I just need some help

LINK TO ROOT POLICY DOCUMENT
This repository is intended to serve as an index for the EISP and ISSP, which critique the case organization's policy and discuss proposed changes and inconsistencies. Each document contains a scope section that sets the strategic direction and tone for the proposal and an abstract section that recommends approaches to improve the organization's current policy.
Link
MEMORANDUM
TO: BOARD OF DIRECTORS
FROM: Irieonna Davis
SUBJECT: PROPOSED ORGANIZATION
DATE: FEBRUARY 4, 201x
CC: MITCH WHITEMAN, CEO
Scope
The purpose of this report is to address the critical inconsistencies and gaps in Consolidated
Holdings, Inc.’s information security governance by referencing the case study of Consolidated
Holdings, Inc. vs. EISP and ISSP. This report will analyze the misalignment between the
current Enterprise Information Security Policy (EISP) and the various Issue-Specific Security
Policies (ISSP) implemented across different departments. The aim is to propose necessary
updates and realignments to ensure that the company’s security policies are both comprehensive
and consistent, mitigating risks and improving operational efficiency. Additionally, this report
will provide recommendations for restructuring key officers and employees to enhance
accountability and streamline the execution of the new policies.
Abstract
Following an examination of the company’s EISP and ISSP, it was discovered that Consolidated
Holdings, Inc. had an outdated EISP with inadequate coverage of new threats, as well as an
ISSP that was inconsistent across departments. Different subsidiaries and sections within the
firm had conflicting procedures for managing security issues such as data encryption, remote
access, and social media usage. The key findings of this report are:
1. The company’s divisions had implemented their own ISSPs, which varied in scope,
detail, and enforcement mechanisms. For example, while some departments enforced
strict email encryption protocols, others had lax standards, leaving communications
vulnerable.
2. Consolidated Holdings, Inc.'s enterprise-level policy hadn't been updated in years,
failing to account for emerging technologies like cloud computing and remote work.
This caused confusion and gaps in enforcement across departments, resulting in
security vulnerabilities.
3. The EISP was not in accordance with the company’s current business objectives and
compliance requirements, which resulted in potential legal exposure and inefficiencies,
particularly in relation to data privacy regulations like GDPR and CCPA.
Inconsistencies/Proposed Changes
After reviewing the case study of Consolidated Holdings, Inc. vs. EISP and ISSP, several key
inconsistencies were discovered between the company’s high-level Enterprise Information
Security Policy (EISP) and its department-specific Issue-Specific Security Policies (ISSP).
These inconsistencies add to security vulnerabilities, inefficiencies, and noncompliance with
legal norms. Key issues include:
1. Fragmented Security Practices: Consolidated Holdings, Inc. departments use different
standards for data security, encryption, and access controls. This lack of consistency
has resulted in flaws, notably in the management of sensitive information.
2. Outdated EISP: The company’s EISP is not up-to-date with new technology, including
cloud computing, remote access, and cybersecurity issues. Departments have
implemented their own policies (ISSPs) without clear guidance, resulting in
inconsistency and misalignment with corporate objectives.
3. Lack of accountability: There is no clear chain of command to enforce the EISP among
subsidiaries. Departments have been left to interpret the policy independently, resulting
in variances in compliance and enforcement.
4. Inconsistent Data Protection Standards: While some departments enforce strict data
encryption and privacy standards, others do not, resulting in breaches and legal
problems, particularly with new data protection rules (e.g., GDPR and CCPA).
To address these inconsistencies and safeguard the company’s data and reputation, the
following changes are recommended:
1. Update the EISP Framework to include new technologies including cloud
infrastructure, remote work protocols, and growing cyber threats. The new EISP should
serve as a comprehensive guide for the entire business, ensuring that all departments
adhere to a common set of security rules.
2. Establish a framework for ISSPs that complies with the new EISP. All departments
should adhere to consistent standards addressing data security, encryption, access
control, and privacy laws. Regular audits will ensure that policies are applied
consistently across the board.
3. Create a centralized security oversight team, reporting to the CISO, to enforce EISP and
ISSP regulations consistently throughout the organization. This team will perform
routine reviews and audits to ensure compliance.
4. Establish a framework for reviewing and revising EISP and ISSP policies to reflect
technological improvements and regulatory changes. Additionally, obligatory training
programs for key staff and department heads will be implemented to ensure that they
are aware of the new rules and procedures.
New Officers and Key Employees
Consolidated Holdings Incorporated
Case Study
Table of Contents
Executive Summary ………………………………………………………………………………………….. 3
Mission………………………………………………………………………………………………………… 3
Vision ………………………………………………………………………………………………………….. 3
Company Summary ………………………………………………………………………………………….. 3
Services ……………………………………………………………………………………………………….. 4
Performance …………………………………………………………………………………………………. 5
Market Analysis ……………………………………………………………………………………………….. 6
Business Participants …………………………………………………………………………………….. 7
Consulting Services ………………………………………………………………………………………. 7
Internet Services Taxation ……………………………………………………………………………… 7
Main Competitors …………………………………………………………………………………………. 8
Risks………………………………………………………………………………………………………….. 10
Strategy …………………………………………………………………………………………………………. 11
Competitive Advantages ………………………………………………………………………………. 11
Marketing Plan ……………………………………………………………………………………………. 12
Strategic Relationships…………………………………………………………………………………. 13
Organization …………………………………………………………………………………………………… 13
Officers & Key Employees …………………………………………………………………………… 14
Financial Forecast …………………………………………………………………………………………… 14
References ……………………………………………………………………………………………………… 21
Executive Summary
Consolidated Holdings Inc. (CHI) is a Georgia-based firm specializing in
comprehensive Information Technology and Security consulting services. Founded six
years ago by Stella Croft and Nichola Casion, the company seeks to become a dominant
provider of information technology and security consulting services.
CHI offers an array of products and services from general network infrastructure
consulting to full server backup and continuity services. Our company prides itself on its
commitment to customer service through strategic partnerships and a forward-thinking
approach to the ever changing information technology and security landscape.
Based on current trends in the industry and initial surveys throughout CHI’s
operating profile, we are projecting revenues for the next three years at $5.5 million,
$8.25 million, and $12.5 million, respectively. The company is seeking an investment of
$10 million, primarily through capital funding to sustain five areas of company growth:
1. Increase personnel to handle sales, service, and development efforts.
2. Increase marketing to assure future customers are aware of our offerings and
aggressive pricing.
3. Expand our base of operations (using wholesale providers, partnerships, and
other mechanisms) to include at least the top 50 U.S. markets for network
infrastructure, management, and information security solutions.
4. Perform research and development to bring new products to market.
5. Migration to cloud-based services.
Mission
Consolidated Holdings Inc.’s mission is to offer comprehensive, cost-effective
information technology and security solutions for businesses of any size, from home
offices to large corporations.
Vision
The vision of our company is to be the industry leading information technology
and security provider across the United States.
Company Summary
Consolidated Holdings, Inc. is a C-class corporation incorporated in the state of
Georgia on July 4th six years ago. The company’s principal offices are currently located in
Atlanta, GA. All operations, from administration and product development to system
assembly, take place at this leased office location. An adjoining warehouse is available
for storage purposes. The company will relocate to a larger facility as part of plans to
expand services by acquiring companies with data & assembly centers. Further expansion
planning includes the procurement of staff beyond the current forty full-time employees.
Services
Currently, Consolidated Holdings offers the following services:
• System/Server Builds
• System/Server Backup Strategies
• Network Design, Installation, and Administration
• Anti-Virus Installation and Maintenance
• Virus Detection and Elimination
• Penetration Testing
• Information Security Planning
• Business Continuity Planning
• Incident Response Simulations
• Secure Cloud Integration
CHI currently offers information security and network administration services to
business customers, and will begin selling scalable cloud services to residential customers
by February of next year.
CHI designs many of its services so that customers will be capable of automating
their tasks. Increasing the efficiency of our customers increases perception of our
performance, and creates a positive image for our company. With our current assets, we
can:
• Create and configure systems and networks to meet customer needs
• Perform penetration tests and administrate simulations
• Provide backup services
• Provide training through Administration and Information Security courses
• Secure networks, detect unusual activity, and resolve malware events
Service Description
CHI provides consulting on information security topics ranging from network
optimization to network defense and intrusion detection. CHI initiates ongoing research
and development to provide advanced solutions to current customer issues. In addition to
tackling the issues to which organizations are currently exposed, CHI strives to remain
forward-thinking; developing solutions for the security problems of tomorrow.
CHI selects products which meet the following criteria:
• Benefit: The product must materially benefit the customer or the company in some way. This may manifest itself as a side benefit, an improvement on a current service, or an increase in revenue.
• Cost/Benefit Ratio: The benefits realized must be greater than or equal to the cost of implementation, production, and maintenance of the product.
• Maintainability: The product must be maintainable. Code that is open-source, which allows our engineers to adjust for errors, is preferred.
Consolidated Holdings maintains high standards for customer service and issue
resolution in the shortest possible times. Customer service will remain an inherent focus
of CHI for years to come.
Consolidated Holdings offers telephone and e-mail support during business hours, 5
days a week. Online technical support is available via chat room and instant messenger.
CHI has an on-call system for emergencies and in the case of unexpected downtime. In
the future, the company plans to expand implementation of our 24/7 Network Operations
Center (NOC). Plans are also in place to implement a toll-free technical support phone
number.
CHI plans to have constant monitoring of network connectivity and to take proactive measures to solve developing problems. If a failing component is detected within the customer's on-site equipment, a call would be triggered to the customer, and we would then schedule the order of a replacement part. This proactive support would allow us to solve our customers' problems post-haste, before they are ever known to exist.
Fulfillment
All products are implementations of open-source and licensed software from known vendors. Consolidated Holdings will be extending the functionality of open-source products and releasing those changes back to the development community. CHI engineers provide technical expertise and support to customers at no additional cost.
Future Services
In the future, CHI plans on developing a back-office product that consists of the
following features/services:
• Email
• File-Sharing
• Calendar/Scheduling
Employing the aforementioned services would allow our clientele to have the
collaboration and infrastructure enjoyed by major corporations with multi-million dollar
budgets for a fraction of the cost. Consolidated Holdings plans to have the initial launch
of the back-office product by March 31st.
Performance
Consolidated Holdings has been profitable since its inception. Profit margins
were originally forecast to be at 30%. Year one sales were $350,000 with a 30%
growth rate for the first five years. Consolidated Holdings is well positioned in a
continuously growing market.
Information Security has seen explosive growth in the USA and is now the
fastest growing IT discipline in the USA. A CSI/FBI survey indicates that 46% of the
companies responding experienced an event and are investing in ways to make their
businesses easier to manage and more secure. (Richardson, 2007) CHI will continue
to strive to deliver a variety of security solutions and support at reasonable prices.
Investing in Consolidated Holdings is considered a high growth, reasonable risk
opportunity.
Market Analysis
The topics which follow discuss our customers, our competitors, and conditions
within our industry.
Market Analysis (pie chart: share of potential customers, Medium/Large Business vs. Small Office/Home Office)

Market Analysis
Potential Customers        Growth   5 Years Ago    4 Years Ago    3 Years Ago    2 Years Ago    1 Year Ago     CAGR
Medium/Large Business      10%      101,041,000    111,044,059    122,037,421    134,119,126    147,396,919    9.90%
Small Office/Home Office   3%       16,963,070     17,404,110     17,856,617     18,320,889     18,797,232     2.60%
Total                      8.94%    118,004,070    128,448,169    139,894,038    152,440,015    166,194,151    8.94%
Customers and Target Markets
CHI’s customer base includes all small and medium-sized businesses, including
start-ups. Over time the company plans to concentrate on medium to large-sized clients
exclusively, as these are ideal targets for our customized security offerings and hold the
greatest growth potential for the company. Consolidated Holdings feels that these market
segments have special pricing and service needs and make more dedicated, reliable
customers.
Business Participants
CHI is competing within information security and services management, a consultative niche in the industry. The industry is moving toward a fusion of these various types of services as each individual service becomes more streamlined and consolidation becomes more desirable. The alternative is to be a single-solution provider; however, this is a less desirable position. It leaves the company too much at the whim of the public and forces the company to renew its efforts continuously to provide quality service.
The InfoSec & Managed Services industry has begun the process of specialization.
Many companies who began by filling all needs (as we do today) have moved into areas
which utilize their strengths. These specializations include:
1. Co-location ("Server Hotel") facilities
2. Network Design and Management
3. Information Security design and testing
4. Anti-Virus Identification and Elimination
5. Identity Theft/Recovery
6. Cloud Deployment
Consulting Services
IT consulting companies in Georgia offer a wide range of services. These can be
anything from PC repair to Business Resiliency services and everything in
between. Compensation for such services, like the services themselves, range
depending upon the type of service and the degree of detail/difficulty involved in
implementing the desired solution. Current consulting charges begin at $75 per
hour and escalate to over $200 per hour. Other factors affecting price include the
existence of a contract, package bundling, whether or not the services provided
will require ongoing monitoring or management services.
Internet Services Taxation
One cumbersome issue that could potentially hinder the growth of e-commerce transactions is the taxation of goods and services. Currently, fees paid are tax-free, except in a few states. Purchases, however, are subject to the same taxes that apply to goods sold in a store or catalog. When online purchases are made, purchasers are technically responsible for remitting state and local taxes. The only exception occurs when a consumer buys from a corporation with a physical presence in that consumer's home state. In truth, online shoppers rarely pay this cyber-taxation.
While state and local governments are disturbed at this loss of revenue and the potential loss of immense future revenue, federal government officials have been adopting a hands-off policy with regard to Internet taxation. In October 1998, the Internet Tax Freedom Act was passed, placing a three-year ban on any new Internet sales taxes. During this three-year time frame, a committee of government and business representatives, known as 'The Advisory Commission on Electronic Commerce', will meet to discuss a more permanent tax policy. The 19 members of the commission include three federal officials, eight business/consumer leaders, and eight representatives of state/local governments.
According to the Tax Administrators News, taxation of online purchases and services seems to be a bit of a hot topic. As of 2004, Georgia taxes only computer-based services where tax is due on tangible personal property consumed, not on services performed (FTA, 2005).
Challenges
The rise in Internet users has proven to be a boon for Internet based businesses,
which charge fees in return for providing services or information. While business
has been good for many of these companies, a number of challenges threaten the
long-term growth and profitability for them. As legislative hurdles are bypassed
and the internet is further regulated, share of the proverbial pie gets smaller for
all.
Buying Patterns
Consolidated Holdings believes that its customers choose its products and
services based on the following criteria:
• Price.
• Experience.
• Reputation.
• Service.
• Accessibility.
Main Competitors
Competitive threats coming from other companies include:
IBM ISS, Symantec, Northridge. Most of our competitors offer solutions for Windows
and Linux.
Key competitors are detailed as follows:
IBM Information Security Services
IBM ISS offers a wide variety of services to match customer needs. They have split
information into eleven categories: (IBM ISS, 2007)
1. Business Continuity and Resiliency Services: Maintain business operations under virtually any condition, comply with industry and government regulations and gain the ability to recover from disasters.
2. End User Services: Help end users become more productive and collaborate from any place at any time.
3. Integrated Communication Services: Design, implement and manage integrated communications and networking environments to drive collaboration, business flexibility and growth.
4. IT Strategy and Architecture Services: Assess and design an IT infrastructure that aligns IT strategy with business priorities.
5. Maintenance and Technical Support Services: Increase availability and simplify management with integrated support for your multiproduct, multivendor hardware and software environment.
6. Middleware Services: Unlock the potential of your infrastructure with middleware that allows a seamless flow of information from silo-ed applications to business processes throughout the enterprise.
7. Outsourcing Services: Focus on your core business while driving innovation and efficiency with industry-leading outsourcing and managed services for business processes, applications and infrastructure.
8. Security and Privacy Services: Assess your current security and privacy posture, and design, implement and manage measures that address both internal and external threats.
9. Server Services: Build and manage a dynamic and optimized infrastructure that supports business, operational and product innovation using our portfolio of server services.
10. Site and Facilities Services: Plan, design and build flexible, cost-effective and energy efficient data centers and facilities.
11. Storage and Data Services: Simplify storage and data management to support business growth, innovation and compliance.
Symantec
Symantec is an industry leader in information security services offering end-user and
enterprise solutions ranging from anti-virus and anti-spam detection and elimination to
data backup, archive and recovery services. In addition to PC software and security,
Symantec offers n-tier solutions at the gateway and server levels as well.
Symantec provides a full range of services to assist customers in assessing, architecting,
implementing, supporting, and maintaining their security, storage, and infrastructure
software solutions. Their global services organization also provides customers with
maintenance and technical support, consulting, and education services. (Symantec, 2007)
Northridge
Northridge is a technology consulting and managed services firm founded in 1999. They
service the greater Atlanta area, offering the following services:
• Custom Software Strategy & Development
• I.T. Infrastructure Strategy & Implementation
• Business Intelligence Strategy & Implementation
• Interactive Strategy & Creative Services (via Northridge Interactive)
iVision
iVision offers consulting and integration services for IT infrastructure. iVision is based in
Atlanta and offers many services (iVision, 2021):
• Maintenance Planning
• Cloud Deployment
• IT Management
• C-level Consultation
• Project Management
• Merger and Acquisition Assistance
• Data Center Management
• Workflow Planning
• Network Management
• Information Security Services
Risks
CHI recognizes that it is subject to both market and industry risks. The company’s
view of its risks, as well as how each is being addressed, is as follows:
• Regulations: Possible problems caused by a sudden increase in regulation by local, state, or federal authorities. One way the company can reduce this risk is to diversify into several different, but related, business areas. If one area becomes too heavily regulated it may be sold and the profit rolled back into the company to bolster the remaining business.
• Monopolistic Pricing: Aggressive or monopolistic pricing by large or heavily-funded providers. By holding prices down, it becomes difficult for competitors to "low-ball" the company. By diversifying, we can protect business in one area by bundling it with offerings from another area, meeting the needs of the customers and strengthening their ties to the company.
• Technology: Sudden and unexpected shifts in technology or the popularity/availability of the services provided. The company will maintain an active research and development effort, as well as ongoing review of forthcoming technologies from competitors and vendors, in order to stay at or near the top of the technological curve. Also, the diversification of the company's business allows it to respond to shifts in revenue by redistributing material and personnel into those efforts most likely to generate the highest return on investment.
Strategy
The Consolidated Holdings strategy is to achieve name recognition and attract customers by aggressively pricing its services. Once we have established our customer base, CHI will seek to offer additional services through incentive programs. Our sales and system engineers, as well as other technical support staff, will increase margins and provide useful solutions unique to CHI.
CHI will implement a low-cost strategy, achieved by establishing and developing agreements with local media companies to exchange services for discounted advertising and other exposure. Consolidated Holdings' market strategy calls for it to build upon its core portfolio of products and services using the company's expertise in the Information Security and Network Management consulting industry. Consolidated Holdings plans to capitalize on the following areas of growth:
• Identity security
• Anti-Virus recognition and elimination
• Network & Server Backup services
• Hot Site Maintenance
• Cloud Computing
Competitive Advantages
Consolidated Holdings is currently the lowest-priced provider in Atlanta for most commercial services, and its reputation has been consistently high. Size gives the company a competitive advantage in that it can see where the industry is going and move in that direction more quickly than the competition. This allows the company to be more efficient at recruiting and hiring highly creative and talented individuals who tend to shy away from large "corporate" environments. The company has worked to overcome old mistakes made by existing service providers by hiring technically-savvy individuals, making the customer feel as though they have a readily available, dedicated IT support staff for the price they pay per month.
Marketing Plan
The concentrated marketing activities of Consolidated Holdings place emphasis on the business mission and remain comprehensive in nature. The following activities are the marketing department's mission:
• Advertising design and placement.
• Public relations schedules and press releases throughout each year.
• Creation of annual advertorial (advertisement/tutorial) themes for trade journals
and industry conferences.
• Planning and execution of all industry conferences, including the reservation of
space, booths, etc.
• Personnel, messages, literature, etc.
• Collection, analysis, and internal dissemination of competitive information.
• Creation and maintenance of all corporate literature.
• Design, maintenance, and monitoring of websites.
• Design and creation of sales support material.
• Collection and dissemination of client testimonials.
To generate sales, the company uses direct marketing, computer reseller/repair
facilities, and web advertisement.
Marketing initiatives will focus on four areas: Co-location (“Server Hotel”) facilities, web
hosting, broadband access, and content provision. Marketing activities will be
concentrated in the following categories:
• Contact Campaigns: This initiative will encompass various methods of reaching potential customers to generate interest, followed by direct mail to the potential customer.
• Trade Shows: The company will participate in selected local and national shows that will provide an opportunity to develop exposure. This is a very effective tool in creating awareness and stimulating lead activity.
• Industry Organizations and Associates: The recommendation is to join a number of organizations that are relevant to the company as a whole. This initiative will create awareness of the company within the industry, and provide networking opportunities.
• Web Advertisement: Banners and advertisements promoting the company placed on various web pages.
• Promotional Giveaways: This is a traditional way of advertising a company's name by giving something away. This will be used in conjunction with community service organization fund-raising efforts and traditional advertising.
Strategic Relationships
Consolidated Holdings currently has strategic relationships with:
• AT&T WorldNet Communications for Internet service.
• Dell Computer systems for Server and PC based solutions.
• Cisco Systems for Network and Network Security hardware.
• Goozon Technologies for Cloud Services.
CHI is currently pursuing an agreement with a local technical support provider to
handle any overflow of onsite service requests or service requests falling outside of the
service area of CHI.
CHI plans to develop community calendaring and groupware applications for use by
the company and the aforementioned service provider. This will provide a simple, useful
tool for organizations, businesses, and individuals to organize, plan, announce, and track
projects and events.
In the future, the company plans to partner with backbone providers, wholesale
carriers, and other strategic organizations to:
• Reduce cost of goods and services utilized.
• Increase the number and variety of services offered to customers.
• Chart the growth of the company into new territories.
At this time, CHI is establishing re-seller agreements with hardware manufacturers
and other service providers which will allow the company to compete in broader markets,
thus allowing for higher consumer recognition.
Over the next several months, CHI intends to shift more of our IT infrastructure from
localized systems to cloud services. Goozon has been selected as our cloud partner, and
will increase business efficiency both within CHI and for our customers while providing
greater security throughout CHI. Some local systems and servers may remain at CHI,
particularly those that support backups and company devices.
Organization
CHI’s management philosophy is based on responsibility, accountability and
mutual respect. Consolidated Holdings has an environment and structure that encourages
productivity and respect for customers and fellow employees. The company’s goal is to
create an environment where:
• Creativity can flourish.
• Generating new ideas and products is well rewarded.
• Management structure is relatively flat and communication is encouraged.
• Mutual respect and sharing of knowledge is encouraged.
CHI’s Board of Directors represents the company shareholders. The Board
controls the management of the company by appointing executives in effort to support
the needs of CHI as a whole. The CEO of CHI serves as the Board’s Chairman.
Officers & Key Employees
CHI’s management is highly experienced and qualified. Key members of its management
teams are listed below:
• Stella Hayward Croft – President & CEO
• Nichola Casion – Chief Operating Officer
• Katashi Sung – InfoSec Manager
• Rajeev Kaur – Comptroller
• Tameka Winton – Treasurer
Additionally, CHI’s Org charts are listed below for a more comprehensive understanding
of the company’s structure.
Enterprise Organizational Chart (figure). Positions shown: President & CEO; Chief Information Officer; Director of Marketing; Network Administrator; Sales & Customer Service; Technical Support; Research & Development; Administrative Director; Human Resources; Accounting; Legal.
Financial Forecast
This section presents our financial projections for the term of the plan.
The sales forecast chart and table are presented below. Final sales forecasts are based on
predictions mentioned in the Executive Summary.
Sales Monthly (chart: monthly sales, January through December, on a scale of $0 to $450,000, broken down by service line: Network Design, Penetration Testing, Network Management, Server Co-location, General Consulting, Other)
General Assumptions
The company is raising $1.5 million for the purpose of growth and operations. This
funding will cover operating expenses and product development during this period. The
following is a breakdown of how the funds will be used.
Expense                Cost
Advertising            $50,000
Legal Fees             $10,000
Office                 $40,000
Working Capital        $100,000
Miscellaneous          $50,000
Sub-total              $250,000
Product Development    $1,250,000
Total                  $1,500,000
Significant Assumptions
1. Nature and Limitation of Projections: This financial projection is based on
sales volume at the levels described in the revenue section and presents, to the
best of management’s knowledge and belief, the company’s expected assets,
liabilities, capital, revenues, and expenses. The projections reflect management’s
judgment of the expected conditions and its expected course of action, given the
hypothetical assumptions.
2. Revenues: The company’s revenue is derived primarily from subscriptions.
Revenue projections are based on recent sales in the comparable market
nationwide, based on industry average. The exact numbers can be found in the
Sales Forecast table and chart section.
3. Expenses: The company’s expenses are primarily those of salaries, sales
commissions, and administrative costs. Other expenses are based on
management’s estimates and industry averages.
Break-Even Analysis
Table 2 reflects the company’s break-even estimates. These are based on fixed and
variable cost estimates derived from past income statement data. Given that Consolidated
Holdings has little in the way of marginal costs, the break-even analysis reflects the
industry’s high gross margins. Unless one of the potential future risks seriously impacts
profitability, or the company loses its ability to rapidly adjust to changing market
conditions, the company does not see this as a serious issue.
Break-Even Analysis:
Monthly Units Break-even            41,368
Monthly Revenue Break-even          $41,368
Assumptions:
Average Per-Unit Revenue            $1.00
Average Per-Unit Variable Cost      $0.05
Estimated Monthly Fixed Cost        $39,228
Table 1
Profit/Loss Analysis
Consolidated Holdings is in the early stage of development, thus initial projections have
only been made on accounts that are believed to most drive the income statement. Table 3
provides CHI’s projected income statements for the past three years.
Profit/Loss                               3 Years Ago    2 Years Ago    1 Year Ago
Sales                                     $1,500,000     $4,500,000     $7,500,000
Direct Cost of Sales                      $77,596        $84,296        $88,796
Other                                     $0             $0             $0
Total Cost of Sales                       $77,596        $84,296        $88,796
Gross Margin                              $1,422,404     $4,415,704     $7,411,204
Gross Margin %                            94.83%         98.13%         98.82%
Expense
Payroll                                   $307,800       $342,400       $392,400
Sales and Marketing and Other Expenses    $41,468        $41,468        $41,468
Depreciation                              $0             $0             $0
Legal Fees                                $300           $300           $300
Utilities                                 $3,600         $3,600         $3,600
Insurance                                 $4,200         $4,200         $4,200
Mortgage                                  $67,200        $67,200        $67,200
Payroll Taxes                             $46,170        $51,360        $58,860
Other                                     $0             $0             $0
Total Operating Expenses                  $470,738       $510,528       $568,028
Profit Before Interest and Taxes          $951,666       $3,905,176     $6,843,176
Interest Expense                          $65,506        $51,131        $36,131
Taxes Incurred                            $225,583       $963,511       $1,730,124
Net Profit                                $660,577       $2,890,534     $5,076,921
Net Profit/Sales                          44.04%         64.23%         67.69%
Table 2
Cash-Flow Analysis
Chart 1 and Table 4 show our cash flow and cash balance projections.
[Chart 1: cash flow chart, labelled 2000, 2001, 2002; chart not reproduced]
Cash Flow                                      3 Years Ago    2 Years Ago    1 Year Ago
Cash Received
Cash from Operations:
Cash Sales                                     $1,275,000     $3,825,000     $6,375,000
Cash from Receivables                          $220,905       $619,810       $1,069,810
Subtotal Cash from Operations                  $1,495,905     $4,444,810     $7,444,810
Additional Cash Received:
Sales Tax, VAT, HST/GST Received               $0             $0             $0
New Current Borrowing                          $0             $0             $0
New Other Liabilities (interest-free)          $0             $0             $0
New Long-term Liabilities                      $0             $0             $0
Sales of Other Current Assets                  $0             $0             $0
Sales of Long-term Assets                      $0             $0             $0
New Investment Received                        $0             $0             $0
Subtotal Cash Received                         $1,495,905     $4,444,810     $7,444,810
Expenditures
Cash Spending                                  $48,141        $121,571       $194,346
Payment of Accounts Payable                    $829,560       $1,438,462     $2,179,741
Subtotal Spent on Operations                   $877,701       $1,560,033     $2,374,086
Sales Tax, VAT, HST/GST Paid Out               $0             $0             $0
Principal Repayment of Current Borrowing       $0             $0             $0
Other Liabilities Principal Repayment          $0             $0             $0
Long-term Liabilities Principal Repayment      $150,000       $150,000       $150,000
Purchase Other Current Assets                  $0             $0             $0
Purchase Long-term Assets                      $0             $0             $0
Dividends                                      $0             $0             $0
Subtotal Cash Spent                            $1,027,701     $1,710,033     $2,524,086
Net Cash Flow                                  $468,204       $2,734,777     $4,920,724
Cash Balance                                   $580,816       $3,315,593     $8,236,316
Table 3
Balance Sheet
Table 5 outlines CHI’s projected balance sheets for the past 3 fiscal years.
Balance Sheet                        3 Years Ago    2 Years Ago    1 Year Ago
Current Assets
Cash                                 $580,816       $3,315,593     $8,236,316
Accounts Receivable                  $27,595        $82,785        $137,975
Other Current Assets                 $34,650        $34,650        $34,650
Total Current Assets                 $643,061       $3,433,028     $8,408,941
Long-term Assets                     $331,650       $331,650       $331,650
Accumulated Depreciation             $0             $0             $0
Total Long-term Assets               $331,650       $331,650       $331,650
Total Assets                         $974,711       $3,764,678     $8,740,591
Current Liabilities                  2003           2004           2005
Accounts Payable                     $32,409        $81,842        $130,835
Current Borrowing                    $90,338        $90,338        $90,338
Other Current Liabilities            $90,338        $90,338        $90,338
Subtotal Current Liabilities         $213,084       $262,517       $311,510
Long-term Liabilities                $495,975       $345,975       $195,975
Total Liabilities                    $709,059       $608,492       $507,485
Paid-in Capital                      $0             $0             $0
Retained Earnings                    ($394,925)     $265,652       $3,156,186
Earnings                             $660,577       $2,890,534     $5,076,921
Total Capital                        $265,652       $3,156,186     $8,233,107
Total Liabilities and Capital        $974,711       $3,764,678     $8,740,591
Net Worth                            $265,652       $3,156,186     $8,233,107
Table 4
Consolidated Holdings Incorporated
Omnibus
Table of Contents
Policy
  Enterprise Information Security Policy
  Issue Specific Security Policy/System Security Policies
    Anti-Virus
    Authentication & Authorization
    Acceptable Use
    Password
    Remote Access
    Virtual Private Network (VPN) Policy
    E-mail & Messaging Use and Retention
    Retention
    Ethics Policy
    Firewall
    Internal Security
    IDS
    Systems Management
Planning
  Contingency Planning
  Disaster Recovery
    1.0 Purpose
  Appendix A (Contact Lists)
  Appendix B (Form Templates)
10K Filing
References
Policy
Enterprise Information Security Policy
Statement of Purpose
This document will identify elements of a good security policy, explain the need
for information security, identify the information security roles and responsibilities, and
establish minimum information security practices for Consolidated Holdings computer
resources and associated communication networks utilizing the Consolidated Holdings
enterprise network.
Information Security Elements
Information security is defined as the protection of information and the systems
and hardware that use, store, and transmit that information. Therefore, this policy is
intended to give direction on accepted security practices designed to ensure information
confidentiality, integrity, and availability of company assets by managing threats and
reducing vulnerabilities.
Assets are defined, in this case, as items that are owned by the company, that have
an assessed financial value. This would include computer hardware, software,
information, and lines of communication coming into and leaving the company campus.
Threats are defined as objects, people, or other entities that represent a risk of loss
to an asset(s). Threats occur in several categories. These include:
1. Acts of human error or failure (Accidents, employee mistakes)
2. Compromises to intellectual property (Piracy, copyright infringement)
3. Deliberate acts of espionage or trespass (Unauthorized access)
4. Deliberate acts of information extortion (Blackmail of disclosure)
5. Deliberate acts of sabotage or vandalism (Destruction of information)
6. Deliberate acts of theft (Illegal confiscation of equipment)
7. Deliberate software attacks (Viruses, worms, denial-of-service)
8. Deviations in QOS from service providers (Power and WAN issues)
9. Forces of nature (Fire, flood, earthquake, lightning)
10. Technical hardware failures or errors (Equipment failure)
11. Technical software failures or errors (Bugs, unknown loopholes)
12. Technical obsolescence (Antiquated or outdated technology)
Vulnerabilities are defined as weaknesses or faults in a system or protection
mechanism that expose information to attack or damage. Attacks are intentional or
unintentional attempts to compromise the information and/or the systems that
support it.
Need for Information Security
The continued use of information technology resources throughout Consolidated
Holdings’ working infrastructure has continued to evolve with the intent of improving
services for our constituency. These improvements allow for rapid and efficient
communication among various departments and often directly with the directors of the
surrounding business community. Consequently, our constituency has become heavily
dependent upon the availability of a reliable information technology infrastructure to
meet its business needs.
Unfortunately, the “electronic highways” that facilitate our ability to
instantaneously share information also create vulnerabilities, potentially allowing
unauthorized persons to gain access to Consolidated Holdings resources. In order to
mitigate threats to information technology resources across the enterprise network and
associated domains, a series of information security instructions, entitled
“INFORMATION SECURITY POLICY, INSTRUCTIONS, AND TECHNICAL
STANDARDS,” is to be established.
Information Security Roles & Responsibilities
Consolidated Holdings technology resources will proactively track threat activity
and work to prohibit or correct such activity. Where unintentional unauthorized access is
detected, the affected organization will be advised to correct exploitable vulnerabilities to
prevent future occurrences. Where unauthorized access is determined to be intentional it
will be assumed to be malicious and an appropriate response will be initiated.
All Consolidated Holdings faculty members, staff, students, contractors, agents or
other individuals utilizing computer resources, data communication networks, or other
information technology infrastructure resources owned or leased by Consolidated
Holdings, including any other state agencies having electrical connectivity to the network
are subject to this policy. Additionally, any remote access, such as dial up connections,
personal Internet Service Provider access or VPN connection, onto the Consolidated
Holdings enterprise network or associated domains will have the same effect as direct
access via CHI provided equipment or facilities.
General Policy Elements
1) Protection of Information
Policy: Information must be protected in a manner commensurate with its sensitivity,
value, and criticality.
Audience: Technical Staff
2) Use of Information
Policy: Consolidated Holdings computer and communications systems must be used
for appropriate business purposes only, by authorized personnel.
Audience: All
3) Information Handling, Access, & Usage
Policy: All data and information sent over the Consolidated Holdings enterprise
network, and associated domain communications systems, are the property of
Consolidated Holdings.
Audience: All
4) Data & Program Damage Disclaimers
Policy: Consolidated Holdings is not held responsible for any loss or damage to data
or software that results from its efforts to protect the confidentiality, integrity, and
availability of the information handled by computers and communications systems.
Audience: End Users
5) Legal Conflicts
Policy: Consolidated Holdings information security policies were drafted to meet or
exceed existing federal and state laws and regulations. Any policy implemented by
CHI that is found to be in conflict with any existing laws or regulations should
immediately be brought to the attention of the Chief Information Security Officer.
Audience: End Users
6) Exceptions to Policies
Policy: Exceptions to information security policies exist on occasion where a risk
assessment examining the implications of being out of compliance has been
performed, where a standard risk acceptance form has been prepared by the data
owner or management, and where this form has been approved by both the Chief
Information Security Officer and internal Audit Management.
Audience: Management
7) Non-enforcement
Policy: Management’s non-enforcement of any policy requirement does not constitute
its consent.
Audience: End Users
8) Violation of the Law
Policy: Consolidated Holdings will prosecute violators of federal and state computer
crime laws as laid out within the applicable laws.
Audience: End Users
9) Revocation of Access Privileges
Policy: Consolidated Holdings reserves the right to revoke a user’s information
technology privileges at any time.
Audience: End Users
10) Industry-Specific Information Security Standards
Policy: Consolidated Holdings information systems must employ industry-specific
information security standards.
Audience: Technical Staff
11) Use of Information Security Policies and Procedures
Policy: All Consolidated Holdings information security documentation, including, but
not limited to, policies, standards, and procedures, must be classified as “Internal Use
Only”, unless expressly created for external business processes and partners.
Audience: All
12) Authority Over Data
Policy: Consolidated Holdings reserves the right to examine all information
transmitted through these systems. Examination of such information may take place
without prior warning to the parties sending or receiving such information.
Audience: All
13) Expectation of Privacy
Policy: Staff, contractors, agents or other individuals should have no expectation of
privacy associated with the information they store in or send through these systems;
most files and documents maintained by Consolidated Holdings are subject to public
review under the Georgia Open Records Act. This includes computer files and other
stored material regardless of the medium of storage.
Audience: All
14) Mission Critical Systems Information Handling
Policy: Consolidated Holdings reserves the right to delete, summarize, or edit any
information posted to, or transiting through, Consolidated Holdings information
systems. These systems are scarce, Company owned-resources designed to support
mission critical Company activities and goals.
Audience: All
Review & Evaluation
1) Review Period
Policy: This policy and associated instructions require a quarterly review by the
Chief Information Officer’s Departmental Directors or agents.
Audience: Management
2) Authority
Policy: Authority to establish and enforce this policy and associated security policy
documents rests with the Chief Information Officer and the Chief Information Security
Officer.
Audience: Management
Reference
The Georgia Computer Systems Protection Act (O.C.G.A. 16-9-90) specifies
unlawful acts involving information resources and subsequent penalties upon conviction.
As data residing or transiting Consolidated Holdings networks and machines is held in
great trust it must be afforded the greatest safeguards. Therefore, information security
policy, instruction, processes, and standards created in furtherance of protecting
Consolidated Holdings Company information assets rely upon the Georgia Computer
Systems Protection Act (O.C.G.A. 16-9-90) to ensure compliance. Violators may
be prosecuted accordingly.
** Portions of this policy were copied and/or modified from tables 4-1 and 4-2 (pages 111-115) of
Management of Information Security by Dr. Michael Whitman and Professor Herbert Mattord.
Issue Specific Security Policy/System Security Policies
Anti-Virus
1.0 Purpose
The purpose of this policy is to provide guidance for utilizing anti-virus software
and preventing the introduction of malicious software or access to CHI corporate owned
systems, where corporate owned is defined as any system operating in a CHI production
environment on the company network, whether within the company owned facilities or
issued to company agents or employees for use at remote locations for company business.
2.0 Scope
This policy applies to all CHI employees and affiliates.
3.0 Policy
3.1 General Guidelines
• Always run the corporate standard, supported anti-virus software, which is available from the corporate download site. Download and run the current version; download and install anti-virus software updates as they become available.
• NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then “double delete” them by emptying your Trash.
• Delete spam, chain, and other junk email without forwarding; refer to CHI’s Acceptable Use Policy.
• Never download files from unknown or suspicious sources.
• Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.
• Always scan a floppy diskette from an unknown source for viruses before using it.
• Back up critical data and system configurations on a regular basis and store the data in a safe place.
• If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, and then run the lab test. After the lab test, enable the anti-virus software.
• When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.
3.2 Ownership
• Responsibility falls to IS/IT/InfoSec staff to verify current anti-virus revisions and maintain the corporate download website with current updates for corporate assets.
4.0 Enforcement
Any employee found to be in violation of this policy may be subject to disciplinary action,
up to and including termination of employment.
5.0 Definitions
Term: Macro
Definition: In Microsoft Word and other programs, a macro is a saved sequence of commands or keyboard strokes that can be stored and then recalled with a single command or keyboard stroke.
Term: Virus
Definition: A virus is a program or programming code that replicates by being copied or initiating its copying to another program, computer boot sector or document.
6.0 Revision History
Authentication & Authorization
Acceptable Encryption
1.0 Purpose
The purpose of this policy is to provide guidance that limits the use of encryption
to those algorithms that have received substantial public review and have been proven to
work effectively. Additionally, this policy provides direction to ensure that Federal
regulations are followed, and legal authority is granted for the dissemination and use of
encryption technologies outside of the United States.
2.0 Scope
This policy applies to all CHI employees and affiliates.
3.0 Policy
Proven, standard algorithms such as DES, Blowfish, RSA, RC5 and IDEA should
be used as the basis for encryption technologies. These algorithms represent the actual
cipher used for an approved application. For example, Network Associates’ Pretty Good
Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure
Sockets Layer (SSL) uses RSA encryption.
Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. CHI’s key length
requirements will be reviewed annually and upgraded as technology allows.
The use of proprietary encryption algorithms is not allowed for any purpose,
unless reviewed by qualified experts outside of the vendor in question and approved by
InfoSec. Be aware that the export of encryption technologies is restricted by the U.S.
Government. Residents of countries other than the United States should make themselves
aware of the encryption technology laws of the country in which they reside.
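As an added illustration of how the approved-algorithm and key-length rules in this section can be applied to an actual inventory, the Python below screens a few cipher uses against two baselines: the policy as written (the algorithms it names, a 56-bit symmetric floor, proprietary ciphers only with outside review and InfoSec approval) and, for comparison, a constructed modern baseline. This is example code written for this page, not CHI’s or any vendor’s; the inventory rows, the modern baseline’s values, and the Diffie-Hellman entry (taken from the PGP example in the text) are assumptions made here.

```python
"""Screening an inventory of cipher choices against the Acceptable Encryption
policy text: approved public algorithms, 56-bit minimum symmetric keys, and
no proprietary cipher without outside review plus InfoSec approval.

Added illustration; the MODERN baseline and the INVENTORY rows are
constructed for this example and are not CHI data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """The rules a cipher choice is screened against."""
    name: str
    approved: frozenset          # algorithm names, upper-case
    min_symmetric_bits: int
    min_rsa_bits: int = 0        # 0 = no numeric floor stated


# Algorithms the policy names as proven, standard choices (Diffie-Hellman
# appears via the PGP example). The policy gives no RSA key-size number,
# only "equivalent strength", so no RSA floor is encoded for it.
POLICY = Baseline("CHI policy",
                  frozenset({"DES", "BLOWFISH", "RSA", "RC5", "IDEA", "DIFFIE-HELLMAN"}),
                  min_symmetric_bits=56)

# Constructed comparison baseline reflecting current practice (assumption,
# not from the policy): AES/ChaCha20, 128-bit symmetric keys, 2048-bit RSA.
MODERN = Baseline("modern baseline",
                  frozenset({"AES", "CHACHA20", "RSA", "ECDH", "ECDSA", "ED25519"}),
                  min_symmetric_bits=128, min_rsa_bits=2048)


@dataclass(frozen=True)
class CipherUse:
    """One place a cipher is used, as an asset inventory would record it."""
    system: str
    algorithm: str
    key_bits: int
    symmetric: bool
    proprietary: bool = False
    externally_reviewed: bool = False   # reviewed by experts outside the vendor
    infosec_approved: bool = False      # approved by InfoSec


def check(use: CipherUse, baseline: Baseline) -> list:
    """Return the policy findings for one cipher use (empty list = compliant)."""
    findings = []
    alg = use.algorithm.upper()
    if use.proprietary:
        # Proprietary algorithms are allowed only with outside review AND InfoSec approval.
        if not (use.externally_reviewed and use.infosec_approved):
            findings.append("proprietary algorithm lacks outside review and InfoSec approval")
    elif alg not in baseline.approved:
        findings.append(f"{use.algorithm} is not on the {baseline.name} approved list")
    if use.symmetric and use.key_bits < baseline.min_symmetric_bits:
        findings.append(f"symmetric key of {use.key_bits} bits is below {baseline.min_symmetric_bits}")
    if alg == "RSA" and use.key_bits < baseline.min_rsa_bits:
        findings.append(f"RSA key of {use.key_bits} bits is below {baseline.min_rsa_bits}")
    return findings


def report(inventory, baseline: Baseline) -> dict:
    """Map each system name to its findings under the given baseline."""
    return {use.system: check(use, baseline) for use in inventory}


# Constructed sample inventory (not CHI data).
INVENTORY = [
    CipherUse("file-share", "DES", 56, symmetric=True),
    CipherUse("web-tls", "RSA", 1024, symmetric=False),
    CipherUse("vpn", "AES", 256, symmetric=True),
    CipherUse("vendor-app", "VendorCrypt", 128, symmetric=True, proprietary=True),
]

if __name__ == "__main__":
    for baseline in (POLICY, MODERN):
        print(f"== {baseline.name} ==")
        for system, findings in report(INVENTORY, baseline).items():
            print(f"{system}: {'compliant' if not findings else '; '.join(findings)}")
```

Run as a script it prints one line per system under each baseline. Checked literally, the policy list passes 56-bit DES and flags AES, which the list as written does not name; a named-algorithm list drifts as cryptography moves on, which is what the quarterly review clause in the EISP exists to catch.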
4.0 Enforcement
Any employee found to be in violation of this policy may be subject to disciplinary
action, up to and including termination of employment.
5.0 Definitions
Term: Proprietary Encryption
Definition: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Term: Symmetric Cryptosystem
Definition: A method of encryption in which the same key is used for both encryption and decryption of the data.
Term: Asymmetric Cryptosystem
Definition: A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption).
6.0 Revision History
Acceptable Use
1.0 Overview
InfoSec’s intentions for publishing an Acceptable Use Policy are not to impose
restrictions that are contrary to CHI’s established culture of openness, trust and integrity.
InfoSec is committed to protecting CHI’s employees, partners and the company from
illegal or damaging actions by individuals, either knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including but not limited to computer
equipment, software, operating systems, storage media, network accounts providing
electronic mail, WWW browsing, and FTP, are the property of CHI. These systems are to
be used for business purposes in serving the interests of the company, and of our clients
and customers in the course of normal operations. Please review Human Resources
policies for further details.
Effective security is a team effort involving the participation and support of every
CHI employee and affiliate who deals with information and/or information systems. It is
the responsibility of every computer user to know these guidelines, and to conduct their
activities accordingly.
2.0 Purpose
The purpose of this policy is to outline the acceptable use of computer equipment
at CHI. These rules exist to protect the employee and CHI. Inappropriate use exposes
CHI to risks including virus attacks, compromise of network systems and services, and
legal action.
3.0 Scope
This policy applies to employees, contractors, consultants, temporaries, and other
workers at CHI, including all personnel affiliated with third parties. This policy applies to
all equipment that is owned or leased by CHI.
4.0 Policy
4.1 General Use and Ownership
While CHI’s network administration desires to provide a reasonable level
of privacy, users should be aware that the data they create on the corporate
systems remains the property of CHI. Because of the need to protect CHI’s
network, management cannot guarantee the confidentiality of information stored
on any network device belonging to CHI.
Employees are responsible for exercising good judgment regarding the
reasonableness of personal use. Individual departments are responsible for
creating guidelines concerning personal use of Internet/Intranet/Extranet systems.
In the absence of such policies, employees should be guided by departmental
policies on personal use, and if there is any uncertainty, employees should consult
their supervisor or manager.
InfoSec recommends that any information that users consider sensitive or
vulnerable be encrypted. For guidelines on information classification, see
InfoSec’s Information Sensitivity Policy. For guidelines on encrypting email and
documents, go to InfoSec’s Awareness Initiative.
For security and network maintenance purposes, authorized individuals
within CHI may monitor equipment, systems and network traffic at any time, per
InfoSec’s Audit Policy. CHI reserves the right to audit networks and systems on a
periodic basis to ensure compliance with this policy.
4.2 Security and Proprietary Information
• Information contained on CHI systems should be classified as either confidential or non-confidential. Examples of confidential information include but are not limited to: corporate strategies, trade secrets, specifications, customer lists, and research data.
• Employees should take all necessary steps to prevent unauthorized access to confidential information.
• Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly; user level passwords should be changed every six months.
• All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (control-alt-delete for Win2K users) when the host will be unattended.
• Use encryption of information in compliance with InfoSec’s Acceptable Encryption Use policy.
• Because information contained on portable computers is especially vulnerable, special care should be exercised. Protect laptops in accordance with the “Laptop Security Tips”.
• Postings by employees from a CHI email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of CHI, unless posting is in the course of business duties.
• All hosts used by the employee that are connected to the CHI Internet/Intranet/Extranet, whether owned by the employee or CHI, shall be continually executing approved virus-scanning software with a current virus database unless overridden by departmental or group policy.
• Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.
5.0 Unacceptable Use
The following activities are, in general, prohibited. Employees may be exempted
from these restrictions during the course of their legitimate job responsibilities (e.g.,
systems administration staff may have a need to disable the network access of a host that
is disrupting production services).
Under no circumstances is an employee of CHI authorized to engage in any
activity that is illegal under local, state, federal or international law while utilizing CHI-owned resources.
The lists below are by no means exhaustive, but attempt to provide a framework for
activities which fall into the category of unacceptable use.
5.1 System and Network Activities
The following activities are strictly prohibited, with no exceptions:
• Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by CHI.
• Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which CHI or the end user does not have an active license is strictly prohibited.
• Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
• Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
• Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
• Using a CHI computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
• Making fraudulent offers of products, items, or services originating from any CHI account.
• Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
• Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
• Port scanning or security scanning is expressly prohibited unless prior notification to InfoSec is made.
• Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.
• Circumventing user authentication or security of any host, network or account.
• Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack).
• Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet/Intranet/Extranet.
• Providing information about, or lists of, CHI employees to parties outside CHI.
5.2 Email and Communications Activities
• Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
• Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
• Unauthorized use, or forging, of email header information.
• Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies.
• Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
• Use of unsolicited email originating from within CHI’s networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by CHI or connected via CHI’s network.
• Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
5.3 Blogging
• Blogging by employees, whether using CHI’s property and systems or
personal computer systems, is also subject to the terms and restrictions set
forth in this Policy. Limited and occasional use of CHI’s systems to engage in
blogging is acceptable, provided that it is done in a professional and
responsible manner, does not otherwise violate CHI’s policy, is not
detrimental to CHI’s best interests, and does not interfere with an employee’s
regular work duties.
• Blogging from CHI’s systems falls under CHI’s Confidential Information
Policy and Non-Discrimination and Anti-Harassment policy and is therefore
subject to monitoring. As such, Employees are prohibited from revealing any
Company confidential or proprietary information, trade secrets or any other
material covered by Company’s Confidential Information policy when
engaged in blogging.
6.0 Enforcement
Any employee found to be in violation of this policy may be subject to disciplinary
action, up to and including termination of employment.
7.0 Definitions
Term: Blogging
Definition: Writing a blog. A blog (short for weblog) is a personal online journal that is frequently updated and intended for general public consumption.
Term: Spam
Definition: Unauthorized and/or unsolicited electronic mass mailings.
8.0 Revision History
Password
1.0 Purpose
This policy provides the requirements for creating and retrieving usernames and
passwords (i.e., credentials) for use by employees who require authentication to access
resources on CHI’s network.
These credentials are meant to restrict access based on privileges as assigned by
the IS/IT/InfoSec department and can be compromised when the credentials are
improperly stored.
2.0 Scope
This policy applies to all users that will access CHI resources, locally and through
VPN/ remote access.
3.0 Policy
3.1 General
In order to maintain the security of CHI’s internal resources, access by a
user must be granted only after authentication against one of the three Active
Directory domain controllers.
3.2 Specific Requirements
3.2.1 Username & Password Creation and Retention
• User names will consist of an employee’s first initial and last name
• Passwords will be 8 to 12 characters in length
• Passwords will be a combination of upper and lower case alphanumeric values which can include common symbols.
• Passwords will be valid for 45 days
• A minimum of 12 passwords will be kept in the system’s history,
not to be repeated.
• Passwords must be stored only as one-way hashes (see “Hash” in 5.0); storing
passwords using reversible encryption, which would allow an administrator or an
attacker who obtains the directory to recover them, is not permitted
3.2.2 Retrieval of User Names and Passwords
• If a user forgets his/her password, they should contact the CHI
technical support center (TSC) and request a password reset. The TSC
does not have access to a user’s password and is therefore unable to
access a user’s account directly without creating an audit log entry.
• When a member of the CHI TSC resets a user’s password, an entry
will be made in the system audit logs, and those logs will be
retained for a period of one (1) year.
• User names follow the standard format stated above: first initial and
last name. In the event of duplication, additional initials from the
user’s first name are used until the user name is unique.
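The rules in 3.2.1 and 3.2.2 are concrete enough to be checked mechanically. The following is an added example, not part of CHI’s policy or any CHI tooling: it validates a candidate password against the length and character-class rules, keeps the 12-entry history as salted one-way hashes (PBKDF2-HMAC-SHA256) rather than in any recoverable form, and assigns user names with the first-initial-plus-last-name scheme. Two points are this example’s own assumptions: the digit requirement is its reading of “alphanumeric”, and the progressive-initials rule for duplicate user names (jsmith, josmith, johsmith, ...) is one interpretation of 3.2.2. The prior password in the demo is constructed.

```python
import hashlib
import hmac
import os
import string

# Rules taken from Password Policy section 3.2.1.
MIN_LEN, MAX_LEN = 8, 12
HISTORY_DEPTH = 12
PBKDF2_ROUNDS = 100_000          # example value; tune to the directory's hardware
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation)


def validate_password(pw):
    """Return the 3.2.1 rules a candidate password violates (empty list == compliant)."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("length must be %d-%d characters" % (MIN_LEN, MAX_LEN))
    if not any(c.islower() for c in pw):
        problems.append("missing lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("missing upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("missing digit")       # assumed reading of "alphanumeric"
    if any(c not in ALLOWED for c in pw):
        problems.append("only letters, digits and common symbols are permitted")
    return problems


def hash_password(pw, salt=None):
    """Salted one-way hash. Unlike 'reversible encryption', the stored (salt, digest)
    pair lets the system verify a password without being able to recover it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(pw, history):
    """True if pw equals any of the last HISTORY_DEPTH stored (salt, digest) pairs."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(pw, salt)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def accept_new_password(pw, history):
    """Apply 3.2.1 in full: complexity rules, then the no-reuse rule. Returns (ok, reasons)."""
    problems = validate_password(pw)
    if in_history(pw, history):
        problems.append("password matches one of the last %d used" % HISTORY_DEPTH)
    return (not problems), problems


def assign_username(first, last, taken):
    """First initial + last name (3.2.1). On a collision, keep adding letters from the
    first name until the name is unique: jsmith -> josmith -> johsmith (assumed reading of 3.2.2)."""
    first, last = first.lower(), last.lower()
    for n in range(1, len(first) + 1):
        candidate = first[:n] + last
        if candidate not in taken:
            return candidate
    raise ValueError("no unique user name available for %s %s" % (first, last))


if __name__ == "__main__":
    history = [hash_password("Winter2024!")]              # constructed prior password
    print(accept_new_password("Winter2024!", history))    # rejected: reused
    print(accept_new_password("Spring25!Ok", history))    # accepted
    print(assign_username("John", "Smith", {"jsmith"}))   # josmith
```

Because the history holds only salted digests, a helpdesk operator or an attacker with a copy of the store cannot read the old passwords, which is the property the “reverse encryption” wording in 3.2.1 would have given away.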
4.0 Enforcement
Any employee found to be in violation of this policy may be subject to disciplinary
action, up to and including termination of employment.
5.0 Definitions
Credentials: Something you know (e.g., a password or pass phrase) and/or something
that identifies you (e.g., a user name, a fingerprint, voiceprint, retina print).
Something you know and something that identifies you are presented for
authentication.
Entitlement: The level of privilege that has been authenticated and authorized; the
privilege level at which a resource may be accessed.
Executing body: The series of computer instructions that the computer executes to
run a program.
Hash: A fixed-size value generated from a datum by a one-way function. For
passwords, the stored hash allows a submitted password to be verified without
the original password being recoverable from what is stored.
Name space: A logical area of code in which the declared symbolic names are known
and outside of which these names are not visible.
6.0 Revision History
Remote Access
1.0 Purpose
The purpose of this policy is to define standards for connecting to CHI’s network
from any host. These standards are designed to minimize the potential exposure to CHI
from damages which may result from unauthorized use of CHI resources. Damages
include the loss of sensitive or company confidential data, intellectual property, damage
to public image, damage to critical CHI internal systems, etc.
2.0 Scope
This policy applies to all CHI employees, contractors, vendors and agents with a
CHI-owned or personally-owned computer or workstation used to connect to the CHI
network. This policy applies to remote access connections used to do work on behalf of
CHI, including reading or sending email and viewing intranet web resources.
Remote access implementations that are covered by this policy include, but are
not limited to, dial-in modems, frame relay, ISDN, DSL, VPN, SSH, and cable modems,
etc.
3.0 Policy
3.1 General
It is the responsibility of CHI employees, contractors, vendors and agents
with remote access privileges to CHI’s corporate network to ensure that their
remote access connection is given the same consideration as the user’s on-site
connection to CHI.
General access to the Internet for recreational use by immediate household
members through the CHI Network on personal computers is permitted for
employees that have flat-rate services. The CHI employee is responsible to ensure
the family member does not violate any CHI policies, does not perform illegal
activities, and does not use the access for outside business interests.
The CHI employee bears responsibility for the consequences should access be
misused. Please review the following policies for details of protecting information
when accessing the corporate network via remote access methods, and acceptable
use of CHI’s network:
• Acceptable Encryption Policy
• Virtual Private Network (VPN) Policy
• Wireless Communications Policy
• Acceptable Use Policy
For additional information regarding CHI’s remote access connection options,
including how to order or disconnect service, cost comparisons, troubleshooting,
etc., go to the Remote Access Services website.




3.2 Requirements
• Secure remote access must be strictly controlled. Control will be enforced via
one-time password authentication or public/private keys with strong pass-phrases.
For information on creating a strong pass-phrase see the Password Policy.
• At no time should any CHI employee provide their login or email password to
anyone, not even family members.
• CHI employees and contractors with remote access privileges must ensure that their
CHI-owned or personal computer or workstation, which is remotely connected to
CHI’s corporate network, is not connected to any other network at the same time,
with the exception of personal networks that are under the complete control of the
user.
• CHI employees and contractors with remote access privileges to CHI’s corporate
network must not use non-CHI email accounts (e.g., Hotmail, Yahoo, AOL) or other
external resources to conduct CHI business, thereby ensuring that official business
is never confused with personal business.
• Routers for dedicated ISDN lines configured for access to the CHI network must
meet minimum authentication requirements of CHAP.
• Reconfiguration of a home user’s equipment for the purpose of split-tunneling or
dual homing is not permitted at any time.
• Frame Relay must meet minimum authentication requirements of DLCI standards.
• Non-standard hardware configurations must be approved by Remote Access Services,
and InfoSec must approve security configurations for access to hardware.
• All hosts that are connected to CHI internal networks via remote access
technologies must use the most up-to-date anti-virus software (place url to
corporate software site here); this includes personal computers. Third party
connections must comply with requirements as stated in the Third Party Agreement.
• Personal equipment that is used to connect to CHI’s networks must meet the
requirements of CHI-owned equipment for remote access.
• Organizations or individuals who wish to implement non-standard Remote Access
solutions to the CHI production network must obtain prior approval from Remote
Access Services and InfoSec.
4.0 Enforcement
Any employee found to be in violation of this policy may be subject to disciplinary action,
up to and including termination of employment.
5.0 Definitions
Cable Modem: Cable companies such as AT&T Broadband provide Internet access over
Cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive
data from the Internet at over 1.5 Mbps. Cable is currently available only in
certain communities.
CHAP: Challenge Handshake Authentication Protocol is an authentication method that
uses a one-way hashing function.
DLCI: Data Link Connection Identifier (DLCI) is a unique number assigned to a
Permanent Virtual Circuit (PVC) end point in a frame relay network. DLCI identifies
a particular PVC endpoint within a user’s access channel in a frame relay network,
and has local significance only to that channel.
Dial-in Modem: A peripheral device that connects computers to each other for sending
communications via the telephone lines. The modem modulates the digital data of
computers into analog signals to send over the telephone lines, then demodulates
back into digital signals to be read by the computer on the other end; thus the
name “modem” for modulator/demodulator.
Dual Homing: Having concurrent connectivity to more than one network from a
computer or network device. Examples include: being logged into the corporate
network via a local Ethernet connection and dialing into AOL or another Internet
service provider (ISP); being on a CHI-provided remote access home network and
connecting to another network, such as a spouse’s remote access; configuring an
ISDN router to dial into CHI and an ISP, depending on packet destination.
DSL: Digital Subscriber Line (DSL) is a form of high-speed Internet access competing
with cable modems. DSL works over standard phone lines and supports data speeds
of over 2 Mbps downstream (to the user) and slower speeds upstream (to the
Internet).
Frame Relay: A method of communication that incrementally can go from the speed of
an ISDN to the speed of a T1 line. Frame Relay has a flat-rate billing charge
instead of a per time usage. Frame Relay connects via the telephone company’s
network.
ISDN: There are two flavors of Integrated Services Digital Network or ISDN: BRI and
PRI. BRI is used for home office/remote access. BRI has two “Bearer” channels at
64kbit (aggregate 128kb) and 1 D channel for signaling info.
Remote Access: Any access to CHI’s corporate network through a non-CHI controlled
network, device, or medium.
Split-tunneling: Simultaneous direct access to a non-CHI network (such as the
Internet, or a home network) from a remote device (PC, PDA, WAP phone, etc.) while
connected into CHI’s corporate network via a VPN tunnel.
VPN: Virtual Private Network (VPN) is a method for accessing a remote network via
“tunneling” through the Internet.
6.0 Revision History
Virtual Private Network (VPN) Policy
1.0 Purpose
The purpose of this policy is to provide guidelines for Remote Access IPSec or
L2TP Virtual Private Network (VPN) connections to the CHI corporate network.
2.0 Scope
This policy applies to all CHI employees, contractors, consultants, temporaries,
and other workers including all personnel affiliated with third parties utilizing VPNs to
access the CHI network. This policy applies to implementations of VPN that are directed
through an IPSec Concentrator.
3.0 Policy
Approved CHI employees and authorized third parties (customers, vendors, etc.)
may utilize the benefits of VPNs, which are a “user managed” service. This means that
the user is responsible for selecting an Internet Service Provider (ISP), coordinating
installation, installing any required software, and paying associated fees. Further details
may be found in the Remote Access Policy.
Additionally,
• It is the responsibility of employees with VPN privileges to ensure that
unauthorized users are not allowed access to CHI internal networks.
• VPN use is to be controlled using either a one-time password authentication such
as a token device or a public/private key system with a strong passphrase.
• When actively connected to the corporate network, VPNs will force all traffic to
and from the PC over the VPN tunnel; all other traffic will be dropped.
• Dual (split) tunneling is NOT permitted; only one network connection is allowed.
• VPN gateways will be set up and managed by CHI network operational groups.
• All computers connected to CHI internal networks via VPN or any other
technology must use the most up-to-date anti-virus software that is the corporate
standard (provide URL to this software); this includes personal computers.
• VPN users will be automatically disconnected from CHI’s network after thirty
minutes of inactivity. The user must then log on again to reconnect to the network.
Pings or other artificial network processes are not to be used to keep the
connection open.
• The VPN concentrator is limited to an absolute connection time of 24 hours.
• Users of computers that are not CHI-owned equipment must configure the
equipment to comply with CHI’s VPN and Network policies.
• Only InfoSec-approved VPN clients may be used.
• By using VPN technology with personal equipment, users must understand that
their machines are a de facto extension of CHI’s network, and as such are subject
to the same rules and regulations that apply to CHI-owned equipment, i.e., their
machines must be configured to comply with InfoSec’s Security Policies.
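Both the Remote Access Policy (no dual homing or split tunneling) and the VPN Policy bullets above (all traffic forced through the tunnel, a 30-minute idle limit and a 24-hour absolute limit, no keepalive pings) can be verified from data the endpoint and the gateway already hold. The following is an added example rather than CHI’s own code or any VPN vendor’s client: it inspects a Linux routing table in `ip route` format for routes that bypass an assumed tunnel interface `tun0`, and evaluates a session against the two time limits while ignoring ICMP echo traffic so that artificial pings do not count as activity. The routing tables, the gateway address 203.0.113.7 and the session timeline are constructed for the example.

```python
import datetime as dt

# Constructed `ip route show` output for a laptop on home Wi-Fi (wlan0) with a VPN
# on tun0. A full-tunnel client commonly installs 0.0.0.0/1 and 128.0.0.0/1, which
# together override any /0 default route, plus a host route to the gateway itself.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
203.0.113.7 via 192.168.1.1 dev wlan0
"""

# Constructed split-tunnel table: only 10.0.0.0/8 goes to CHI, everything else
# leaves directly via the home router.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
"""


def parse_routes(text):
    """Yield (destination, prefix_len, device, via) for each `ip route` line."""
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dest = f[0]
        if dest == "default":
            dest, plen = "0.0.0.0", 0
        elif "/" in dest:
            dest, plen = dest.split("/")[0], int(dest.split("/")[1])
        else:
            plen = 32
        dev = f[f.index("dev") + 1] if "dev" in f else None
        via = f[f.index("via") + 1] if "via" in f else None
        yield dest, plen, dev, via


def split_tunnel_violations(route_text, tunnel_dev, vpn_gateway_ip):
    """Return findings; an empty list means every non-local destination goes via the tunnel."""
    findings = []
    tunnel_defaults = set()
    for dest, plen, dev, via in parse_routes(route_text):
        if dev == tunnel_dev:
            if plen <= 1:
                tunnel_defaults.add((dest, plen))
            continue
        if via is None:
            continue            # directly connected LAN: the user's own network
        if plen == 32 and dest == vpn_gateway_ip:
            continue            # the one off-tunnel route a full tunnel needs
        findings.append("route %s/%d via %s on %s bypasses %s" % (dest, plen, via, dev, tunnel_dev))
    covered = ("0.0.0.0", 0) in tunnel_defaults or \
              {("0.0.0.0", 1), ("128.0.0.0", 1)} <= tunnel_defaults
    if not covered:
        findings.append("no default route through %s" % tunnel_dev)
    return findings


IDLE_LIMIT = dt.timedelta(minutes=30)
ABSOLUTE_LIMIT = dt.timedelta(hours=24)


def session_action(connected_at, events, now):
    """events: (timestamp, protocol) pairs seen on the tunnel. ICMP is ignored so that
    pings cannot keep a session alive. Returns 'keep', 'disconnect:idle' or 'disconnect:absolute'."""
    if now - connected_at >= ABSOLUTE_LIMIT:
        return "disconnect:absolute"
    user_traffic = (t for t, proto in events if t <= now and proto.lower() != "icmp")
    last_user = max(user_traffic, default=connected_at)
    if now - last_user >= IDLE_LIMIT:
        return "disconnect:idle"
    return "keep"


def demo_session_actions():
    """Constructed timeline: connect 09:00, user traffic 09:05, keepalive pings 09:25 and 09:35."""
    t0 = dt.datetime(2024, 3, 1, 9, 0)
    ev = [(t0 + dt.timedelta(minutes=5), "tcp"),
          (t0 + dt.timedelta(minutes=25), "icmp"),
          (t0 + dt.timedelta(minutes=35), "icmp")]
    return (session_action(t0, ev, t0 + dt.timedelta(minutes=20)),
            session_action(t0, ev, t0 + dt.timedelta(minutes=40)),
            session_action(t0, ev, t0 + dt.timedelta(hours=24)))


if __name__ == "__main__":
    print(split_tunnel_violations(FULL_TUNNEL, "tun0", "203.0.113.7"))   # []
    print(split_tunnel_violations(SPLIT_TUNNEL, "tun0", "203.0.113.7"))  # two findings
    print(demo_session_actions())   # ('keep', 'disconnect:idle', 'disconnect:absolute')
```

The route check deliberately tolerates two off-tunnel routes: the directly connected home LAN (the "personal network under the complete control of the user" the Remote Access Policy allows) and the host route to the VPN gateway, without which the tunnel could not be carried. Anything else reachable via a non-tunnel next hop is the dual homing the policy forbids.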
4.0 Enforcement
Any employee found to be in violation of this policy may be subject to disciplinary
action, up to and including termination of employment.
5.0 Definitions
IPSec Concentrator: A device in which VPN connections are terminated.
6.0 Revision History
E-mail & Messaging Use and Retention
Use
1.0 Purpose
To prevent tarnishing the public image of CHI. When email leaves the CHI
domain the general public will tend to view that message as an official policy statement
from CHI.
2.0 Scope
This policy covers appropriate use of any email sent from a CHI email address
and applies to all employees, vendors, and agents operating on behalf of CHI.
3.0 Policy
3.1 Prohibited Use. The CHI email system shall not be used for the creation or
distribution of any disruptive or offensive messages, including offensive
comments about race, gender, hair color, disabilities, age, sexual orientation,
pornography, religious beliefs and practice, political beliefs, or national
origin. Employees who receive any emails with this content from any CHI
employee should report the matter to their supervisor immediately.
3.2 Personal Use.
Using a reasonable amount of CHI resources for personal emails is
acceptable, but non-work related email shall be saved in a separate folder from
work related email. Sending chain letters or joke emails from a CHI email account
is prohibited. Virus or other malware warnings and mass mailings from CHI shall
be approved by CHI VP Operations before sending. These restrictions also apply
to the forwarding of mail received by a CHI employee.
3.3 Monitoring
CHI employees shall have no expectation of privacy in anything they store, send
or receive on the company’s email system. CHI may monitor messages without
prior notice. CHI is not obliged to monitor email messages.
4.0 Enforcement
Any employee found to be in violation of this policy may be subject to disciplinary action,
up to and including termination of employment.
5.0 Definitions
Email: The electronic transmission of information through a mail protocol such as
SMTP or IMAP. Typical email clients include Eudora and Microsoft Outlook.
Forwarded email: Email resent from an internal network to an outside point.
Chain email or letter: Email sent to successive people. Typically the body of the
note has direction to send out multiple copies of the note and promises good luck
or money if the direction is followed.
Sensitive information: Information is considered sensitive if it can be damaging to
CHI or its customers’ reputation or market standing.
Virus warning: Email containing warnings about virus or malware. The overwhelming
majority of these emails turn out to be a hoax and contain bogus information
usually intent only on frightening or misleading users.
Unauthorized Disclosure: The intentional or unintentional revealing of restricted
information to people, both inside and outside CHI, who do not have a need to
know that information.
6.0 Revision History
Retention
1.0 Purpose
The Email Retention Policy is intended to help employees determine what
information sent or received by email should be retained and for how long. The
information covered in these guidelines includes, but is not limited to, information that is
either stored or shared via electronic mail or instant messaging technologies.
All employees should familiarize themselves with the email retention topic areas that
follow this introduction. Questions about the proper classification of a specific piece of
information should be addressed to your manager. Questions about these guidelines
should be addressed to Infosec.
2.0 Scope
This email retention policy is secondary to CHI policy on Freedom of Information
and Business Record Keeping. Any email that contains information in the scope of the
Business Record Keeping policy should be treated in that manner. All CHI email
information is categorized into four main classifications with retention guidelines:
• Administrative Correspondence (4 years)
• Fiscal Correspondence (4 years)
• General Correspondence (1 year)
• Ephemeral Correspondence (Retain until read, destroy)
3.0 Policy
3.1
Administrative Correspondence
CHI Administrative Correspondence includes, though is not limited to
clarification of established company policy, including holidays, time card
information, dress code, work place behavior and any legal issues such as
intellectual property violations.
All email with the information sensitivity label Management Only shall be
treated as Administrative Correspondence. To ensure Administrative
Correspondence is retained, a mailbox admin@CHI has been created. If you copy
(cc) this address when you send email, retention will be administered by the IT
Department.
3.2
Fiscal Correspondence
CHI Fiscal Correspondence is all information related to revenue and
expense for the company. To ensure Fiscal Correspondence is retained, a mailbox
fiscal@CHI has been created, if you copy (cc) this address when you send email,
retention will be administered by the IT Department.
3.3
General Correspondence
CHI General Correspondence covers information that relates to customer
interaction and the operational decisions of the business. The individual
employee is responsible for email retention of General Correspondence.
3.4
Ephemeral Correspondence
CHI Ephemeral Correspondence is by far the largest category and includes
personal email, requests for recommendations or review, email related to product
development, updates and status reports.
3.5
Instant Messenger Correspondence
CHI Instant Messenger General Correspondence may be saved with the
logging function of Instant Messenger, or copied into a file and saved. Instant
Messenger conversations that are Administrative or Fiscal in nature should be
copied into an email message and sent to the appropriate email retention address.
3.6
Encrypted Communications
CHI encrypted communications should be stored in a manner consistent
with CHI Information Sensitivity Policy, but in general, information should be
stored in a decrypted format.
3.7 Recovering Deleted Email via Backup Media
CHI maintains backup tapes from the email server and once a quarter a set
of tapes is taken out of the rotation and they are moved offsite. No effort will be
made to remove email from the offsite backup tapes.
4.0 Enforcement
Any employee found to be in violation of this policy may be subject to disciplinary
action, up to and including termination of employment.
5.0 Definitions
Approved Electronic Mail: Includes all mail systems supported by the IT Support
Team. These include, but are not necessarily limited to, [insert corporate supported
mailers here…]. If you have a business need to use other mailers contact the
appropriate support organization.
Approved Encrypted email and files: Techniques include the use of DES and PGP. DES
encryption is available via many different public domain packages on all platforms.
Single DES is no longer considered a secure cipher, however, and should be replaced
by an algorithm approved under the Acceptable Encryption Policy. PGP use within
CHI is done via a license. Please contact the appropriate support organization if
you require a license.
Approved Instant Messenger: The Jabber Secure IM Client is the only IM that is
approved for use on CHI computers.
Individual Access Controls: Individual Access Controls are methods of electronically
protecting files from being accessed by people other than those specifically
designated by the owner. On UNIX machines, this is accomplished by careful use of
the chmod command (use man chmod to find out more about it). On Macs and PCs, this
includes using passwords on screensavers, such as Disklock.
Insecure Internet Links: Insecure Internet Links are all network links that
originate from a locale or travel over lines that are not totally under the control
of CHI.
Encryption: Secure CHI Sensitive information in accordance with the Acceptable
Encryption Policy. International issues regarding encryption are complex. Follow
corporate guidelines on export controls on cryptography, and consult your manager
and/or corporate legal services for further guidance.
6.0 Revision History
28 July, 2003 Added discussion of backup media
Ethics Policy
1.0 Overview
CHI’s purpose for this ethics policy is to establish a culture of openness, trust and
integrity in business practices. Effective ethics is a team effort involving the
participation and support of every CHI employee. All employees should familiarize
themselves with the ethics guidelines that follow this introduction.
CHI is committed to protecting employees, partners, vendors and the company
from illegal or damaging actions by individuals, whether committed knowingly or
unknowingly. When CHI addresses issues proactively and uses correct judgment, it
will help set us apart from competitors.
CHI will not tolerate any wrongdoing or impropriety at any time. CHI will take the
appropriate measures and act quickly to correct the issue if the ethical code is
broken. Any infraction of this code of ethics will not be tolerated.
2.0 Purpose
The purpose for authoring a publication on ethics is to emphasize the employee’s and
consumer’s expectation to be treated to fair business practices. This policy will serve
to guide business behavior to ensure ethical conduct.
3.0 Scope
This policy applies to employees, contractors, consultants, temporaries, and other
workers at CHI, including all personnel affiliated with third parties.
4.0 Policy
4.1. Executive Commitment to Ethics
• Top brass within CHI must set a prime example. In any business practice,
honesty and integrity must be top priority for executives.
• Executives must have an open door policy and welcome suggestions and concerns
from employees. This will allow employees to feel comfortable discussing any
issues and will alert executives to concerns within the work force.
• Executives must disclose any conflict of interest regarding their position within
CHI.
4.2. Employee Commitment to Ethics
• CHI employees will treat everyone fairly, have mutual respect, promote a team
environment and avoid the intent and appearance of unethical or compromising
practices.
• Every employee needs to apply effort and intelligence in maintaining ethical values.
• Employees must disclose any conflict of interest regarding their position within
CHI.
• Employees will help CHI to increase customer and vendor satisfaction by
providing quality products and timely responses to inquiries.
4.3. Company Awareness
• Promotion of ethical conduct within interpersonal communications of employees
will be rewarded.
• CHI will promote a trustworthy and honest atmosphere to reinforce the vision of
ethics within the company.
4.4. Maintaining Ethical Practices
• CHI will reinforce the importance of the integrity message, and the tone will start
at the top. Every employee, manager and director needs to consistently maintain an
ethical stance and support ethical behavior.
• Employees at CHI should encourage open dialogue, get honest feedback and treat
everyone fairly, with honesty and objectivity.
• CHI has established a best practice disclosure committee to make sure the ethical
code is delivered to all employees and that concerns regarding the code can be
addressed.
4.5. Unethical Behavior
• CHI will avoid the intent and appearance of unethical or compromising practice in
relationships, actions and communications.
• CHI will not tolerate harassment or discrimination.
• Unauthorized use of company trade secrets and marketing, operational, personnel,
financial, source code, and technical information integral to the success of our
company will not be tolerated.
• CHI will not permit impropriety at any time, and we will act ethically and
responsibly in accordance with laws.
• CHI employees will not use corporate assets or business relationships for personal
use or gain.
5.0 Enforcement
Any employee found to be in violation of this policy may be subject to disciplinary
action, up to and including termination of employment.
6.0 Definitions
Term
Definition
7.0 Revision History
Firewall
External Security
1.0 Purpose
This policy establishes information security requirements for all networks and
equipment deployed in CHI located on the “De-Militarized Zone” (DMZ). Adherence to
these requirements will minimize the potential risk to CHI from the damage to public
image caused by unauthorized use of CHI resources, and the loss of sensitive/company
confidential data and intellectual property.
2.0 Scope
CHI networks and devices (including but not limited to routers, switches, hosts,
etc.) that are Internet facing and located outside CHI corporate Internet firewalls are
considered part of the DMZ and are subject to this policy. This includes DMZ equipment
in primary Internet Service Provider (ISP) locations and remote locations.
All existing and future equipment, which falls under the scope of this policy,
must be configured according to the referenced documents. This policy does not apply to
equipment residing inside CHI’s corporate Internet firewalls. Standards for that
equipment are defined in the Internal Security Policy.
3.0 Policy
3.1. Ownership and Responsibilities
1. All new DMZ equipment must accompany a business justification with sign-off at
the business unit Vice President level. InfoSec must keep the business
justifications on file.
2. Departments are responsible for assigning managers, point of contact (POC), and
back up POC, for each department and must maintain up to date POC information
with InfoSec [and the corporate enterprise management system, if one exists].
Managers or their backup must be available around-the-clock for emergencies.
3. Changes to the connectivity and/or purpose of existing DMZ equipment and
establishment of new DMZ equipment connectivity must be requested through a
CHI Network Support Organization and approved by InfoSec.
4. All ISP connections must be maintained by a CHI Network Support Organization.
5. A Network Support Organization must maintain a firewall device between the
DMZ and the Internet.
6. The Network Support Organization and InfoSec reserve the right to interrupt
device connections if a security concern exists.
7. The Departments will provide and maintain network devices deployed in the
DMZ up to the Network Support Organization point of demarcation.
8. The Network Support Organization must record all DMZ equipment address
spaces and current contact information [in the corporate enterprise management
system, if one exists].
9. The Department Managers are ultimately responsible for their organizations
complying with this policy.
10. Immediate access to equipment and system logs must be granted to members of
InfoSec and the Network Support Organization upon request, in accordance with
the Audit Policy
11. Individual accounts must be disabled within three (3) days when access is no
longer authorized. Group account passwords must comply with the Password
Policy and must be changed within three (3) days from a change in the group
membership.
12. InfoSec will address non-compliance waiver requests on a case-by-case basis.
3.2. General Configuration Requirements
1. Production resources must not depend upon resources on the DMZ networks.
2. DMZ equipment must not be connected to CHI’s corporate internal networks,
either directly or via a wireless connection.
3. DMZ equipment should be in a physically separate room from any internal
networks. If this is not possible, the equipment must be in a locked rack with
limited access. In addition, the Department Manager must maintain a list of who
has access to the equipment.
4. Department Managers are responsible for complying with the following related
policies:
a. Password Policy
b. Wireless Communications Policy
c. Anti-Virus Policy
5. The Network Support Organization maintained firewall devices must be
configured in accordance with least-access principles and the department business
needs. All firewall filters will be maintained by InfoSec.
6. The firewall device must be the only access point between the DMZ and the rest
of CHI’s networks and/or the Internet. Any form of cross-connection which
bypasses the firewall device is strictly prohibited.
7. Original firewall configurations and any changes thereto must be reviewed and
approved by InfoSec (including both general configurations and rule sets).
InfoSec may require additional security measures as needed.
8. Traffic from the DMZ to the CHI internal network, including VPN access, falls
under the Remote Access Policy
9. All routers and switches not used for testing and/or training must conform to the
DMZ Router and Switch standardization documents.
10. Operating systems of all hosts internal to the DMZ running Internet Services must
be configured to the secure host installation and configuration standards. [Add url
link to site where your internal configuration standards are kept].
11. Current applicable security patches/hot-fixes for any applications that are Internet
services must be applied. Administrative owner groups must have processes in
place to stay current on appropriate patches/hotfixes.
12. All applicable security patches/hot-fixes recommended by the vendor must be
installed. Administrative owner groups must have processes in place to stay
current on appropriate patches/hotfixes.
13. Services and applications not serving business requirements must be disabled.
14. CHI Confidential information is prohibited on equipment where non-CHI
personnel have physical access (e.g., training labs), in accordance with the
Information Sensitivity Classification Policy
15. Remote administration must be performed over secure channels (e.g., encrypted
network connections using SSH or IPSEC) or console access independent from
the DMZ networks.
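Several of the configuration requirements above (rule sets built on least-access principles, no path from the DMZ into the internal network that bypasses the firewall, remote administration only over secure channels) can be checked against a rule set before InfoSec approves it. The following is an added example, not CHI’s firewall configuration or any vendor’s tooling: it audits a constructed list of rules in a simple src/dst/port/action form, evaluated top-down with first match winning. The address plan (internal 10.0.0.0/8, DMZ 192.0.2.0/24, management network 10.250.0.0/24), the port lists and the rules themselves are assumptions chosen for the example.

```python
import ipaddress

# Assumed address plan for the example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")
MGMT = ipaddress.ip_network("10.250.0.0/24")      # where InfoSec / NSO administrators sit

SECURE_ADMIN_PORTS = {22}                          # SSH (IPsec is not port-based, so not listed)
CLEARTEXT_ADMIN_PORTS = {23, 80, 161}              # telnet, plain-http admin, SNMPv1/v2c

# Constructed rule set. Rules 4, 5 and 6 (indices 3, 4, 5) are the deliberate violations.
RULES = [
    {"src": "0.0.0.0/0",     "dst": "192.0.2.10/32", "port": 443,   "action": "allow"},
    {"src": "0.0.0.0/0",     "dst": "192.0.2.20/32", "port": 53,    "action": "allow"},
    {"src": "10.250.0.0/24", "dst": "192.0.2.0/24",  "port": 22,    "action": "allow"},
    {"src": "0.0.0.0/0",     "dst": "192.0.2.0/24",  "port": 22,    "action": "allow"},
    {"src": "10.250.0.0/24", "dst": "192.0.2.0/24",  "port": 23,    "action": "allow"},
    {"src": "192.0.2.0/24",  "dst": "10.0.0.0/8",    "port": 1433,  "action": "allow"},
    {"src": "0.0.0.0/0",     "dst": "0.0.0.0/0",     "port": "any", "action": "deny"},
]


def audit_rules(rules):
    """Return (rule_index, finding) pairs for rules that violate section 3.2 requirements."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        src = ipaddress.ip_network(r["src"])
        dst = ipaddress.ip_network(r["dst"])
        port = r["port"]
        # 3.2.5 least access: a blanket permit defeats the purpose of the firewall.
        if src.prefixlen == 0 and dst.prefixlen == 0:
            findings.append((i, "permit any->any"))
        # 3.2.2 / 3.2.6: the DMZ must not reach internal networks through an open rule;
        # such access falls under the Remote Access and VPN policies (3.2.8).
        if src.overlaps(DMZ) and dst.overlaps(INTERNAL):
            findings.append((i, "DMZ %s may reach internal %s on port %s" % (src, dst, port)))
        # 3.2.15: remote administration only over secure channels ...
        if port in CLEARTEXT_ADMIN_PORTS and dst.overlaps(DMZ):
            findings.append((i, "cleartext administration (port %s) into the DMZ" % port))
        # ... and, for this example, only from the management network.
        if port in SECURE_ADMIN_PORTS and dst.overlaps(DMZ) and not src.subnet_of(MGMT):
            findings.append((i, "administrative access to DMZ from %s, not the management network" % src))
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == "0.0.0.0/0"
            and last["dst"] == "0.0.0.0/0" and last["port"] == "any"):
        findings.append((len(rules), "rule set does not end with an explicit deny-all"))
    return findings


if __name__ == "__main__":
    for idx, msg in audit_rules(RULES):
        print("rule %d: %s" % (idx, msg))
```

The audit is intentionally conservative: any source that is not wholly inside the management network is reported for SSH into the DMZ, so a broad 0.0.0.0/0 source is flagged even though it happens to include the management range. A rule set that passes still needs the InfoSec review required by 3.2.7; the script only catches the structural mistakes that are easy to miss in a long filter list.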
4.0 Enforcement
Any employee found to be in violation of this policy may be subject to disciplinary action,
up to and including termination of employment.
5.0 Definitions
Access Control List (ACL): Lists kept by routers to control access to or from the
router for a number of services (for example, to prevent packets with a certain IP
address from leaving a particular interface on the router).
DMZ (de-militarized zone): Networking that exists outside of CHI primary corporate
firewalls, but is still under CHI administrative control.
Network Support Organization: Any InfoSec-approved support organization that
manages the networking of non-lab networks.
Least Access Principle: Access to services, hosts, and networks is restricted unless
otherwise permitted.
Internet Services: Services running on devices that are reachable from other devices
across a network. Major Internet services include DNS, FTP, HTTP, etc.
Network Support Organization Point of Demarcation: The point at which the
networking responsibility transfers from a Network Support Organization to the
DMZ Lab. Usually a router or firewall.
Firewall: A device that controls access between networks, such as a PIX, a router
with access control lists, or a similar security device approved by InfoSec.
Internally Connected Lab: A lab within CHI’s corporate firewall and connected to the
corporate production network.
6.0 Revision History
Internal Security
1.0 Purpose
This policy establishes information security requirements for all networks and
equipment deployed in CHI located on the internal network. Adherence to these
requirements will minimize the potential risk to CHI from the damage to public image
caused by unauthorized use of CHI resources, and the loss of sensitive/company
confidential data and intellectual property.
2.0 Scope
CHI networks and devices (including but not limited to routers, switches, hosts,
etc.) that are Intra-network facing and located inside CHI corporate Internet firewalls are
considered part of the internal network and…
