communication mechanisms.
This policy covers all wireless data communication devices (i.e., personal computers, laptops, cellular
phones, PDAs, etc.) connected to any of RightRev’s internal networks. This includes any form of wireless
communication device capable of transmitting packet data. Wireless devices and/or networks without
any connectivity to RightRev’s networks do not fall under the purview of this policy.

8.5 OPERATING SYSTEM ACCESS CONTROL

8.5.1 USER IDENTIFICATION AND AUTHENTICATION
All users will be identified and authenticated with, at a minimum, a unique identification and a password
before access to operating systems is granted. This will minimize the opportunity for unauthorized
access to information resources at the operating system level by providing a means of user
authentication. If access to the operating system is not necessary, such as when the user has access to
an application (only) running on the system, then operating system access must not be given to the
user.
If operating system access is necessary, such access will be governed by the following rules:
• All users will have a unique user account
• All users will have a unique password
• User passwords will give no indication to their privilege level
• Additional authentication technique(s) will be used in combination with user IDs to provide
further security in authentication including

8.5.2 PASSWORD PROGRAM
All passwords for systems and applications must be individual, effective, and of sufficient quality to deter
compromise. Systems and applications must be configured to programmatically enforce these rules if
available. In the absence of programmatic enforcement, the user will be responsible for enforcing these
rules themselves. See 9.3.1 for more information on passwords.

8.5.2.1 SYSTEM PASSWORD RULES
Default passwords will be changed as soon as a new application is installed.
Systems must automatically expire passwords on the anniversary of the creation of the password.
Expiration may lead to disabling of the account or forcing a password change (depending on the
software implementation).
Application developers must ensure their programs contain the following security precautions.
Applications:
• Should require confirmation of a new password during selection to avoid input errors.
• Should support authentication of individual users, not groups.
• Should not store passwords in clear text or in any easily reversible form.
• Should provide for some sort of role management, such that one user can take over the functions
of another without having to know the other's password.
• Should not display passwords when they are entered.
• Should keep password files separate from application system data.
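The following is an added example (not RightRev's own code) of a credential store that implements the application rules above: passwords are accepted only with a matching confirmation entry, stored as a salted one-way hash rather than in clear text, kept in a store separate from application data, and roles can be delegated without anyone learning another user's password. The in-memory store and the PBKDF2 work factor are assumptions made for the illustration.

```python
"""Added example (not RightRev's code): a credential store that follows the
application password rules in 8.5.2.1.  The in-memory store and the PBKDF2
work factor are assumptions made for this illustration."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# Assumed PBKDF2-HMAC-SHA256 work factor; tune upward for production hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

# Credentials live in their own store, separate from application data.
credential_store: Dict[str, Dict[str, bytes]] = {}
# Role assignments are kept apart from credentials, so a role can be handed
# to another user without that user learning anyone's password.
role_store: Dict[str, Set[str]] = {}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow, one-way hash: the stored form cannot be reversed to the password."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def set_password(user_id: str, password: str, confirmation: str) -> bool:
    """Accept a new password only when the confirmation entry matches it.
    Returns False and stores nothing when the two entries differ."""
    if not hmac.compare_digest(password.encode("utf-8"), confirmation.encode("utf-8")):
        return False
    salt, digest = hash_password(password)
    credential_store[user_id] = {"salt": salt, "digest": digest}
    return True


def verify_password(user_id: str, candidate: str) -> bool:
    """Individual-user authentication: one record per user ID, constant-time compare."""
    record = credential_store.get(user_id)
    if record is None:
        hash_password(candidate)  # same cost for unknown IDs, so timing reveals nothing
        return False
    _, digest = hash_password(candidate, record["salt"])
    return hmac.compare_digest(digest, record["digest"])


def grant_role(user_id: str, role: str) -> None:
    role_store.setdefault(user_id, set()).add(role)


def delegate_roles(from_user: str, to_user: str) -> Set[str]:
    """Let one user take over another's functions by copying roles, not passwords."""
    roles = set(role_store.get(from_user, set()))
    role_store.setdefault(to_user, set()).update(roles)
    return roles


def stored_in_clear(user_id: str, password: str) -> bool:
    """Audit helper: True if the clear-text password appears anywhere in the stored record."""
    record = credential_store.get(user_id, {})
    needle = password.encode("utf-8")
    return any(needle in value for value in record.values())
```

The confirmation check and the hashed, separately stored record cover the first, third, fifth and sixth bullets directly; `delegate_roles` shows the fourth (taking over another user's functions) without any password ever being shared.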

8.5.3 USER ACCOUNT REVIEW/AUDIT
All user accounts will be reviewed on a regular basis to ensure that malicious, out-of-date, or unknown
accounts do not exist. User/group roles and access rights will be reviewed on a regular basis to ensure
that no user or group has excessive privileges.
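As an added example (not RightRev's code), the script below performs one account review of the kind described in this section over a constructed directory export: it lists dormant or never-used accounts, accounts that match neither the HR roster nor the approved service-account list, and accounts holding more privileged group memberships than a stated limit. The record layout, roster, service-account list and thresholds are all assumptions.

```python
"""Added example (not RightRev's code): a periodic user-account review of the
kind 8.5.3 calls for, run over constructed directory export records.  The record
layout, the HR roster, the approved service-account list and the thresholds
are all assumptions made for this illustration."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set

# Constructed sample export from an identity directory (one record per account).
ACCOUNTS: List[Dict] = [
    {"user": "alice", "last_logon": "2023-01-03T08:10:00Z", "groups": ["staff"], "enabled": True},
    {"user": "bob", "last_logon": "2022-06-30T17:45:00Z", "groups": ["staff"], "enabled": True},
    {"user": "carol", "last_logon": "2023-01-02T12:00:00Z",
     "groups": ["staff", "domain-admins", "backup-operators"], "enabled": True},
    {"user": "svc-legacy", "last_logon": None, "groups": ["domain-admins"], "enabled": True},
    {"user": "dave", "last_logon": "2022-12-20T09:00:00Z", "groups": ["staff"], "enabled": False},
]
# Constructed HR roster and approved service accounts: every enabled account
# must be traceable to one of these, otherwise it is an "unknown" account.
HR_ROSTER: Set[str] = {"alice", "bob", "carol", "dave"}
APPROVED_SERVICE_ACCOUNTS: Set[str] = {"svc-backup"}
PRIVILEGED_GROUPS: Set[str] = {"domain-admins", "backup-operators"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dormant_accounts(accounts: Iterable[Dict], now: datetime, max_idle_days: int = 90) -> List[str]:
    """Enabled accounts that never logged on, or not within max_idle_days (out-of-date accounts)."""
    cutoff = now - timedelta(days=max_idle_days)
    found = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["last_logon"] is None or parse_ts(acct["last_logon"]) < cutoff:
            found.append(acct["user"])
    return sorted(found)


def unknown_accounts(accounts: Iterable[Dict], roster: Set[str], service_accounts: Set[str]) -> List[str]:
    """Enabled accounts that belong to no known person and no approved service."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["user"] not in roster and a["user"] not in service_accounts)


def excessive_privilege(accounts: Iterable[Dict], privileged_groups: Set[str],
                        max_privileged_groups: int = 1) -> List[str]:
    """Enabled accounts holding more privileged group memberships than the limit allows."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and len(privileged_groups.intersection(a["groups"])) > max_privileged_groups)


def review(accounts, now, roster, service_accounts, privileged_groups) -> Dict[str, List[str]]:
    """One review run; each list is a finding category for the reviewer to act on."""
    return {
        "dormant": dormant_accounts(accounts, now),
        "unknown": unknown_accounts(accounts, roster, service_accounts),
        "excessive_privilege": excessive_privilege(accounts, privileged_groups),
    }


def review_as_of(iso_ts: str) -> Dict[str, List[str]]:
    """Run the review of the constructed sample data as of the given UTC timestamp."""
    return review(ACCOUNTS, parse_ts(iso_ts), HR_ROSTER, APPROVED_SERVICE_ACCOUNTS, PRIVILEGED_GROUPS)


if __name__ == "__main__":
    for category, users in review_as_of("2023-01-04T00:00:00Z").items():
        print(f"{category}: {users}")
```

Each finding category maps to one clause of the policy text: dormant accounts are the "out-of-date" ones, unmatched accounts are the "unknown" ones, and the privileged-group count is one concrete way to define "excessive privileges" for the review.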

8.5.4 USE OF SYSTEM UTILITIES
Access to system utilities for non-administrators should be restricted to minimize the opportunity for
unauthorized access to or modification of information resources.
All unnecessary system utilities will be removed from server systems. Unnecessary system utilities
should be removed from desktop/laptop systems as appropriate.

8.6 APPLICATION ACCESS CONTROL

8.6.1 INFORMATION ACCESS RESTRICTION
To safeguard applications, RightRev will restrict access to business application system information on a
need-to-know basis.
Menus and documentation will be edited so the users only view data or menus that they are authorized
to view.

8.7 MONITORING SYSTEM ACCESS AND USE

8.7.1 EVENT LOGGING
RightRev will log all security-relevant events or exceptions. IT will be responsible for maintaining event
logs. Event logs will be retained for at least one year with at least 3 months of on-line retention.
The SRT will monitor event logs at periodic intervals. Automated log analysis and alerting will suffice for
this provision.
Event logs will contain:
• User IDs used in logons
• Dates and times for logon and logoff for each user
• Terminal identity (system name and network address)
• Successful and rejected access attempts
• Successful or rejected data access attempts
• Use of elevated privileges through ‘su’ or ‘run as’
• Any access to Member data (Account numbers)
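The block below is an added example (not RightRev's code) of the automated log analysis this section allows for: it parses constructed event records that carry the fields listed above, flags records that lack a required field, counts rejected logons per user ID, and reports use of elevated privileges and access to Member data. The key=value line format, the sample lines and the alert threshold are assumptions.

```python
"""Added example (not RightRev's code): parsing and automated analysis of
event-log records of the kind 8.7.1 requires.  The line format, the sample
log lines and the alert threshold are constructed for this illustration."""
from collections import Counter
from typing import Dict, List, Tuple

# Fields every record must carry under 8.7.1 (terminal identity = host + addr).
REQUIRED_FIELDS = ("ts", "user", "host", "addr", "event", "result")

# Constructed sample records in a simple key=value format; the last record is
# deliberately incomplete so the conformance check has something to find.
SAMPLE_LOG = """\
ts=2023-01-04T09:15:02Z user=alice host=ws-17 addr=10.0.5.23 event=logon result=success
ts=2023-01-04T09:16:40Z user=mallory host=ws-42 addr=10.0.5.99 event=logon result=rejected
ts=2023-01-04T09:16:45Z user=mallory host=ws-42 addr=10.0.5.99 event=logon result=rejected
ts=2023-01-04T09:16:51Z user=mallory host=ws-42 addr=10.0.5.99 event=logon result=rejected
ts=2023-01-04T09:20:10Z user=alice host=ws-17 addr=10.0.5.23 event=su target=root result=success
ts=2023-01-04T09:21:00Z user=alice host=ws-17 addr=10.0.5.23 event=data_access object=member_accounts result=success
ts=2023-01-04T09:30:00Z user=bob host=ws-08 addr=10.0.5.31 event=logoff result=success
ts=2023-01-04T09:31:00Z user=bob event=logon result=success
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def missing_required_fields(event: Dict[str, str]) -> List[str]:
    """Conformance check: which of the 8.7.1 fields this record lacks."""
    return [f for f in REQUIRED_FIELDS if f not in event]


def privilege_use(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(user, target) pairs for 'su' / 'run as' style elevation."""
    return [(e["user"], e.get("target", "?")) for e in events if e.get("event") in ("su", "runas")]


def rejected_logons_by_user(events: List[Dict[str, str]]) -> Counter:
    return Counter(e["user"] for e in events
                   if "user" in e and e.get("event") == "logon" and e.get("result") == "rejected")


def member_data_access(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Every access to Member data, which 8.7.1 requires to be logged."""
    return [(e["user"], e.get("object", "?")) for e in events if e.get("event") == "data_access"]


def alerts(events: List[Dict[str, str]], rejected_threshold: int = 3) -> List[str]:
    """Human-readable findings for the SRT's periodic review."""
    out: List[str] = []
    for user, count in rejected_logons_by_user(events).items():
        if count >= rejected_threshold:
            out.append(f"{count} rejected logons for {user}")
    for user, target in privilege_use(events):
        out.append(f"{user} elevated privileges to {target}")
    for event in events:
        missing = missing_required_fields(event)
        if missing:
            out.append(f"record missing required fields {missing}: {event}")
    return out


if __name__ == "__main__":
    for finding in alerts(parse_log(SAMPLE_LOG)):
        print(finding)
```

The conformance check is the part most often skipped in practice: a record that omits the terminal identity cannot later answer "from where", so it is worth alerting on incomplete records as well as on the events themselves.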

8.7.2 MONITORING SYSTEM USE
RightRev will monitor the use of information processing facilities to detect unauthorized activities and
ensure that users are only performing the functions and gaining access to information to which they are
authorized. Each facility will perform a risk assessment to determine the level of monitoring required.

8.7.2.1 MONITORED ITEMS
Areas eligible for monitoring include:
• Authorized access:
  • User IDs
  • Date and time of key events
  • Types of events
  • Files accessed
  • Programs and utilities used
• Privileged operations:
  • Use of supervisor accounts
  • Use of other privileged accounts (i.e., administrator)
  • System start-up and stop
  • Device attachment and removal
• Unauthorized attempts:
  • Failed attempts for access
  • Access policy violations and notifications for network gateways and firewalls
  • Alerts from proprietary intrusion detection systems
• System alerts or failures:
  • Console alerts or messages
  • System log exceptions
  • Network management alarms
• All access to Member data, including root/administration access
• Monitoring results will be retained in accordance with retention schedules for potential
evidence

8.7.2.2 REVIEW OF MONITORED INFORMATION
IT and the SRT will regularly review the results of the monitoring of information processing facilities to
detect deviations from the organization's access policy and to improve and discipline those that deviate.
The factors that determine the frequency of review include:
• Value, criticality or sensitivity of the information or application involved.
• Past experience of infiltration or misuse, and
• Extent of interconnections.
• Violation of these policies will be subject to disciplinary measures, up to and including
termination.
• Incidents will be reviewed, and controls put in place to stop future occurrences.

8.7.2.3 PROTECTION OF MONITORED INFORMATION
Event and security logs must be protected in order to assure their accuracy and to protect them against
tampering or misuse.
All original logs must be kept unaltered. Extracted log events will be kept separately from the original
logs.
The review of logs will be segregated from those whose actions are logged. Controls will be put in place
that prevent and monitor:
• Attempts to de-activate logs.
• Attempts to alter the message types that are recorded.
• Attempts to edit or delete log files.
• Log storage becoming exhausted, causing either overwriting of the log or failure to record events.
• System owners will be responsible for reviewing their system logs.
• The Security Officer will audit these reviews.
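One technical control that supports this section is a tamper-evident log: each entry carries a keyed MAC over its sequence number, its content and the previous entry's tag, so editing, deleting or reordering an original entry is detectable by whoever holds the key. The block below is an added example (not RightRev's code) of that construction; the key handling is a stand-in, and in a real deployment the key belongs to the independent log reviewer, not to the system whose actions are logged.

```python
"""Added example (not RightRev's code): a tamper-evident log chain of the kind
8.7.2.3 asks for.  Each entry's tag is an HMAC-SHA256 over its sequence number,
the previous entry's tag and its message, so an edited, deleted or reordered
original entry breaks verification.  The key here is a constructed stand-in."""
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

GENESIS_TAG = b"\x00" * 32  # the "previous tag" used for the very first entry


def _tag(key: bytes, seq: int, message: str, prev_tag: bytes) -> bytes:
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(seq.to_bytes(8, "big"))
    mac.update(prev_tag)
    mac.update(message.encode("utf-8"))
    return mac.digest()


def append_entry(chain: List[Dict], key: bytes, message: str) -> Dict:
    """Append one original entry; its tag binds it to everything written before it."""
    seq = len(chain)
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    entry = {"seq": seq, "message": message, "tag": _tag(key, seq, message, prev_tag)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict], key: bytes) -> Tuple[bool, int]:
    """Return (True, -1) if every entry checks out, else (False, index of the first bad entry).
    A deleted or reordered entry shows up as a sequence-number mismatch."""
    prev_tag = GENESIS_TAG
    for index, entry in enumerate(chain):
        if entry["seq"] != index:
            return False, index
        expected = _tag(key, index, entry["message"], prev_tag)
        if not hmac.compare_digest(entry["tag"], expected):
            return False, index
        prev_tag = entry["tag"]
    return True, -1


def head_tag(chain: List[Dict]) -> bytes:
    """Tag of the newest entry; record it out of band so tail truncation is detectable."""
    return chain[-1]["tag"] if chain else GENESIS_TAG


def extract(chain: List[Dict], predicate: Callable[[Dict], bool]) -> List[Dict]:
    """Working copy of selected events for analysis, kept apart from the originals (8.7.2.3)."""
    return [dict(entry) for entry in chain if predicate(entry)]


if __name__ == "__main__":
    demo_key = b"constructed-reviewer-key"
    log: List[Dict] = []
    for msg in ["logon alice ws-17", "su alice->root", "logoff alice"]:
        append_entry(log, demo_key, msg)
    print("intact:", verify_chain(log, demo_key))
    log[1]["message"] = "logon alice ws-17 (nothing else happened)"
    print("after edit:", verify_chain(log, demo_key))
```

The chain alone does not detect removal of the newest entries, because a truncated chain is still internally consistent; that is why `head_tag` exists: the reviewer records the latest tag (or entry count) separately, and a mismatch at the next review reveals the truncation.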

8.7.3 CLOCK SYNCHRONIZATION
RightRev will use a common method to ensure that all system clocks are synchronized. This will ensure
the accuracy of the audit logs and protect the integrity and credibility of any logs that might need to be
used as future evidence.
All computers with real-time clocks will be set to one time standard (i.e., local standard time) that is
used throughout the entire organization.

8.7.4 E-MAIL, VOICE-MAIL AND INTERNET ACCESS MONITORING
RightRev’s e-mail, voicemail, and Internet access systems are to be used primarily for RightRev business.
RightRev reserves the right to access e-mail or voice-mail systems at any time with or without advance
notice or consent of the employee. Such access may occur before, during or after working hours by any
manager or security personnel designated by RightRev.
Employees should not have an expectation of privacy in their voicemail or e-mail messages, or in
computers or computer storage devices. RightRev also reserves the right to monitor all Internet access.
While RightRev recognizes that accidental access to undesirable sites occurs, prolonged or repeated
access to undesirable sites will be construed as intentional violation of RightRev’s policy and may result
in disciplinary action up to and including termination.
All Internet data that are composed, transmitted, or received via RightRev’s computer communications
systems are considered to be part of RightRev’s official records and, as such, may be subject to
disclosure to third parties. Employees should always ensure that the business information contained in
Internet transmissions is accurate, appropriate, ethical, and lawful.

8.8 MOBILE COMPUTING AND TELEWORKING

8.8.1 MOBILE COMPUTING
RightRev institutes the following policies to ensure that business information is not compromised by use
of such devices as notebooks, laptops, PDAs, mobile phones, and tablet PCs in an unprotected
environment and to provide users with controls for and awareness of the potential risks.
A risk assessment will be performed on the potential threats associated with the various forms of mobile
computing for new devices (other than those listed above) that become available.
The risk assessment will consider the following issues:
• Physical protection of the device (i.e., locking away, carrying on airplanes)
• Access control
• The use of cryptographic techniques
• Back-up schedules, procedures, and media protection
• Protection from viruses and malicious software
• Network connections
• Use of networking facilities in public places
Users of mobile computing devices will be required to sign a statement of their understanding and
compliance. This statement should be included in the policy acceptance letter signed during orientation.

8.8.1.1 PHYSICAL PROTECTION OF MOBILE DEVICES
Users must reasonably ensure mobile devices are physically secure at all times if they contain RightRev
sensitive data. Examples of physically securing devices include:
• Mobile devices should never be left visible in a car and should never be left in the trunk or other
storage location overnight.
• Mobile devices should always be carried onboard aircraft and not put in checked luggage
• Mobile devices should not be left at tables in public places (e.g., restaurants, coffee shops, etc.) if
they will be out of sight or one’s immediate control.

8.8.1.2 ACCESS CONTROL REQUIREMENTS
If a mobile device contains other than public RightRev data, it must have some form of access control to
access this information. If access to the device is not controllable, access to the data must be controlled.

8.8.1.3 USE OF ENCRYPTION
If a mobile device contains sensitive RightRev data, it must be encrypted on the storage drive. Encryption may be on a file-by-file basis, or on a volume-by-volume basis.

8.8.1.4 INFORMATION BACKUP
Users are strongly encouraged to back up their RightRev data stored on mobile devices. Backup may be
done when connected to the RightRev network (file shares and other backup facilities), or may be
backed up to removable media. If backed up to removable media, this media must be physically
protected or the data must be encrypted.

8.8.1.5 PROTECTION FROM VIRUSES/MALICIOUS SOFTWARE
If capable, mobile devices must run anti-virus software with current updates/definitions. All laptops
must use RightRev-approved anti-virus software.

8.8.1.6 CONNECTING TO THE RIGHTREV NETWORK AT RIGHTREV FACILITIES
Users may only connect mobile devices that have been authorized by the SRT to the RightRev network at RightRev facilities. These devices must have current anti-virus software running and the user must be
reasonably sure no other malicious software is operating on the laptop. Users may never connect to an
outside network through any form of network interface (modem, wireless, second Ethernet card, etc.)
while simultaneously connected to the internal RightRev network through their primary network
connection. If use of a secondary connection is necessary, the user must first disconnect from the
RightRev network before connecting to the outside network. This policy also applies to connections
from one security zone within RightRev to another (i.e., connecting to the RightRev network and the
network inside an isolated lab at the same time).
Users are encouraged to have IT or Information Security check approved mobile devices before
connecting to the RightRev network if they have reason to believe they may have come into contact
with any malicious software, whether detected by anti-virus or not.

8.8.1.7 CONNECTING TO THE INTERNAL RIGHTREV NETWORK FROM PUBLIC PLACES
Remote connections to the RightRev network may be made by mobile devices at public places under the following provisions.
Public places are defined as any place outside a RightRev facility and include, but are not limited to
hotels, hot spots at food or drink establishments, airports or train stations, the employee’s or other
people’s homes, government, or partner facilities. Users must use an approved personal firewall, and
have it running and actively filtering traffic, when connecting to RightRev networks from public places.
Users must also have current and active anti-virus software running before connecting. Remote
connections will be made through VPN tunnels to safeguard the connection traffic. Connections from
home networks may use a gateway firewall (such as a Linksys router with firewall or other similar
firewall) in place of the personal firewall, but one or the other must be operational and actively filtering
traffic.

8.8.1.8 WIRELESS CONNECTIONS (ANY)
RightRev users must use a personal firewall and anti-virus software (as discussed above) whenever
connected to a wireless network, regardless of whether or not they will connect to the RightRev
networks. In addition, the use of WPA or equivalent privacy measures is encouraged where available.
Mobile device users will not enable ad hoc networking, or operate any other access point functionality
on their wireless adapters while connected to the RightRev network through another connection
(Ethernet, modem, etc.)

8.8.2 TELECOMMUTING AND REMOTE ACCESS
The purpose is to ensure that the organization's information resources are not compromised by those
that access them from premises that are not under the control of the organization, by requiring
authorization, controls, and monitoring of remote access. Also see 9.8.1 concerning mobile devices.
Users must strictly control and protect the organization’s information resources against the possible
threats associated with remote access. These threats include theft of the remote computing devices and
unauthorized access into RightRev’s computing facilities.

8.8.2.1 AUTHORIZATION FOR USE OF PERSONAL REMOTE SYSTEMS
All telecommuting (work that occurs from a fixed location that is outside of the organization that
requires connection to the organization’s information resources) using a personal remote system will be
authorized by the SRT/Security Team.
Authorization Rules:
• Use of any personal remote system (laptop/desktop) to connect into the RightRev network will be
specifically authorized.
• Access to sensitive information via such a personal remote system will be specifically
authorized.
• Storage of sensitive information on such a personal remote system will be specifically
authorized.
• The telecommuter will have adequate and secure communications equipment (VPN, antivirus
software, etc.) set up on the personal remote system.
• The teleworker will be given access to hardware and support and maintenance services.
• Communications will be secured in line with the requirements of the classification of the
information to be accessed.

8.8.2.2 APPLICABILITY OF RIGHTREV POLICY DURING TELECOMMUTING
Users are responsible for any security breaches that occur as a result of their negligence in securing their personal remote systems. By using their own equipment, users are accepting responsibility to protect the RightRev information in accordance with this/these policy(ies).
RightRev reserves the right to audit and monitor any equipment used to process or store RightRev
information resources, regardless of ownership.

8.8.2.3 REMOTE ACCESS METHODS AND AUTHENTICATION OF CONNECTIONS
Users will employ only RightRev approved remote access methods when connecting to the RightRev
network. This provision applies equally to the connection to the RightRev network and connections to
RightRev information resources within the network. Only approved methods of system remote access
will be allowed in accordance with IT guidance and standards. All use of non-approved access methods,
or approved access methods not utilizing IT approved configurations and settings, will be subject to
disciplinary procedures (see 6.3.4).
Access to the RightRev Networks via remote access is to be controlled using strong authentication. At no
time will commercial remote access services (such as GoToMyPC) be allowed with RightRev networks,
systems, or home systems that house or process RightRev information.

8.8.2.4 REMOTE MANAGEMENT OF SYSTEMS
Remote management connections will only be made via encrypted connections (SSH, SSL, etc.). Remote
connections must not allow logon via an elevated system account (i.e., root or administrator) directly.
Administrators must log on with their user account and then change to the elevated privilege account.
This will ensure accountability and logging of unique IDs instead of shared administrative accounts.

8.9 ACCEPTABLE USE OF RIGHTREV COMPUTER SYSTEMS
The purpose of this policy is to outline the acceptable use of computer equipment (Desktops/Laptops) at
RightRev. This will help protect RightRev’s employees, partners, and RightRev from illegal or damaging
actions by individuals, either knowingly or unknowingly.
Inappropriate use exposes RightRev to risks including virus attacks, compromise of network systems and
services, and legal issues. All users are expected to be familiar with and comply with this policy.
All RightRev systems are to be used for business purposes in serving the interests of RightRev and of our customers in the course of normal operations, although occasional use of RightRev computer
systems for personal use is acceptable.
Effective security is a team effort involving the participation and support of every RightRev employee
and affiliate who deals with information and/or information systems. It is the responsibility of every
computer user to know this policy, and to conduct his/her activities accordingly.
This policy applies to employees, contractors, consultants, temporaries, and other workers at RightRev,
including all personnel affiliated with third parties. This policy applies to all equipment that is owned or
leased by RightRev.

8.9.1 GENERAL USE AND OWNERSHIP
While RightRev’s network administration desires to provide a reasonable level of privacy, users should be
aware that the data they create on the corporate systems remains the property of RightRev. Because of
the need to protect RightRev’s network, management cannot guarantee the confidentiality of
information stored on any network device belonging to RightRev.
Employees are responsible for exercising good judgment regarding the reasonableness of personal use.
Individual departments are responsible for creating guidelines concerning personal use of
Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by
departmental policies on personal use, and if there is any uncertainty, employees should consult their
supervisor or manager.
Employees must exercise due diligence to protect sensitive or confidential data or material. For
guidelines on information classification, see Information Classification Section.
For security and network maintenance purposes, authorized individuals within RightRev may monitor
equipment, systems, and network traffic at any time.

8.9.2 SECURITY AND PROPRIETARY INFORMATION
Employees should take all necessary steps to prevent unauthorized access to this information:
• Authorized users are responsible for the security of their passwords and accounts. Users must
keep their passwords secure, and accounts should not be shared.
• All PCs, laptops and workstations should be secured with a password-protected screensaver with
the automatic activation feature set at 15 minutes or less, or by logging-off (control-alt-delete
for Windows users) when the host will be unattended.
• Postings by employees from a RightRev email address to newsgroups should contain a disclaimer
as below:
“Disclaimer”:
The information in this email is confidential. If you are not the addressee indicated in this message (or
responsible for delivery of the message to such person), you may not copy or deliver this message to
anyone. In such case, you should destroy this message, and notify the sender immediately. If you or your
employer does not consent to e-mail messages of this kind, please advise the sender immediately.
Opinions, advice, and other information expressed in this message are not given or endorsed by
employer unless otherwise indicated by an authorized representative independent of this message.
Opinions, advice, and other information contained in this email are subject to the terms and conditions
expressed in the governing RightRev Software nondisclosure agreement or software license and services
agreement.”
All applicable hosts used by the employee that are connected to the RightRev network, whether owned
by the employee or RightRev, will continually execute approved virus-scanning software with a current
virus database (unless overridden by departmental or group policy).
Employees must use extreme caution when opening e-mail attachments received, especially from
unknown senders, as these attachments may contain viruses, e-mail bombs, or Trojan horse code.

8.9.3 UNACCEPTABLE USE
The following activities are generally prohibited. Employees may be exempted from these restrictions
during the course of their legitimate job responsibilities (e.g., systems administration staff may have a
need to disable the network access of a host if that host is disrupting production services). Under no
circumstances is an employee of RightRev authorized to engage in any activity that is illegal under local,
state, federal or international law while utilizing RightRev owned resources.
The lists below are by no means exhaustive, but provide a framework of strictly prohibited activities:
System, Network, and Internet Activities
• Private use of the Internet may be permitted (departmental control) within reasonable limits,
provided that the Web sites accessed are not unlawful or inappropriate to a well-controlled
working environment (e.g., pornography, gambling, or drug-related sites).
• The Internet must not be used to violate intellectual property rights of any party. Intellectual
property includes copyrights, trademarks, patents, trade secrets, publicity, and privacy rights.
Employees are prohibited from interfering with or attempting to disable anti-piracy
mechanisms or other standard technical measures used by copyright owners to protect or
identify their work.
• Accessing resources other than web sites on the Internet from RightRev premises is reserved to
the authorized users of the target systems, must be limited to legitimate purposes and must
comply with local legislation. Attacking in any way, as well as scanning, probing or penetrating,
computer systems or networks on the Internet is strictly prohibited. All employees will be made
aware that all Internet access may be screened, logged, and monitored, in accordance with
local legislation.
• RightRev reserves the right to block access to Internet sites considered inappropriate. Deliberate
attempts to access such sites may result in disciplinary action, up to and including termination.
• The download of electronic files from the Internet by employees is prohibited unless as a
necessary part of their work and must be subject to virus checking on the local workstation.
• Unauthorized copying of copyrighted material including, but not limited to, digitization and
distribution of photographs from magazines, books or other copyrighted sources, copyrighted
music, and the installation of any copyrighted software for which RightRev or the end user does
not have an active license is strictly prohibited.
• Exporting software, technical information, encryption software or technology, in violation of
United States, international or regional export control laws, is illegal. The appropriate
management should be consulted prior to export of any material that is in question.
• Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan
horses, e-mail bombs, etc.) is prohibited.
• Employees will not reveal account passwords to others or allow use of their accounts by others.
This includes family and other household members.
• Employees may not use a RightRev computing asset to actively engage in procuring or
transmitting material that is in violation of sexual harassment or hostile workplace laws in the
user’s local jurisdiction.
• It is not permissible to make fraudulent offers of products, items, or services originating from any
RightRev account.
• Employees will not attempt to access data for which they have not been granted access, unless
they have been granted permission to test security controls of a system or application (i.e., if
these duties are within the scope of regular duties).
• It is prohibited to execute any form of network monitoring which will intercept data not intended
for the employee’s computer, unless this activity is a part of the employee’s normal job/duty.
• It is prohibited to circumvent user authentication or security of any host, network, or account.
• It is prohibited to provide unauthorized information about, or lists of, RightRev employees to
parties outside RightRev.
Email and Communications Activities
• Personal, non-business use is permissible to the extent that it does not consume significant
resources, and that it does not pre-empt any business activity.
• The use of unapproved instant messaging systems is not permitted.
• E-mail, including attachments must be classified according to the policy, based on the sensitivity
of the information contained. Therefore, e-mail has to be secured to an extent commensurate
with this classification. Procedures for the correct labeling and the classification of e-mails are
defined in the Information Asset Classification Guideline (see 5.2).
• Employees are prohibited from sending bulk emails. Exceptions allowed after obtaining
appropriate approvals from the Security Officer / IT admin.
• It is prohibited to participate in any form of harassment via email, telephone, or paging, whether
through language, frequency, or size of messages.
• Unauthorized use, or forging, of email header information is prohibited.
• Any email messages not complying with the guidelines listed in 8.6.5 are prohibited.

8.9.4 ENFORCEMENT
Any employee found to have violated this policy is to be subject to disciplinary action, up to and
including termination of employment.

9 SYSTEMS DEVELOPMENT AND MAINTENANCE

9.1 SECURITY REQUIREMENTS OF SYSTEMS

9.1.1 SECURITY REQUIREMENTS ANALYSIS AND SPECIFICATION
The purpose of this policy is to ensure that all new systems comply with the organization’s security
requirements. Security approval will be required for all key project phases (i.e., concept, requirements,
testing). All new or upgraded systems must have their security requirements documented.
• A risk assessment will be performed to evaluate the security requirements for new systems or
upgrades.
• The system owner, in conjunction with the Security Officer, will specify the security requirements
of all new implementations prior to their final approval.
• The controls and requirements will reflect the sensitivity and business value of the information
assets involved.
• Independent consultants will be brought in to assist in evaluations if deemed necessary.
• Vulnerability scans and/or penetration tests will be run against systems to ensure security
controls are in place, patch levels are current, and unnecessary services are not running.

9.2 SECURITY IN APPLICATION SYSTEMS
Each Application owner is responsible for managing their own application security, updates, and change
control processes in accordance with policy, business requirements, and vendor recommendations.
RightRev will conduct an application security posture assessment on its software on a regular basis to
proactively minimize the risk from vulnerabilities in the database and technology framework. Any
recommendations from these assessments will be documented. These actionable items will be
prioritized by RightRev’s Product Management and executed.

10 COMPLIANCES

10.1 COMPLIANCE WITH LEGAL REQUIREMENTS

10.1.1 IDENTIFICATION OF APPLICABLE LEGISLATION
To avoid any legal or security breaches, RightRev will document and comply with all relevant statutory,
regulatory, and contractual requirements for each information system.
System owners will seek the advice of the Legal or Information Security Officers for all relevant legal and
security information.
Care will be taken to account for different requirements in different locations (e.g., issues associated
with encryption). RightRev's Legal Department will determine
exceptions to standing policy for those locations that have differing legal requirements, and will work
with the SRT to create exceptions to general policy and specific policies for those jurisdictions.

10.1.2 INTELLECTUAL PROPERTY RIGHTS
All users at RightRev will comply with the legal aspects of intellectual property protection and the rights
and limitations of license agreements associated with proprietary software products.
The purpose of the policy is to ensure that users are aware of and comply with such copyrights,
trademarks, and design rights. Users are responsible for not violating applicable copyright, intellectual
property, or other licensing rights of electronic media or software that is not the property of RightRev.
Furthermore, users are responsible for not using RightRev intellectual property outside the limits of
RightRev policy or licensing.
Failure to abide by these policies will subject the user to disciplinary actions up to and including
termination and/or criminal/civil charges.

10.1.2.1 INTELLECTUAL PROPERTY STANDARDS AND TRAINING
Product Management will publish the organization’s standards for software acquisition. Intellectual
Property Rights Protection policies will be included in all security awareness training.
The SRT, along with each owner, will establish, document, and educate applicable users on:
• Maintaining appropriate asset registries
• Maintaining proof of ownership or licenses
• Policies and controls to assure that license conditions are met
• Policies and controls for disposing of or transferring software to others
• Use of appropriate audit tools

10.1.2.2 USING SOFTWARE FROM OUTSIDE SOURCES
Users will not download or install any third party pirated software on RightRev systems.
Users will not download or install any non-approved software from the Internet. The SRT will approve
specific software for use from the Internet if there is a business need.

10.1.2.3 COPYRIGHTED MATERIAL AND PEER-TO-PEER FILE SHARING AT RIGHTREV
RightRev respects the copyrights of those involved in creating and distributing copyrighted material, including music, movies, software, and other literary and artistic works. It is the policy of RightRev to fully comply with all
copyright laws.
When RightRev employees need to use copyrighted materials to do their jobs, RightRev acquires
appropriate licenses.
RightRev employees may not:
• Store or otherwise make unauthorized copies of copyrighted material on or using RightRev
computer systems, networks, or storage media.
• Download, upload, transmit, make available or otherwise distribute copyrighted material using
RightRev’s computer systems, networks, or storage media without authorization; or
• Use or operate any unlicensed peer-to-peer file transfer service using RightRev’s computer
systems or networks or take other actions likely to promote or lead to copyright infringement.
RightRev reserves the right to:
• Monitor its computer systems, networks, and storage media for compliance with this and other
RightRev policies at any time, without notice and with or without cause; and
• Delete from its computer systems and storage media, or restrict access to, any unauthorized
copies of copyrighted materials it may find, at any time and with or without notice.

10.1.3 DATA PROTECTION AND PRIVACY OF PERSONAL INFORMATION
RightRev will comply with all applicable laws and regulations regarding the protection of personal data.
This will ensure that RightRev is collecting personal information (that information that can be used to
identify living individuals) in a manner that complies with laws, as well as processing and disseminating
that data in a lawful manner.
The SRT will distribute policies and educate users, managers, and service providers on their
responsibilities for compliance.
Information owners will inform the appropriate information protection officer about proposals to keep
information in a structured file. The information protection officer will advise information owners on
policies and procedures concerning their protection and storage of such data.
Confidential information entrusted to RightRev by customers, business partners, suppliers, and other
third parties will be protected in accordance with RightRev’s Security Policies and will be protected with
at least the same care as RightRev’s confidential information.

10.1.4 PREVENTION OF MISUSE OF INFORMATION PROCESSING FACILITIES
Users of RightRev information processing facilities will utilize these facilities only for
management-authorized business purposes. RightRev reserves the right to legally monitor facilities for
compliance. The purpose of this policy is to protect the availability and integrity of the organization’s
information processing facilities, and to protect the organization against legal sanctions arising from the
misuse of computers.
The SRT will provide managers with guidelines for the legal monitoring of computer facilities. Managers
of information processing facilities will monitor the use of such facilities.
If misuse is detected, it will be brought to the attention of the person’s manager for disciplinary action.
An acceptable use policy will be communicated to users. This policy will be included in the policy
acceptance letter that employees sign during orientation. The acceptable use policy will govern permitted
and forbidden activities for their location. In all cases, any activity not expressly permitted is forbidden.

10.2 REVIEWS OF SECURITY POLICY AND TECHNICAL COMPLIANCE

10.2.1 COMPLIANCE WITH SECURITY POLICY
To maintain the security, integrity, and availability of the organization’s information processing assets,
RightRev will continually monitor the organization’s compliance with its security policies.
Managers will continually monitor their users’ compliance with the organization’s security policies,
procedures, and standards.

10.3 SYSTEM AUDIT CONSIDERATIONS

10.3.1 SYSTEM AUDIT CONTROLS
Any partners/vendors conducting system audits will carefully plan, agree upon, and expedite system
audits so as to minimize the risk of disruption to operational business processes. This will ensure the
organization’s compliance with its security requirements while maximizing the availability, integrity, and
security of the organization’s information resources.
The scope and requirements of all audits will be controlled and agreed to by management. Access to any
files beyond read-only will be approved by the SRT/Security team. This includes isolated copies of system
files. If isolated copies of system files are used, the files will be destroyed as soon as the audit is
completed.
Requirements for additional testing will be identified and agreed upon by appropriate management.
• IT resources will be identified and made explicitly available for audit assistance.
• All access to the system will be logged to produce a reference trail.
• All procedures, responsibilities, requirements, and scope will be documented.

10.3.2 PROTECTION OF SYSTEM AUDIT TOOLS
Any agency conducting system audits will protect access to system audit tools (i.e., software or data
files). This will protect the security, availability, and integrity of the organization’s information resources
by ensuring that the organization’s system audit tools are protected from misuse or compromise.
System audit tools will be separated from operational and development systems unless they are given
the added appropriate protection and are authorized by the SRT/Security Team. Users must not test or
attempt to compromise computer or communication system security measures unless specifically
approved in advance by the Security Officer.

11 Training
Due to the rapid development cycle and the new technologies RightRev is working on, we shall train
the team on the latest tools and certifications as per the project requirement.
Such training requires management approval and a project requirement.
New joiners or new team members will go through a training phase at the time of their initial project
allocation. During that phase a mentor will guide them, provide the technical KT, and track their
performance and learning programme for a minimum of 3 to 6 months.