INFORMATION TECHNOLOGY POLICIES & PROCEDURES

Orani Water District (OraniWD) information technology resources constitute a valuable company asset that must be managed accordingly to ensure their integrity, security, and availability for research and business activities. Carrying out this mission requires the Company to establish basic Information Security policies and standards and to provide both access and reasonable Security at an acceptable cost. The OraniWD Information Technology Policies and Procedures are intended to facilitate and support authorized access to Company information. 

The purposes of the OraniWD Information Policies and Procedures are:
  • To establish a set of Company Protocols for Information Security;
  • To help identify and prevent the compromise of Information Security and the misuse of OraniWD information technology resources;
  • To protect the reputation of the Company and to allow OraniWD to satisfy its legal and ethical responsibilities with regard to MIS information technology resources; and
  • To enable OraniWD to respond to complaints and queries about real or perceived non-compliance with the OraniWD Information Technology Policies and Procedures.


Defined Terms


The definitions of capitalized words and phrases in these Policies and Procedures have special meanings. Their definitions appear in Appendix C (Defined Terms); readers should review those terms before reading these Policies and Procedures and refer to them thereafter as needed.

Responsibility
Authorized Users of OraniWD information technology resources are personally responsible for complying with all company policies, procedures and standards relating to Information Security, regardless of location and will be held personally accountable for any misuse of these resources.

Amendments
Proposals for amendments to this document may be submitted to the Information Technology (MIS) Section for review. If the review results in the need to amend the Information Technology Policies and Procedures Manual, the MIS personnel will draft the proposed amendment and it will be forwarded to the GM for review and if approved, for recommendation to the Board for inclusion in the Information Technology Policies and Procedures Manual.
Table of Contents
Acceptable Use Policy
Guest User Policy
OraniWD Confidentiality Policy
Unauthorized Use Policy
Electronic Communications Policy
Password Policy
Acceptable Encryption Policy
Remote Access Policy
Physical Security Policy
Workstation Configuration Security Policy
Server Configuration Security Policy
General Configuration Policy
Wireless Communication Policy
Change Management Policy
Information Security Audit Policy
Data Management and Access Policy
Source Code Policy
Mobile Device Security Policy
Internet Policy
E-Mail Use Policy
Data Handling Guidelines for Exiting Employees
ITS Privileged Access Agreement
Appendix A: Making Changes to OraniWD Software
Appendix B: Rules of Behavior
Appendix C: Defined Terms

1. Acceptable Use Policy

1.1. Overview
This policy is intended to protect the Company and its employees from the consequences of illegal or damaging actions by individuals using the Company Information Technology Network.

The Company Information Technology Network includes, but is not limited to:

Internet/Intranet/Extranet-related systems, computer/Networking equipment, Software, Operating Systems, storage media, Network accounts providing electronic mail, Instant Messaging, the employee information system, WWW browsing, and FTP, all of which are property of OraniWD. They are to be used for Company business purposes and to serve its interests.

Effective computer Security is a team effort requiring the participation and support of every Company employee and Authorized User who deals with information and/or information systems. It is the responsibility of every computer user to know the Company Information Technology Policies and Procedures, and to comply with the Company Information Technology Policies and Procedures.

1.2. Purpose
This policy describes the Authorized Use of the Company Information Technology Network and protects the Company and Authorized Users. Unauthorized uses expose the Company to many risks including legal liability, Virus attacks, and the compromise of Network systems, Services, and information.

1.3. Scope
This policy applies to all persons with an OraniWD-issued/owned or personal computing device that is connected to the Company Information Technology Network.

1.4. Policy
1.4.1. General Use and Ownership.
1.4.1.1.  All Company employees, unless otherwise specified, shall be granted “User” access privileges to the Company Information Technology Network according to their official functions and responsibilities, thus becoming Authorized Users.

1.4.1.2. All Data created by Authorized Users in the Company Information Technology Network are property of the Company, including Data created through personal devices. Authorized Use includes reasonable personal use of the Company Information Technology Network by Authorized Users.

1.4.1.3. “Reasonable personal use” in these IT Policies & Procedures means only personal activities needed to attend to one’s own or one’s family’s needs at the time they are carried out.

1.4.1.4. Any information that an Authorized User considers to be sensitive or vulnerable shall be encrypted.

1.4.1.5. Authorized Company employees shall monitor the Company Information Technology Network traffic at any time, in accordance with the Information Security Audit Policy.

1.4.1.6. The Company reserves the right to audit Networks and systems on a periodic basis or anytime, to ensure compliance with the Company Information Technology Policies and Procedures.
1.4.2. Security and Proprietary Information.
1.4.2.1. Authorized Users are required to classify information contained on the Company Information Technology Network as “confidential” or “not confidential,” as defined by the Company Confidentiality Guidelines. Confidential information includes, but is not limited to: Company records and files, specifications, and research data. Employees are required to take all necessary steps to prevent unauthorized access to this Sensitive Information.

1.4.2.2. Authorized Users are responsible for the Security of their passwords and accounts and must keep passwords confidential and shall not share accounts.

1.4.2.3. Authorized Users are responsible for logging out of all systems and accounts when they are not in use. Logged-in sessions must not be left unattended.

1.4.2.4. All laptops and workstations that are part of or connected to the Company Information Technology Network are required to be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off when the device will be unattended.

1.4.2.5. Encryption of information must be used in compliance with Information Security's Acceptable Encryption Use Policy.

1.4.2.6. Authorized Users are required to exercise special care to protect laptop computers that are part of or connected to the Company Information Technology Network in accordance with the “Laptop Security Guidelines.”

1.4.2.7. Postings by Authorized Users in a Company Email address must contain a “disclaimer” stating that the opinions expressed are strictly those of the author and not necessarily those of the Company, unless posting has been done in the course of Company business.

1.4.2.8. All computers used by Authorized Users that are connected to the Company Information Technology Network, whether owned by the individual or the Company, must be continually executing approved Virus-scanning Software with a current Virus Database.

1.4.2.9. Authorized Users must use extreme caution when opening e-mail attachments received from unknown senders, which may contain Viruses, e-mail bombs, or Trojan Horse codes.

1.5. Unacceptable Use of the Company Information Technology Network.
The following activities are prohibited, although Authorized Users designated by management may be exempted from these restrictions during the performance of their legitimate job responsibilities. Under no circumstances is an Authorized User permitted to engage in any illegal activity under local or international laws while utilizing the Company Information Technology Network.

Unacceptable use includes, but is not limited to the following activities:
1.5.1. System and Network Activities

1.5.2. Violations of the rights of any person or company protected by copyright, trade secret, patent or other Intellectual Property, or similar laws or regulations, including, but not limited to, the installation or distribution of copyrighted or other Software products that are not licensed for use by the Company.

1.5.2.1. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted Software for which the Company or the Authorized User does not have an active license.

1.5.2.2. Introduction of Malicious Software into the Company Information Technology Network (e.g., Viruses, Worms, Trojan Horses, e-mail bombs, etc.).

1.5.2.3. An Authorized User’s revelation of his account password to others or allowing the use of an Authorized User’s account by others, including family and other household members when an Authorized User’s computer is connected to the Company Information Technology Network from home or other non-Company locations.
1.5.2.4. The use of a component of the Company Information Technology Network or other computing asset to actively engage in procuring or transmitting material that violates sexual harassment or hostile workplace laws or that violates any Company policy. Pornographic material is a violation of sexual harassment policies.

1.5.2.5. Making fraudulent offers of products, items, or services originating from any Company account or otherwise made from a computer connected to the Company Information Technology Network.

1.5.2.6. Causing Security breaches or disruptions of communication over the Company Information Technology Network. Accessing data or other communications of which the Authorized User is not an intended recipient or logging into an account that the Authorized User is not expressly authorized to access. For purposes of this section, "disruption" includes, but is not limited to, traffic floods, Packet Spoofing, Denial of Service, among others.

1.5.2.7. Port Scanning or Security Scanning, unless Information Security has been notified and has given approval in advance.

1.5.2.8. Executing any form of Network monitoring that intercepts data not intended for the Authorized User, unless this activity is a part of the Authorized User’s normal job/duty.

1.5.2.9. Circumventing User Authentication or Security of any device, Network, or account.

1.5.2.10. Using any Program/script/command, or sending messages of any kind with the intent to interfere with or disable a user's terminal session, via any means locally or remotely.

1.5.2.11. Providing information about, or lists of, Company employees to non-Company parties.

1.5.3. Email and Communications Activities

1.5.3.1. Each Company employee must be given an official email address consisting of the employee’s first name followed by the Company domain name, i.e. ____@oraniwater.com.ph, which shall be used in all official Company communication.

1.5.3.2. Sending unsolicited Email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (Email SPAM).

1.5.3.3. Any form of harassment via Email, instant messenger, telephone, or pager, whether through language, frequency, or size of messages.

1.5.3.4. Unauthorized use, or forging, of Email header information.

1.5.3.5. Solicitation of Email for any other Email address, other than that of the Authorized User’s own account, with the intent to harass or to collect replies.

1.5.3.6. Creating or forwarding Chain email, Phishing, or other scams of any type.

1.5.3.7. Use of the Company’s name in any unsolicited Email on behalf of, or to advertise, any service or product without the explicit written permission of the Company.

1.5.3.8. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup SPAM).

1.6. Enforcement
Any Authorized User found to be violating this policy shall be considered an Un-authorized User, and may be subject to actions pursuant to the Enforcement section of the Un-authorized Use Policy.

2. Guest User Policy
2.1. Purpose

The Company promotes sharing the internet connection within the company premises. In doing so, the OraniWD often grants to Company guests and visitors the right to use MIS internet resources in compliance with the Company Information Technology Policies and Procedures. Such authorized persons are Guest Users and are also Authorized Users to the extent of their authorizations.

2.2. Scope

This policy applies only to Guest Users and does not include employees of OraniWD.

2.3. Policy

A Guest User is an Authorized User when utilizing OraniWD’s information technology resources in compliance with the Company Information Technology Policies and Procedures and as long as the use remains within the limits of the Guest User’s individual authorization. A Guest User may be authorized to use Company computers and selected Software, and may also be permitted access to selected areas of the OraniWD Information Technology Network.

2.4. Enforcement

Any Authorized User found to be violating this policy shall be considered an Un-authorized User, and is subject to actions pursuant to the Enforcement section of the Un-authorized Use Policy.

3. OraniWD Confidentiality Policy
3.1. Purpose

Confidential information may be developed or obtained by OraniWD employees as a result of that person’s relationship with the Company.

3.2. Scope

All Authorized Users who have contact with and access to confidential information must keep such information confidential. Confidential information includes, but is not limited to, the following types of information:

3.2.1. Employee information, such as address, telephone number, social security number, birth date and other private information.

3.2.2. Operations manuals, Company practices, marketing plans, techniques and materials, development plans, and financial information.

3.2.3. Employee or applicant lists, personnel and payroll records, records regarding vendors and suppliers, records and files of the Company, and all other information concerning the business affairs of the Company.

3.3. Policy

Confidential information must never be released, removed from the Company premises, copied, transmitted, or in any other way used by an Authorized User for any purpose outside the scope of their Company employment, nor revealed to non-OraniWD employees, without the express written consent of OraniWD management. Information stored on the Company Information Technology Network is confidential and must not be distributed outside the Company except in the course of the Company’s business or as otherwise authorized by management. Authorized Users shall not remove, borrow, or take out of the Company premises any computer equipment, disks, or related technology, product, or information unless authorized to do so.

3.4. Enforcement

Any Authorized User found to be violating this policy shall be considered an Un-authorized User, and may be subject to actions pursuant to the Enforcement section of the Un-authorized Use Policy.

4. Un-authorized Use Policy
4.1. Purpose

This policy sets forth the OraniWD’s policy regarding Un-authorized Use of the Company Information Technology Network.

4.2. Scope

This policy covers all Unauthorized Use of the Company Information Technology Network, whether by a person who is not an Authorized User or by an Authorized User whose use exceeds the limits of that person’s authorization; both are referred to in this policy as “Unauthorized Users.”

4.3. Policy

All Unauthorized Users are prohibited from using Company Information Technology Network for any purpose whatsoever. Authorized Users are prohibited from using the Company Information Technology Network in any way that exceeds the limits of their individual authorizations.

4.4. Enforcement

Un-authorized Users shall be subject to disciplinary action for grave misconduct, criminal prosecution, and/or civil suits in which the Company shall seek damages, and/or other legal and/or equitable remedies.

5. Electronic Communications Policy
5.1. Purpose

Electronic communications systems that utilize the Company Information Technology Network are not open fora, but rather are owned and operated by the Company to promote learning, and to support official Company business. Authorized Users shall use these systems only within the scope of Company Information Technology Policies and Procedures. Electronic communication systems include, but are not limited to, all electronic mail and Instant Messaging systems, electronic bulletin boards, web content, and Internet access.

5.2. Scope

This policy covers appropriate use of any electronic message sent from a Company account, and applies to all Authorized Users of the Company Information Technology Network.

5.3. Policy
5.3.1. Prohibited Uses

The Company Email system must not be used for the creation or distribution of any disruptive or offensive messages, including but not limited to offensive comments about the Company, any person, race, gender, disability, age, sexual orientation, religious belief and practice, political belief, or national origin. Individuals who receive any electronic communications with objectionable content should report the matter to their supervisor or to Information Security personnel immediately.

5.3.2. Personal Use

Authorized Users may use a reasonable amount of Company resources for personal emails, “reasonable” as defined earlier in this set of Policies. However, non-work-related Emails shall be saved in a separate folder from work-related Email. Sending Chain Email or joke Emails from a Company Email account is prohibited. These restrictions also apply to the forwarding of Email received by an Authorized User.

5.3.3. Mass Emailings/ Mail Broadcast

Mail Broadcast over the Company Information Technology Network must have prior approval from the Office of the General Manager. The approval must be noted at the bottom of the Email and must include the name of the approving individual and the date of approval.

Signatures

Signatures in Emails and other electronic messages may contain some or all of the following only: name, title, division/section name, name of Company, and workplace contact information (phone number, fax number, mailing address, Email address).

5.3.4. Monitoring

All users of Company accounts, including Authorized Users, shall have no expectation of privacy in anything they store, send, or receive on the Company Information Technology Network. The Company may monitor communication on the Company Information Technology Network without prior notice, but is not obliged to do so.

5.4. Enforcement

Any Authorized User found to be violating this policy shall be considered an Un-authorized User, and may be subject to actions pursuant to the Enforcement section of the Un-authorized Use Policy.

6. Password Policy
6.1. Overview

Passwords are essential to computer Security. They are the front line of protection for Authorized User accounts. A poorly chosen password can result in the compromise of the entire Company Information Technology Network. All Authorized Users shall follow the actions outlined below in selecting and securing their passwords.

6.2. Purpose

The purpose of this policy is to establish a standard for the creation and protection of strong passwords for Authorized Users of information technology resources on the Company Information Technology Network. This policy will also establish the frequency of change for those passwords.

6.3. Scope

This policy applies to all Authorized Users who are responsible for an account (or any form of access that supports or requires a password) on any system that resides on or accesses the Company Information Technology Network, or that stores any non-public Company information.

6.4. Policy
6.4.1. General

6.4.1.1. All system-level passwords (e.g. the Windows "administrator" account, application administration accounts, etc.) must be changed at least on a quarterly basis.

6.4.1.2. All system-level passwords in all equipment shall be part of the Company Password Management System.

6.4.1.3. All user-level passwords (e.g. Email, web, desktop computer, etc.) must be changed at least every sixty days.

6.4.1.4. Authorized User accounts that have system-level privileges granted through group memberships or Programs must have unique passwords different from all other accounts held by that Authorized User.

6.4.1.5. Passwords must not be included in Email messages, phone conversations, or other forms of electronic communication.

6.4.1.6. Where Simple Network Management Protocol (SNMP) is used, the community strings must be defined as something other than the standard defaults ("public," "private," or "system") and must be different from the passwords used to log in interactively. Where available, SNMP version 3 must be used in place of community strings, with its keyed-hash (HMAC) authentication and privacy enabled; SNMP versions 1 and 2c send the community string in the clear and provide no authentication.

6.4.1.7. All user-level and system-level passwords must conform to the guidelines described below.

6.4.2. Standards
6.4.2.1. General Password Construction Guidelines

Passwords are used for various purposes at the Company. Some of the more common uses include: user-level accounts, web accounts, Email accounts, screen saver protection, voice mail passwords, and local Router logins. Very few systems have support for one-time Tokens (i.e. dynamic passwords which are only used once), thus everyone must be aware of how to select strong passwords.

Poor, weak passwords have the following characteristics:
6.4.2.2. The password contains less than eight characters

6.4.2.3. The password is a word found in a dictionary (English or foreign)

6.4.2.4. The password is a common usage word, such as:

• Names of family members, pets, friends, co-workers, fictional characters, etc.
• Computer terms and names, commands, sites, companies, Hardware and Software terms
• The words "OraniWD Company", "sanjose", "sanfran" or any derivation
• Birthdays and other personal information, such as addresses and phone numbers
• Word or number patterns like aaabbb, qwerty, xyzzy, 123321, etc. 
• Any of the above spelled backwards
• Any of the above preceded or followed by a digit (e.g. secret1, 1secret)

6.4.2.5. Strong passwords have the following characteristics:

• The password contains both upper and lower case characters (e.g. a-z, A-Z)
• The password has numbers and punctuation characters as well as letters, if possible (e.g. 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
• The password is at least eight alpha-numeric characters long
• The password is not a word in any language, slang, dialect, jargon, etc.
• The password is not based on personal information, names of family, etc.

6.4.2.6. Passwords must never be written down or stored online in unencrypted form. Passwords should be created so that they can be easily remembered while still having strong password characteristics. One way to do this is to create a password derived from a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the corresponding password might be "TmB1w2R!", or "Tmb1W>r~", or some other variation.

NOTE: These particular examples are now public, and must not be used as real passwords!
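As an added illustration that is not part of the original policy, the following Python function applies the construction rules of 6.4.2.2 through 6.4.2.5 to a candidate password and returns the list of rules it breaks. The small word list and the keyboard rows are constructed for this example; a real deployment would load a full dictionary and MIS's list of company-specific terms, which this policy does not specify.

```python
import re
import string

# Constructed sample of the "common usage words" that 6.4.2.4 forbids.
# Assumption: in production this set is loaded from a full dictionary plus
# a company-term list maintained by MIS; the policy does not define that list.
FORBIDDEN_WORDS = {
    "password", "secret", "welcome", "admin", "oraniwd", "orani", "water",
    "windows", "router", "login", "fluffy", "qwerty", "xyzzy",
}

# Keyboard rows used to detect sequences such as "qwerty" or "1234" (6.4.2.4).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def _has_repeated_runs(pw: str) -> bool:
    """True for patterns like 'aaabbb': any character repeated three or more times in a row."""
    return re.search(r"(.)\1\1", pw) is not None


def _has_keyboard_sequence(pw: str, length: int = 4) -> bool:
    """True if the password contains `length` adjacent keyboard keys, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            chunk = row[i:i + length]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def _core_word(pw: str) -> str:
    """Strip one leading and one trailing digit so that 'secret1' and '1secret'
    are judged on 'secret' (last bullet of 6.4.2.4)."""
    core = pw.lower()
    if core and core[0].isdigit():
        core = core[1:]
    if core and core[-1].isdigit():
        core = core[:-1]
    return core


def check_password(pw: str, personal_info=()) -> list:
    """Return the policy rules the password violates; an empty list means it is acceptable.

    `personal_info` is an optional iterable of strings (names, birth years, phone
    numbers) that the account holder's password must not contain (6.4.2.4)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters (6.4.2.2)")
    core = _core_word(pw)
    if core in FORBIDDEN_WORDS or core[::-1] in FORBIDDEN_WORDS:
        problems.append("dictionary/common word, possibly reversed or with a digit added (6.4.2.3/6.4.2.4)")
    for item in personal_info:
        item = item.lower()
        if item and (item in pw.lower() or item[::-1] in pw.lower()):
            problems.append(f"contains personal information '{item}' (6.4.2.4)")
    if _has_repeated_runs(pw) or _has_keyboard_sequence(pw) or "123321" in pw:
        problems.append("word or number pattern (6.4.2.4)")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("missing upper- or lower-case letters (6.4.2.5)")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("no digits or punctuation (6.4.2.5)")
    return problems


if __name__ == "__main__":
    for candidate in ["TmB1w2R!", "secret1", "1secret", "qwerty123", "Maria1985!"]:
        print(candidate, "->", check_password(candidate, personal_info=["maria"]) or "OK")
```

With these rules the page's own example "TmB1w2R!" is accepted, while "secret1" and "1secret" fail the dictionary check, "qwerty123" fails the pattern check, and "Maria1985!" is rejected only when the account holder's name is supplied as personal information.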

6.4.3. Password Protection Standards

Authorized Users must not reuse their Company IT network passwords for non-Company accounts. Wherever possible, the same password must not be used for different Company access needs, and a separate password must be selected for a Windows account. Company passwords must not be shared with anyone, including administrative assistants or secretaries. All passwords are to be treated as confidential Company information. Group accounts (an account shared among two or more users) are prohibited.

Users must not do the following:

6.4.3.1. Reveal a password to anyone, even a superior, co-worker, or family member, whether in person, in a questionnaire, or by email.

6.4.3.2. Use the "Remember Password" feature of applications (e.g. Eudora, Outlook, or Netscape Messenger). If someone demands a password, refer them to this Policy. Passwords must not be stored in a file on ANY computer system (including PDAs or similar devices) without Encryption. If an account or password is suspected to be compromised, the incident must be reported to Information Security/MIS and the password must be changed immediately. Password Cracking or guessing may be performed on a periodic or random basis by MIS/Information Security personnel. If a password is guessed or cracked during one of these scans, the user shall be required to change it.

6.4.3.3. Password Storage
Passwords in the password database shall be stored only as salted one-way hashes; they must never be stored in plaintext or with reversible encryption, since a reversibly encrypted password store yields every password to an attacker who obtains the decryption key. On Windows systems the Group Policy setting "Store passwords using reversible encryption" must remain disabled.
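As an added example, not part of the original policy, the following Python code shows the storage form 6.4.3.3 calls for: each password is hashed with a random per-user salt using PBKDF2-HMAC-SHA256 from the standard library, verification recomputes the hash and compares it in constant time, and nothing in the record allows the password to be recovered. The record format and the iteration count are this example's assumptions; the policy prescribes neither.

```python
import base64
import hashlib
import hmac
import os

# Assumption: 600,000 iterations for PBKDF2-HMAC-SHA256 (a widely cited
# 2023 recommendation). The policy itself does not specify a work factor.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record 'scheme$iterations$salt$hash' (base64 fields).

    The salt is random per password, so two users with the same password get
    different records and an attacker cannot precompute one table for all of them."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join([
        SCHEME,
        str(PBKDF2_ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare in
    constant time. There is no inverse operation: the password cannot be read back."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = hash_password("TmB1w2R!")  # constructed sample password from 6.4.2.6
    print(stored)
    print("correct password:", verify_password("TmB1w2R!", stored))
    print("wrong case:      ", verify_password("tmb1w2r!", stored))
```

Storing the iteration count in the record lets MIS raise the work factor later and re-hash each user at next login, which is why the annual review in 7.3 should cover this value as well as key lengths.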

6.4.4. Use of Passwords and Pass-phrases for Remote Access Users

Remote Access to the Company Information Technology Network must be controlled using either one-time password authentication or a public / private key system with a strong Pass-phrase.

6.4.4.1. Pass-phrases

Pass-phrases are generally used for public / private key authentication. A public / private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the Authorized User. Without the Pass-phrase to "unlock" the private key, the Authorized User cannot gain access. Pass-phrases are not the same as passwords. A Pass-phrase is a longer version of a password and is, therefore, considered more secure. A Pass-phrase is typically composed of multiple words. Because of this, a Pass-phrase is more secure against "dictionary attacks." A good Pass-phrase is relatively long and contains a combination of upper- and lower-case letters, numerals, and punctuation characters. The following is an example of a good Pass-phrase: "R34d car3fu!!y. B3 h0n3$t." (As with the password examples above, this example is now public and must not be used.) All of the rules above that apply to passwords also apply to Pass-phrases.

6.5. Enforcement

Any Authorized User found to be violating this policy shall be considered an Un-authorized User, and may be subject to actions pursuant to the Enforcement section of the Un-authorized Use Policy.

7. Acceptable Encryption Policy
7.1. Purpose

The purpose of this policy is to encourage the use of Encryption by Authorized Users, using only methods that have already received substantial public review and scrutiny.

7.2. Scope
This policy applies to all Authorized Users.

7.3. Policy

Proven, standard Encryption methods that have received substantial public review (e.g. AES, Blowfish, RSA, RC5, IDEA, etc.) must be used. DES, whose key is only 56 bits, cannot meet the key-length requirement below and must not be used. For example, Network Associates' Pretty Good Privacy (PGP) technology uses the IDEA method in combination with RSA or Diffie-Hellman methods, while Secure Socket Layer (SSL) and its successor Transport Layer Security (TLS) use RSA among other algorithms. Symmetric Cryptosystem key lengths must be at least 128 bits. Asymmetric Cryptosystem keys must be of a length that yields equivalent strength.

OraniWD’s key length requirements are reviewed annually and upgraded as technology allows. Authorized Users shall not use Proprietary Encryption Algorithms for any purpose, unless approved by Information Security/MIS personnel.

7.4. Enforcement

Any Authorized User found to be violating this policy shall be considered an Un-authorized User, and may be subject to actions pursuant to the Enforcement section of the Un-authorized Use Policy.

8. Remote Access Policy
8.1. Purpose

This policy defines standards for connecting to the Company Information Technology Network from any Host. These standards are designed to minimize potential exposure of the Company to damages that result from Unauthorized Use of the Company Information Technology Network. Damages include, but are not limited to the loss of sensitive or confidential data, loss of Intellectual Property, damage to the Company’s public image, damage to the Company’s internal systems, and financial damages of all kinds.

8.2. Scope

This policy applies to all Users who utilize Company-owned or personally-owned information technology resources to connect to the Company Information Technology Network. This policy applies to Remote Access connections used to do work on behalf of the Company, including but not limited to Email correspondence and accessing Intranet web resources. Remote Access implementations covered by this policy include, but are not limited to, dial-up Modems, ISDN connections, Digital Subscriber Line (DSL) connections, Cable Modems, and others.

8.3. Policy
8.3.1. General

8.3.1.1. Authorized Users must apply for Remote Access privileges and submit the Company-issued or personal devices they intend to use for approval before those privileges are granted.

8.3.1.2. Authorized Users with Remote Access privileges to the Company Information Technology Network must ensure that their Remote Access connection complies with the Company Information Technology Policies and Procedures, and treat it with the same consideration as their on-site connection to the Company.

8.3.1.3. General access to the Internet through the Company Information Technology Network on personal computers of immediate household members of Company employees, for reasonable recreational use, may be permitted. Each Authorized User shall be responsible for ensuring that the family member does not perform illegal activities, does not use the access for outside business purposes, and complies with the Company Information Technology Policies and Procedures. Each Authorized User shall bear the responsibility for the consequences of misuse.

8.3.1.4. Authorized Users must review the following policies for the acceptable use of the Company Information Technology Network and determine how to protect information when accessing the Company Information Technology Network via Remote Access methods:

a. The Company Acceptable Encryption Policy
b. The Company Wireless Communications Policy
c. The Company Acceptable Use Policy

8.3.1.5. Authorized Users who need additional information regarding the Company's Remote Access connections may contact the Information Technology /MIS personnel.

8.3.2. Requirements
8.3.2.1. Secure Remote Access must be strictly controlled. Control shall be enforced via one-time password authentication or public / private keys with strong Pass-phrases.

8.3.2.2. Authorized Users must not provide their log-in identification to the Company Information Technology Network or MIS resources to anyone, not even to family members.

8.3.2.3. Authorized Users who have been granted Remote Access privileges must ensure that Company-owned or personal information technology resources are not connected to any other Network at the same time they are connected to the Company Information Technology Network (with the exception of personal Networks that are under the complete control of the Authorized User).

8.3.2.4. Authorized Users with Remote Access privileges to the Company Information Technology Network must not use non-Company Email accounts (e.g. Hotmail, Yahoo, Gmail) or other external resources to conduct official Company business, so that official business is never mixed with personal business.

8.3.2.5. Routers for dedicated ISDN lines configured for access to the Company Information Technology Network must meet the minimum authentication requirements of the Challenge Handshake Authentication Protocol (CHAP).

8.3.2.6. Reconfiguration of an Authorized User’s home equipment for the purpose of Split-Tunneling or Dual Homing is not permitted.

8.3.2.7. Non-standard Hardware configurations are prohibited.

8.3.2.8. All Hosts that are connected to the Company Information Technology Network via Remote Access technologies, including personal computers, must use the most recent corporate-standard Anti-Virus Software. Third-party connections to the Company Information Technology Network must comply with requirements as stated in the Third Party Agreement documentation.

8.3.2.9. Personal equipment that is used to connect to the Company Information Technology Network must meet the same requirements applied to Company owned equipment for Remote Access.

8.3.2.10. Implementation of non-standard Remote Access solutions to the Company Information Technology Network is prohibited.

8.4. Enforcement

Any Authorized User found to be violating this policy shall be considered an Un-authorized User, and may be subject to actions pursuant with the Enforcement section of the Un-authorized Use Policy.

9. Physical Security Policy
9.1. Overview

Physical Security means providing environmental safeguards on and controlling physical access to the equipment of and data on the Company Information Technology Network in order to protect information technology resources from Un-authorized Use.

Purpose

The purpose of this policy is to establish standards for granting, monitoring, and terminating physical access to the Company Information Technology Network and to protect equipment on the Company Information Technology Network from environmental factors.

9.2. Scope

This policy applies to the entire Company Information Technology Network, including but not limited to computers, Network Closets, and the Information Technology / MIS Network Operations Center.

9.3. Policy
9.3.1. Environmental Safeguards

9.3.1.1. Adequate air conditioning must be operational in Company Information Technology Network facilities that house information technology resources, to prevent long-term heat damage and equipment failure.

9.3.1.2. All Company Information Technology Network facilities must have adequate fire extinguishing devices present in the office area. These devices must be inspected regularly by Company Public Safety personnel.
9.3.1.3. All Company Information Technology Network information technology resources must be fitted with effective Surge Protectors to prevent power spikes and subsequent damage to data and Hardware.

9.3.1.4. Each critical Company Information Technology Network information technology resource must be connected to an Uninterruptible Power Supply (UPS) to protect it from power spikes and brownouts and the damage to data and Hardware they cause.

9.3.1.5. Electrical outlets must not be overloaded by connecting too many devices. Proper and practical usage of extension cords is to be reviewed annually.

9.3.2. Physical Access

9.3.2.1. All Company Information Technology Network physical Security systems must comply with all regulations, including, but not limited to, building codes and fire prevention codes.

9.3.2.2. Physical access privileges to all Company Information Technology Network facilities must be documented and managed by Information Technology/ MIS section.

9.3.2.3. All facilities that house Company Information Technology Network information technology resources must be physically protected in proportion to the importance of their function.

9.3.2.4. Access to Company Information Technology Network restricted facilities shall be granted only to Company staff whose job responsibilities require access to that facility.

9.3.2.5. The process of granting access to Company Information Technology Network facilities must include recommendation from the Information Technology /MIS personnel and approved by the General Manager.

9.3.2.6. Secured access devices (e.g. access cards, keys, combinations, etc.) must not be shared with others by Authorized Users.

9.3.2.7. Secured access devices that are no longer needed must be returned to the Company Information Technology / MIS section and logged appropriately before they are re-allocated to another Authorized User.

9.3.2.8. Lost or stolen Company Information Technology Network secured access devices must be reported to IT Security personnel immediately.
9.3.2.9. Company Employees responsible for Company Information Technology Network facilities must immediately remove the secured access device rights of individuals that no longer require access.

9.3.2.10. Company Visitors must be escorted and monitored while in restricted Company Information Technology Network facilities.

9.3.2.11. Company Employees responsible for Company Information Technology Network facilities must review access records and visitor Logs for the facility on a periodic basis, and investigate any unusual access.

9.3.2.12. Company Employees responsible for Company Information Technology Network facilities must lock all spaces housing them when not occupied by a Company Employee, in order to reduce the occurrence of unauthorized entry and access.

9.3.2.13. Any piece of Company Information Technology Network equipment which resides in a public access area must be secured to a piece of furniture, countertop, or other suitably deterrent object with a theft-inhibiting device. Portable computers that are part of the Company Information Technology Network must also be secured with theft-inhibiting devices.

9.4. Enforcement
Any Authorized User found to be violating this policy shall be considered an Un-authorized User, and may be subject to actions pursuant with the Enforcement section of the Un-authorized Use Policy.

10. Workstation Configuration Security Policy

10.1. Purpose

The purpose of this policy is to establish standards for the base configuration of workstations that are owned or operated by the Company. Effective implementation of this policy will minimize unauthorized access to the Company Information Technology Network and other Proprietary Information and technology.

10.2. Scope

This policy applies to all Company Information Technology Network workstation equipment owned or operated by the Company, and to workstations registered under any Company-owned internal Network domain.

10.3. Policy
10.3.1. Ownership and Responsibilities

All Company Information Technology Network workstations at the Company must be the responsibility of an operational group that is responsible for system administration. Approved workstation configuration standards must be established and maintained by each operational group, based on business needs. Operational groups must monitor configuration compliance and request special approval for any noted exceptions. Each operational group must establish a process for changing the configuration standards, which includes review and approval by appropriate Information Security /MIS personnel.

10.3.1.1. Workstations must be registered within the Company Security Management System. At a minimum, the following information is required to positively identify the point of contact:

a. Workstation contact(s) and location, and a backup contact
b. Hardware and Operating System (OS) version numbers
c. Main functions and applications, if applicable

10.3.1.2. Information in the Company Security Management System must be kept current.

10.3.1.3. Configuration changes for workstations must comply with the Change Management Policy documentation.

10.3.2. General Configuration Standards

10.3.2.1. OS configuration must comply with approved Information Security Standards.

10.3.2.2. Services and applications that are unused must be disabled where practical. Exceptions must be noted and approved by authorized Information Security personnel.

10.3.2.3. Access to Services must be protected through authorized access-control methods (e.g. TCP wrappers), if possible.

10.3.2.4. The most recent Security Patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.

10.3.2.5. Trust Relationships between systems constitute a Security risk, and their use is prohibited.

10.3.2.6. The standard Security principle of Least Required Access must be utilized when performing a function. If a methodology for Secure Channel connection is available (i.e. technically feasible), privileged access must be performed over Secure Channels (e.g. encrypted Network connections using IPSec or Secure Shell).

10.3.3. Monitoring

Security-related events must be reported to appropriate Information Security/MIS personnel, who reviews Logs and reports incidents to management-level personnel in the Information Technology /MIS section. Corrective measures must be immediately done as needed. Security-related events include but are not limited to:

1. Port scan attacks
2. Evidence of un-authorized access to privileged accounts or data
3. Anomalous occurrences not related to specific applications on the Host

10.3.4. Compliance
10.3.4.1. Audits of the IT network must be performed on a regular basis by authorized parties within the Company.

10.3.4.2. Audits are managed by the Company’s internal audit group or appropriate Information Security personnel, in accordance with the Audit Policy documentation. Findings not related to a specific operational group are filtered by Information Security /MIS personnel, and then presented to the appropriate support staff for remediation or justification.

10.3.4.3. Reasonable efforts must be made to prevent audits from causing operational failures or disruptions.

10.4. Enforcement

Any Authorized User found to be violating this policy shall be considered an Un-authorized User, and may be subject to actions pursuant with the Enforcement section of the Un-authorized Use Policy.

11. Server Configuration Security Policy
11.1. Purpose

The purpose of this policy is to establish standards for the base configuration of server equipment owned or operated by the Company. Effective implementation of this policy will minimize Unauthorized Use of the Company Information Technology Network or other access to the Company’s Proprietary Information and technology.

11.2. Scope

This policy applies to server equipment owned or operated by the Company, and to servers registered under any Company-owned internal Network domain. This policy applies specifically to equipment connected to the internal Company Information Technology Network.

11.3. Policy
11.3.1. Ownership and Responsibilities

All internal servers deployed at the Company must be the responsibility of an Operational Group that is responsible for system administration. Approved server configuration standards must be established and maintained by each Operational Group, based on business needs. Operational Groups must monitor configuration compliance and request special approval for any noted exceptions. Each Operational Group must establish a process for changing the configuration standards, which includes review and approval by Information Security personnel.

11.3.1.1. Servers must be registered within the Company Security Management System. At a minimum, the following information is required to positively identify the point of contact:
a. Server contact(s) and location, as well as a backup contact
b. Hardware and Operating System (OS) version numbers
c. Main functions and applications, if applicable

11.3.1.2. Information in the Company Security Management System must be kept current.

11.3.1.3. Configuration changes made by Authorized Users for production servers must comply with the Change Management Policy documentation.

11.3.2. General Configuration Standards

11.3.2.1. OS configuration must be in accordance with approved Information Security Standards.

11.3.2.2. Services and applications that are unused must be disabled immediately where practical. Exceptions must be noted and approved by Information Security personnel.

11.3.2.3. Access to Services must be logged or protected through appropriate Access Control methods (e.g. TCP wrappers), if possible.

11.3.2.4. The most recent Security Patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.

11.3.2.5. Trust Relationships between systems are a Security risk and are prohibited. Do not use a Trust Relationship when some other method of communication will do.

11.3.2.6. Authorized Users must always use the standard Security principle of Least Required Access to perform a function.

11.3.2.7. If a methodology for Secure Channel connection is available (i.e. technically feasible), privileged access must be performed over Secure Channels (e.g. encrypted Network connections using IPSec or Secure Shell).

11.3.2.8. All servers must be physically located in an access-controlled environment.

11.3.2.9. Authorized Users are specifically prohibited from operating servers in un-controlled office areas.

11.3.3. Monitoring

11.3.3.1. All Security-related events on critical or sensitive systems must be logged by Information Security personnel and audit trails saved, as follows:

a. All Security-related Logs must be kept online as required in the specific server standards document.
b. Daily incremental tape Backups must be retained as required in the specific server standards document.
c. Weekly full tape Backups of Logs must be retained as required in the specific server standards document.
d. Monthly full Backups must be retained as required in the specific server standards document.

11.3.3.2. Security-related events must be reported by Authorized Users to Information Security / MIS Personnel, who reviews Logs and reports incidents to management level personnel in the Information Technology / MIS section. Corrective measures are prescribed as needed.

Security-related events include, but are not limited to:

a. Port scan attacks
b. Evidence of unauthorized access to privileged accounts or data
c. Anomalous occurrences that are not related to specific applications on the Host

11.3.4. Compliance

11.3.4.1. Audits must be performed on a regular basis by authorized parties within the Company.

11.3.4.2. Audits must be managed by the internal audit group or Information Security personnel, in accordance with the Audit Policy documentation. Findings not related to a specific Operational Group are filtered by Information Security personnel, and then presented to the appropriate Information Technology staff for remediation or justification.

11.3.4.3. Every effort shall be made to prevent audits from causing operational failures or disruptions.
11.4. Enforcement

Any Authorized User found to be violating this policy shall be considered an Un-authorized User, and may be subject to actions pursuant with the Enforcement section of the Un-authorized Use Policy.

12. General Configuration Policy
All Company Information Technology Network equipment must be in compliance with the following configuration policy:

12.1. Policy

12.1.1. Hardware, Operating Systems, Services and applications must be approved by Company Information Security /MIS personnel, as part of the pre-deployment review phase.

12.1.2. Operating System configuration must be done in accordance with the secure server and Router installation and configuration standards, as defined in the Server Configuration and Workstation Configuration policy.

12.1.3. All Patches and updates recommended by the equipment vendor and Information Security personnel must be installed. This applies to all Services installed, even though those Services may be temporarily or permanently disabled. Operational Groups must have processes in place to stay current on appropriate Patches and updates.
12.1.4. Services and applications not serving business requirements must be disabled immediately.

12.1.5. Trust Relationships between systems are prohibited.

12.1.6. Services and applications not for general access must be restricted by Access Control Lists.

12.1.7. Insecure Services or Protocols (as determined by Company Information Security personnel) must be replaced with more secure equivalents whenever such exist.

12.1.8. Remote administration must be performed over Secure Channels (e.g. encrypted Network connections using Secure Shell) or Console Access independent from a DMZ Network.

12.1.9. All server content updates must occur over Secure Channels.

12.1.10. Security-related events must be logged and audit trails saved to Logs approved by Company IT personnel. Security-related events include, but are not limited to, the following:
a. User login failures
b. Failure to obtain privileged access
c. Access policy violations
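10.3.3, 11.3.3.2 and 12.1.10 all require that port scans, unauthorized privileged access and login failures be logged and reported, but none of them say what the report is built from. The following added example, which is not part of the OraniWD manual, runs the three checks over constructed sample records in Linux auth.log and iptables LOG format. The hostnames, user names and addresses are hypothetical, and the thresholds (five failures in sixty seconds, ten distinct ports from one source) are assumptions of this example that the MIS section would set in its own server standards document.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in Linux auth.log / iptables LOG style. Hostnames,
# users and addresses are hypothetical; these are not OraniWD records.
AUTH_LOG = """\
Mar  3 08:00:01 gw01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 08:00:03 gw01 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  3 08:00:05 gw01 sshd[2103]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 08:00:07 gw01 sshd[2104]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 08:00:09 gw01 sshd[2105]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 08:01:10 gw01 sshd[2110]: Accepted publickey for jdelacruz from 192.0.2.25 port 40010 ssh2
Mar  3 08:02:00 gw01 sudo:  jdelacruz : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/jdelacruz ; USER=root ; COMMAND=/bin/bash
Mar  3 09:15:00 gw01 sshd[2201]: Failed password for jdelacruz from 192.0.2.25 port 40020 ssh2
"""

# One source walking eleven common TCP ports on the gateway, plus one ordinary drop.
FW_LOG = "\n".join(
    f"Mar  3 08:05:{i:02d} gw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 "
    f"PROTO=TCP SPT=44{i:03d} DPT={p}"
    for i, p in enumerate([22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443])
) + "\nMar  3 08:06:00 gw01 kernel: DROP IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=50111 DPT=443\n"

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_FAIL = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?P<n>\d+) incorrect password attempts.*USER=(?P<target>\S+)")
FW_DROP = re.compile(r"SRC=(?P<src>\S+) DST=\S+ PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")


def parse_ts(stamp: str, year: int = 2024) -> datetime:
    # syslog stamps carry no year; the caller supplies it (2024 is assumed for the sample)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def failed_login_bursts(log: str, threshold: int = 5, window_s: int = 60) -> dict:
    """12.1.10(a): sources with at least `threshold` failed logins inside any
    `window_s` span. Returns {source_ip: most failures seen in one window}."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            times[m["src"]].append(parse_ts(m["ts"]))
    bursts = {}
    for src, stamps in times.items():
        stamps.sort()
        best = max(sum(1 for t in stamps if 0 <= (t - start).total_seconds() <= window_s)
                   for start in stamps)
        if best >= threshold:
            bursts[src] = best
    return bursts


def failed_privilege_escalations(log: str) -> list:
    """12.1.10(b): sudo reporting repeated wrong passwords for a privileged target.
    Returns [(user, attempts, target_user), ...]."""
    return [(m["user"], int(m["n"]), m["target"])
            for m in map(SUDO_FAIL.search, log.splitlines()) if m]


def port_scan_suspects(fw_log: str, min_ports: int = 10) -> dict:
    """10.3.3 / 11.3.3.2: one source probing many distinct TCP ports on the gateway.
    Returns {source_ip: distinct_ports} for sources at or above `min_ports`."""
    ports = defaultdict(set)
    for line in fw_log.splitlines():
        m = FW_DROP.search(line)
        if m:
            ports[m["src"]].add(int(m["dpt"]))
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print("login bursts:", failed_login_bursts(AUTH_LOG))
    print("sudo failures:", failed_privilege_escalations(AUTH_LOG))
    print("port-scan suspects:", port_scan_suspects(FW_LOG))
```

The single late failure from 192.0.2.25 is deliberately left below threshold: one mistyped password by a known user is noise, whereas five failures in eight seconds against `admin` and `root` from an outside address is the event 12.1.10 wants reported. Whatever thresholds are chosen, the raw lines must be kept as well (11.3.3.1), since the summary alone cannot be re-examined once an incident turns out to be larger than the rule assumed.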

12.1.11. New Company Information Technology Network Installations and Change Management Procedures All new installations and changes to the configuration of existing Company Information Technology Network equipment and applications must comply with the following standards:

12.1.11.1. New installations must be done in compliance with the DMZ Equipment Deployment Process.
12.1.11.2. Configuration changes must comply with the Company Change Management Policy.

12.1.11.3. Information Security personnel must be notified to perform system or application audits prior to the deployment of new Services.

12.1.11.4. Information Security personnel must be engaged, directly or in accordance with the Company Change Management System, to approve all new deployments and configuration changes.

12.1.12. Company Information Technology Network Equipment Outsourced to External Service Providers

The responsibility for the Security of Company Information Technology Network information technology resources deployed by external service providers must be articulated in the contract with the service provider and must include Security contacts. Escalation procedures must also be documented. The contracting Company MIS Section is responsible for the third-party organization's compliance with this policy.

12.2. Enforcement

Any Authorized User found to be violating this policy shall be considered an Un-authorized User, and may be subject to actions pursuant with the Enforcement section of the Un-authorized Use Policy.

13. Wireless Communication Policy
13.1. Purpose

This policy defines the standards that govern the use of wireless communication equipment to access the Company Information Technology Network.

13.2. Scope

This policy covers all wireless data communication devices, including, but not limited to, personal computers, cellular phones, PDAs, iPads or Networks connecting to the Company Information Technology Network.

13.3. Policy

Authorized Users shall only access the Company Information Technology Network via wireless systems that meet the criteria set forth in this policy, unless they have been granted a written waiver by Information Security personnel.

Register Access Points and Cards

All WAPs and base stations connected to the Company Information Technology Network must be registered with and approved by Information Security personnel. Use of these devices by Authorized Users subjects the devices to periodic penetration tests and audits by Information Security. All Wireless Network interface cards used in resources owned by the Company must be registered with the Information Technology Services /MIS section. All wireless Local Area Network (LAN) access must use vendor products and Security configurations approved by Information Security /MIS personnel before being connected to the Company Information Technology Network.

13.3.1. VPN Encryption and Authentication

All computers with wireless LAN devices intended for connection to the Company Information Technology Network for the purpose of conducting Company business must use a Virtual Private Network (VPN) configured to drop all unauthenticated and unencrypted traffic, and must be approved by Information Security personnel before being connected to the Company Information Technology Network. To comply with this policy, Authorized Users must use wireless implementations that maintain point-to-point Hardware Encryption with keys of at least 128 bits. All implementations must support a Hardware address that can be registered and tracked (e.g. a Media Access Control address). All implementations must support and employ strong User Authentication. The Service Set Identifier (SSID) must be configured so that it does not contain any identifying information about the Company, such as the Company name, division title, employee name, or product identifier.

13.4. Enforcement

Any Authorized User found to be violating this policy shall be considered an Un-authorized User, and may be subject to actions pursuant with the Enforcement section of the Un-authorized Use Policy.

14. Change Management Policy
14.1. Purpose

This policy describes a systematic process to document and manage changes to the Company Information Technology Network in order to permit effective planning by the Company Information Technology /MIS to serve the Company user-base.

14.2. Scope

This policy applies to all Authorized Users who maintain, or operate Company information technology resources, including, but not limited to: computer Hardware, Software, and Networking devices.

14.3. Policy
14.3.1. Any change to a Company Information Technology Network information technology resource is subject to this policy, and must be performed in compliance with the Company's Change Management Procedure.

14.3.2. All changes affecting Company Information Technology Network computer based environmental facilities, including but not limited to air-conditioning, water, heat, plumbing, electricity, and alarms, must be reported to or coordinated with the Information Technology /MIS section.

14.3.3. A formal written change request must be submitted to the Information Technology /MIS section for all changes, both scheduled and unscheduled.
14.3.4. All scheduled change requests and supportive documentation must be submitted in compliance with the Change Management Procedure. The request will then be reviewed by the Change Management Committee, and a decision will be made whether to allow or delay the request.

14.3.5. The Change Management Committee may deny a scheduled or unscheduled change for reasons that include, but are not limited to, the following: inadequate planning, inadequate reversion plans, negative impact of change timing on a key business process, or inadequate resource availability.

14.3.6. Customer notification must be completed for each scheduled or unscheduled change, in compliance with the Change Management Procedure documentation.

14.3.7. A Change Review must be completed for each change to the Company Information Technology Network, whether scheduled or unscheduled, successful or not.

14.3.8. A Change Management Log must be maintained for all changes. The Log must contain (but is not limited to):

• Date of submission
• Requestor of change
• Date of change
• Implementer of change
• Nature of the change
• Results of the change

14.4. Enforcement

Any Authorized User found to be violating this policy shall be considered an Un-authorized User, and may be subject to actions pursuant with the Enforcement section of the Un-authorized Use Policy.

15. Information Security Audit Policy
15.1. Purpose

Information Security /MIS personnel utilize various methods to perform electronic scans of the Company’s Networks and Firewalls, or on any system connected to the Company Information Technology Network. Information Security /MIS personnel are authorized to conduct audits to:

15.1.1. Ensure integrity, confidentiality and availability of information and resources
15.1.2. Investigate possible Security incidents
15.1.3. Ensure compliance to Company Information Technology Policies and Procedures documentation
15.1.4. Monitor Authorized User or system activity where appropriate

15.2. Scope

This policy covers all computer and communication devices connected to the Company Information Technology Network, whether or not they are owned or operated by the Company. Information Security /MIS personnel may perform Denial of Service or other disruptive activities where an audit requires it.

15.3. Policy
15.3.1. Authorization to Audit

Only Information Security /MIS personnel or other specifically authorized parties may audit devices that are owned by the Company or are connected to the Company Information Technology Network. Third-party organizations may perform audits only if explicit written permission from the GM office /MIS is granted.

15.3.2. Access
Information Security /MIS personnel shall be granted access to the following in order to effectively perform audits:
15.3.2.1. User level or system level access to any computing or communications device
15.3.2.2. Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on the Company Information Technology Network
15.3.2.3. Access to work areas (offices, cubicles, storage areas, etc.)
15.3.2.4. Access to interactively monitor and Log traffic on the Company Information Technology Network

15.3.3. Remediation

Information Security /MIS personnel shall report all results to the GM office and shall follow up with the processes necessary to resolve any exceptions.

15.4. Enforcement

Any Authorized User found to be violating this policy shall be considered an Un-authorized User, and may be subject to actions pursuant with the Enforcement section of the Un-authorized Use Policy.

16. Data Management and Access Policy
16.1. Purpose

Company data captured and maintained at OraniWD are valuable company resources. While these data may reside in different database management systems and on different machines, these data in aggregate may be thought of as forming one logical company resource, which will herein be called the Company Enterprise Database (CEDB). The CEDB contains data from multiple operational areas that need to be integrated in order to support institutional research, business analysis, reporting, and decision-making. This policy establishes uniform data management standards and identifies the shared responsibilities for assuring that the CEDB has integrity and that it efficiently and effectively serves the needs of the company. This policy applies to all data necessary to the administration of the company.

Policy
16.1.1. Data Management Roles and Responsibilities

Information Technology /MIS Officer - The company official responsible for overseeing the management of the Company Information Resource. The Information Technology Officer (ITO) has signature approval authority for the Administrative Data Management and Access Policy. In consultation with the General Manager, the ITO mediates conflicts and discrepancies between the interests of the data trustees, the Company GM, and the needs and interests of the Company.

16.1.2. Database Administrator Responsibilities

16.1.2.1. The Database Administrator (DBA) is the information technology staff member in a functional area with day-to-day responsibility for the capture, maintenance, and dissemination of data for a particular operation.

16.1.2.2. The data management activities assigned to a Database Administrator may be specified in this policy or by the Information Technology organization.

16.1.2.3. The DBA is responsible for managing business processes and establishing the business rules for the production transaction systems.

16.1.2.4. The DBA makes recommendations related to data, issues, and standards that affect more than one administrative area.
16.1.3. Systems Administrator Responsibilities

16.1.3.1. Establishes and documents integration standards for code mappings and crosswalks between operational applications and systems, and ensures that individual responsibilities and procedures are clearly outlined and appropriately communicated.

16.1.3.2. Specifies, implements, and maintains appropriate security controls and authorized access for Data Users

16.1.3.3. Implements data warehousing system that collects, structures, and delivers Company data to support timely, effective decision-making.

16.1.3.4. Plans for /maintains security policies and practices and keeps abreast of security related issues internally within the Company operating hardware and software platforms

16.1.3.5. Implements official guidelines and tools to manage the Company's information resources and shares responsibility for data administration activities among the company Authorized Users.

16.1.3.6. Documents processes and identifies responsibilities in the system-shared-information environment.

16.1.3.7. Specifies, implements, and maintains access controls to assure that Data Users have the appropriate authorized access needed to perform assigned duties and/or fulfill Company roles
16.1.4. Data Users

Individuals who access company data in order to perform their assigned duties or fulfill their roles in the company are responsible for protecting their access privileges and for proper use of the Company data they access.

16.2. Procedures
16.2.1. Data Administration

16.2.1.1. An official data storage location or system-of-record for each data element is identified by the Database Administrator (DBA). An official data storage location for valid codes and values for each data element is identified by the appropriate DBA. OraniWD Database element definitions and codes are managed by the DBA to assure they are consistent across all applications and that they conform to pre-established integration standards for code mappings and crosswalks between systems.

16.2.1.2. Archiving requirements and strategies for storing and preserving archived historical data are pre-determined by the DBA for each CEDB data element. Information Technology/MIS assists in determining archiving requirements and data storage location for CEDB data.

16.2.2. Data Integrity, Validation and Correction

16.2.2.1. The DBA is responsible for assuring that applications that capture and update CEDB data incorporate edit and validation checks to protect the integrity of the data.

16.2.2.2. Any Data User may question the accuracy of any data element.

16.2.2.3. The Data User is responsible for helping to correct the problem by supplying as much detailed information as possible about the nature of the problem.

16.2.2.4. The DBA is responsible for assuring data integrity, responding to questions about the accuracy of data, and correcting inconsistencies if necessary. Upon written identification and notification of erroneous data, corrective measures are immediately taken to:

16.2.2.4.1. Correct the cause of the erroneous data.

16.2.2.4.2. Correct the data in the official storage location.

16.2.2.4.3. Notify users who have received or accessed erroneous data.

16.2.3. Data Collection and Maintenance

The DBA is responsible for complete, accurate, valid, and timely data collection. Delegation and decentralization of data collection and maintenance responsibility are encouraged in order to assure that electronic data are efficiently updated at or near the data source or creation point. Furthermore, data-handling steps that do not add value should be eliminated. Procedures may be added instead to provide new informational status reports to interested parties.

16.2.4. Data Extracts and Reporting

16.2.4.1. DBA is responsible for specifying business rules regarding the manipulation, modification, or reporting of CEDB data elements.

16.2.4.2. DBA is also responsible for establishing standard CEDB data transformations to create pertinent summary or derived data. Note that summary or derived data are considered part of the CEDB and therefore subject to the same data management standards.

16.2.4.3. The DBA is responsible for specifying proper dissemination of CEDB data; individual Data Users are held accountable for their own use of the data. All sets of data extracted or reported from the CEDB should include a notation or display of the time and date they were extracted from the source operational system/s so the currency of disseminated data can be clearly communicated. The DBA works with Data Users to define useful and meaningful schedules for creating standard data extracts.

16.2.5. Data Archiving

16.2.5.1. DBA is responsible for defining the criteria for archiving the data to satisfy retention requirements.

16.2.5.2. The DBA develops appropriate data archiving strategies and procedures. The capture of historical data into a Data Warehouse does not relieve the DBA of the responsibility for maintaining archives of detailed transactional data in accordance with legal record retention requirements.

16.2.6. Data Warehousing

16.2.6.1. The DBA is responsible for establishing an informational database known as the Data Warehouse. The Data Warehouse stores sharable historic data from operational systems-of-record, as well as transactional data derived from the operational data and deemed to be useful management information.

16.2.6.2. It supports Data User queries to track and respond to business trends and to facilitate forecasting and planning efforts. The Data Warehouse often contains summarized data derived from transaction detail and may not contain all the supporting transaction details stored in the operational system-of-record or in the data archives.

16.2.6.3. The Data Warehouse design is based on a Data Integration Model, which is a logical construct that describes entities that comprise the Company Enterprise Database (CEDB). The Data Integration Model clarifies the linkages among data collected or maintained by the various organizational units of the Company.

16.2.7. Access and Security Administration

16.2.7.1. Data Access Philosophy

The value of data as a Company resource is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, or unnecessary restrictions to its access. Increased data access and use improve data integrity because discrepancies are identified and errors are subsequently corrected. Permission to view or query data contained in the CEDB should be granted to all Data Users for all legitimate purposes. Update access should be restricted as necessary, but granted to Company employees at the location where data are initially received or originated whenever this is feasible. Information specifically protected by law or regulation must be rigorously protected from inappropriate access. Examples include company records or employee information that are identifiable with a specific person.

16.2.7.2. Implementation of Security Controls

The DBA shares security administration responsibilities (i.e., the functions of specifying, implementing, and managing system and data access control). To the extent possible, the DBA will define a single set of Company procedures for requesting and authorizing access to limited-access data elements in the CEDB. The DBA is responsible for documenting these access request and authorization procedures. The DBA, with the assistance of Information Technology, is responsible for monitoring and annual reviews of security implementation and authorized access.

All Data Users who are cleared for limited-access CEDB data must acknowledge (by signed statement or other documented means) that they understand the level of access provided and accept responsibility both to protect their access privileges and to maintain the confidentiality of the data they access. The DBA is responsible for defining and implementing procedures to assure that data are backed up and recoverable in response to events that could compromise data integrity. Information Technology or other Company organizations may assist in this effort. The Company Information Technology Security Officer is responsible for maintaining a plan for security policies and practices and for keeping abreast of security-related issues internally within the Company community and externally throughout the information technology marketplace.

16.2.8. System Administration

Company enterprise data may be stored on a variety of computing hardware platforms, provided such platforms are fully integrated components of a managed Company Information System. Whenever Company enterprise data are stored on any component of a Company information system, that system component must have a defined System Administration function with a designated system administrator whose responsibilities include:

1. physical site security
2. administration of security and authorization systems
3. backup, recovery, and system restart procedures
4. data archiving
5. capacity planning
6. performance monitoring

16.2.9. User Support and Responsibilities

The DBA is responsible for providing user support to assist Data Users with interpretation and use of CEDB data. The DBA is also responsible for providing documentation of the information resource and for training and consulting services as needed.

16.3. Scope

This policy covers all Unauthorized Use of the company Information Technology Database, whether such Unauthorized Use is done by a person who is not an Authorized User, or by an Authorized User who exceeds Authorized Use permitted by the company, all of whom are referred to in this policy as “Unauthorized Users.”

16.4. Enforcement

Any Authorized User found to be violating this policy shall be considered an Unauthorized User, and may be subject to actions pursuant to the Enforcement section of the Unauthorized Use Policy.

17. Source Code Policy

17.1. Purpose

This is for the protection of the OraniWDS source code from licensing agreement violations, unauthorized modification, or destruction.

OraniWDS is a Company-wide financial management system. It has been modified to support company business functions.

The overall management concept for OraniWDS is that a single integrated set of software, which has been acquired by the Company, functions under a cooperative effort which includes the active participation of all the Management Team and the OraniWD Board of Directors.

OraniWDS is maintained by the MIS Department OraniWD Systems, which is responsible for the requirements identification, design, programming, testing, software configuration management, OraniWDS system documentation, and other activities associated with the deployment and maintenance of the OraniWDS software.

17.2. Policy

17.2.1. The Program Developer and the OraniWD Management using OraniWDS shall protect the OraniWDS source code from licensing agreement violations, unauthorized modification, redistribution or destruction.

17.2.2. All Employees of OraniWD have the individual responsibility for the company-wide management of the OraniWDS program.

17.2.3. The designee is the individual responsible for determining access authorization and for maintaining an up-to-date list of all personnel who have been granted access to the OraniWDS source code.

17.3. Definition

17.3.1. “Authorized IT personnel” are those individuals who have written approval from the OraniWDS management Head to have access to the OraniWDS source code.

17.3.2. “Single, integrated financial management system” means a unified set of financial systems and the financial portions of mixed systems encompassing the software, hardware, personnel, processes (manual and automated), procedures, controls and data necessary to carry out financial management functions, manage financial operations for the agency and report on the agency’s financial status to government agencies, Commission on Audit, and the public. Unified means that the systems are planned for and managed together, operated in an integrated fashion, and linked together electronically in an efficient and effective manner to provide agency-wide financial system support necessary to carry out the agency’s mission and support the agency’s financial management needs.

17.3.3. The “OraniWDS software” is defined as:

17.3.3.1. All software modules of the OraniWDS, Total General Ledger System (TGLS), Total Utility Billing System (TUBS), Total Works Management System (TWMS), Total Attendance and Payroll System (TAAPS) and Meter Reading and Billing System (MRBS), Human Resource Information System (HRIS), and any administrative module containing financial data maintained by the Developer. This includes database objects, e.g., Structured Query Language (SQL) scripts, triggers, and stored procedures and functions and packages that the developer delivers to or maintains for the company.

17.3.3.2. “OraniWD software” is defined as any software developed and maintained by an in-house developer to support or enhance OraniWDS. This includes unique administrative modules, interfaces, documentation, and additional database objects such as tables, indices, views, snapshots, reports, and so forth.

“Modifications to the OraniWDS Software” include:

17.3.3.2.1. All changes to OraniWDS software, documentation, and supporting database objects as listed in Section above.

17.3.3.2.2. The creation of any new programs or database structures that modify OraniWDS software.

17.3.3.2.3. Any upgrades to the software development technologies and database technologies (technology migration) upon which the OraniWDS applications have been developed. The System Configuration section lists the supported desktop and server system configurations. The configurations listing can be found in the user manual.

17.3.3.3. An “interface” is defined as an automated process for transferring data between OraniWDS databases and external systems consisting of one or more programs that load data files into the OraniWDS databases. The interface may include interactive user screens needed to control the processes or correct problems in the transfer. An interface does not include the creation of data entry screens to manually enter data from a feeder system.

17.4. Responsibilities

17.4.1. Serves as the Company’s OraniWDS software developer and ensures that policies concerning the protection of OraniWDS software are followed.

17.4.2. Develop and implement modifications to the OraniWDS software and manage the software change control process under which all software changes are made.

17.4.3. Coordinates and controls the release and deployment of OraniWDS software releases, new OraniWDS software modules, and emergency fixes to operational sites within the company, and investigates and corrects any logic errors detected in the OraniWDS software code and database.

17.4.4. Provides required development, design, or programming resources to complete software development assignments according to the process discussed in “Making Changes to OraniWD Softwares”.

The OraniWDS developer will:

17.4.4.1. Provide a secure site for the operations of the OraniWDS software and ensure that access to the OraniWDS source code is given only to authorized personnel who have a specific need to know the code.

17.4.4.2. Implement security controls to protect the OraniWDS source code, including the following:

17.4.4.2.1. Designate a secure drive, in which the source code will be saved, to which access is restricted.

17.4.4.2.2. Restrict user access to the network drive to only those individuals required to process the OraniWDS source code.

17.4.4.2.3. Separate duties for those individuals handling the source code so that more than one person is responsible for performing the functions of the database administrator, system administrator, tester, and configuration manager.

17.4.4.2.4. Distribute the “Rules of Behavior” form to all personnel and specify that the rules must be followed with respect to the OraniWDS source code.

17.4.4.2.5. Maintain “Request for OraniWDS Source Code” forms and a listing of approvals, including the name of the requestor, medium onto which the OraniWDS source has been copied, location to which the copy is to be transported, purpose of use, and duration of authorization.

17.4.4.2.6. Ensure that contractors who are granted access to the OraniWDS source code sign a Non-Disclosure Agreement that prohibits them from distributing the code to any non-authorized individuals, and from using the code other than in direct support of the company use of OraniWDS.

17.4.4.2.7. Refrain from modifying OraniWDS software, the financial system of record for the ORANIWD System. Unauthorized OraniWDS users are prohibited from modifying OraniWDS software and from executing modified OraniWDS software in company production environments. The only exceptions to this policy are found in Appendix A, “Making Changes to OraniWDS Software”.

17.4.4.2.8. The Management or designee will determine access authorization and grant permission, on a case-by-case basis, to government personnel to make or transport copies of the OraniWDS source code outside of company-controlled facilities.

17.4.4.2.9. The Management or designee will maintain a list of approvals, including the name of the requestor, medium onto which the OraniWDS source code was copied, location to which copy is to be transported, purposes of use, and duration of authorization.

17.4.4.2.10. Authorized OraniWDS personnel will read and sign the “Rules of Behavior” (see Appendix B) document that specifies the rules which must be followed with respect to the OraniWDS source code.

17.4.4.2.11. Authorized OraniWDS personnel will use the “Request for OraniWDS Source Code” for any requests to make and/or transport copies of the OraniWDS source code outside company-controlled facilities.

17.4.4.2.12. Authorized OraniWDS personnel will, at the end of the authorization period, return the OraniWDS source code copy to the company OraniWDS designee, or provide written notice to the company OraniWDS designee that the copy has been destroyed.

17.4.4.2.13. The In-House Programmer will sign a Non-Disclosure Agreement that prohibits them from distributing the code to any non-authorized individuals, and from using the code other than in direct support of the company use of OraniWDS.

17.5. Scope

This policy covers all Unauthorized Use of the company Information Technology Source Codes, whether such Unauthorized Use is done by a person who is not an Authorized User, or by an Authorized User who exceeds the Authorized Use permitted by the company, all of whom are referred to in this policy as “Unauthorized Users.”

17.6. Enforcement

Any Authorized User found to be violating this policy shall be considered an Unauthorized User, and may be subject to actions pursuant to the Enforcement section of the Unauthorized Use Policy.

18. Mobile Device Security Policy

18.1. Introduction

Every member of the Company community who utilizes a laptop computer or mobile electronic data device (e.g. Laptop, Blackberry, Flash Drive, Smart Phone, Hand Held PC, iPad, MacBook, etc.) is responsible for the Company data stored, processed and/or transmitted via that computer or device, and for following the security requirements set forth in this policy and in the Information Security Policy. This Policy applies to all such devices, whether institution-owned or individually owned.

18.2. Purpose

The purpose of the Mobile Device Security Policy is to assure data integrity and confidentiality of employees and employees’ information, as well as control access and to educate users regarding limitations and liabilities pertaining to data access. Information is a vital Company asset and requires protection from unauthorized access, modification, disclosure or destruction.

Further, through this policy, OWD will comply with national regulations governing the privacy and security of information, and will protect Confidential Data in the event of laptop computer or mobile electronic data device theft.

18.3. Definitions

18.4. Policy Statements

18.4.1. Protection of Confidential Data

18.4.1.1. Every user of laptop computers or other electronic data mobile devices must use reasonable care, as outlined in the Company’s Information Security Policy, to protect Company Confidential Data as defined in the Data Classification Security Policy.

18.4.1.1.1. Protection of Confidential Data against physical theft or loss, electronic invasion, or unintentional exposure is provided through a variety of means, which include user care and a combination of technical protections such as authentication, encryption, and remote sanitization capability that work together to secure mobile devices against unauthorized access. Prior to use or display of Confidential Data via laptop computer or other electronic data mobile device, the following security measures must be in place.

18.4.1.1.1.1. A laptop or other electronic data mobile device must authenticate the user before access to services shall be permitted. Mobile devices must be configured to timeout after 10 minutes of inactivity and require re-authentication before access to services be permitted. The authentication mechanism(s) must not be disabled. This can also include the use of security features on mobile devices (i.e. - automatic lock). Furthermore, if institutional data is being placed on a personal device, approval would need to be obtained (i.e. - Company e-mail on personal phone). Implicit approval can be assumed upon issuing a Company owned device. Temporary access of Company devices can be obtained with proper approval (i.e. – vendors).

18.4.1.1.1.2. The MIS approved encryption option must be enabled on laptop computers that transmit or store Company confidential information.

18.4.1.1.1.3. Laptops shall be protected with antivirus software and updated daily if supported by the device. OWD email is protected with centralized anti-virus and anti-spam software. This protection may not apply to email systems outside of OWD.

18.4.1.1.1.4. The issuance of Company owned laptops/iPads and their use outside of Company premises are determined by employee functions. Exempt employees are permitted to take and/or use their laptop outside of work premises. Non-exempt employees are not permitted to bring out any company-owned computer, drives or any computer accessories from office premises.

18.4.1.1.2. The use of unprotected or personally-owned mobile devices to access or store Company Confidential Data is prohibited, even if the equipment is Company-issued.

18.4.1.1.2.1. Reporting Loss/Theft of Equipment or Data

18.4.1.1.2.2. Company employees who are issued Company-owned laptop computers and other portable electronic devices are expected to secure & take care of them. The Company will not shoulder the cost for the loss of a laptop computer or other portable electronic device unless it is found to be caused by burglary (i.e. taken from a locked desk, cabinet, closet, or office, the item was secured by using a locking cable, and there are signs of forced entry thereto).

18.4.1.1.2.3. For Company equipment, all recipients are required to maintain the physical care of the device as well as the content within. All Company-issued laptops & iPads shall be covered under ADP (Accidental Damage Protection).

18.4.1.1.2.4. In the event a Company-owned laptop computer or other device is lost or stolen, the theft or loss must be reported immediately to Company Security.

18.4.1.1.2.5. In the event Company Confidential Data is accessed/contained illegally through any personally-owned computer or any device or even Company-issued one, the MIS must be contacted immediately, who in turn, must report such activity to the GM’s office.

18.4.1.1.2.6. In the event of a lost or stolen Company-issued mobile device, the Company, through the MIS section, has the right to wipe the contents of the device.

18.4.2. Requirements When Traveling Overseas

18.4.2.1. OWD personnel and employees carrying Company-issued laptops or other electronic data mobile devices while traveling abroad, whether on business or for pleasure, must comply with Philippine trade control laws. Philippine Export Control laws may prohibit or restrict such activities without special Philippine government licenses. Before traveling abroad with a laptop or other electronic data mobile device, OWD officers & employees must understand the restrictions and must be responsible for investigating and complying with the laws of both the Philippines and countries they are visiting.

18.5. General Configuration Standard

18.5.1. The MIS can be contacted to determine if appropriate protections are already in place or assist in enabling the security measures for laptops or other electronic data mobile devices.

19. Internet Use Policy

19.1. Introduction

Information resources are strategic assets of OWD that must be managed as valuable institutional resources. Thus, this policy is established to achieve the following:

• To ensure compliance with applicable statutes, regulations, and mandates regarding the management of information resources.
• To establish prudent and acceptable practices regarding the use of the internet.
• To educate individuals who may use the internet, the intranet, or both with respect to their responsibilities associated with such use.

19.2. Purpose

To fulfill Orani Water District Company’s mission, OWD Company provides access to a broad range of information resources, including those available through the Internet. We make this service available as part of our mission to offer a broadly defined program of informational, educational, recreational and cultural enrichment opportunities for the members of the Company and the communities it is serving. Orani Water District Company only assumes responsibility for the information provided on the home page and the supporting web pages on the Orani Water District Company’s server network. Orani Water District Company does not monitor and has no control over the information accessed through the Internet. The Internet offers access to many valuable local, national, and international sources of information. However, not all sources on the Internet provide accurate, complete, or current information. A good information consumer evaluates the validity of information found.

19.3. Scope

The OWD Internet Use Policy applies equally to all individuals granted access to any OWD Information Resource with the capacity to access the internet, the intranet, or both.

19.4. Ownership

Electronic files created, sent, received, or stored on computers owned, leased, administered or otherwise under the custody and control of OWD are the property of OWD.

19.5. Privacy

Electronic files created, sent, received, or stored on OWD MIS Information Resources owned, leased, administered, or otherwise under the custody and control of OWD are not private and may be accessed by OWD employees at any time without knowledge of the user-owner. Electronic file content may be accessed by appropriate personnel in accordance with the provisions and safeguards established in this policy manual.

19.6. Policy

19.6.1. Responsibility of users - The user shall not engage in any activity which abuses any resource of the Orani Water District Company network, whereby the network is restricted in use or is damaged in any manner. The Information Technology/MIS personnel constantly monitor the OWD network to ensure the proper operation of the service. The MIS staff shall counsel with individuals whose practices impinge on the capabilities of services and assist those individuals in eliminating any abusive practices.

19.6.2. Software for browsing the Internet is provided to authorized users for business, academic and research use only.

19.6.3. All software used to access the Internet must be part of the OWD standard software suite or approved by the ISO. This software must incorporate all vendor provided security patches.

19.6.4. All files downloaded from the Internet must be scanned for viruses using the approved MIS distributed software suite and current virus detection software.

19.6.5. All software used to access the Internet shall be configured to use the firewall http proxy.

19.6.6. All sites accessed must comply with the OWD Acceptable Use Policies.

19.6.7. All user activity on OWD MIS resource assets is subject to logging and review.

19.6.8. Content on all OWD Web sites must comply with the OWD Acceptable Use Policies.

19.6.9. No offensive or harassing material may be made available via OWD Web sites.

19.6.10. Non-business related purchases made over the internet are prohibited. Business related purchases are subject to OWD procurement rules.

19.6.11. No personal commercial advertising shall be made available via OWD Web sites.

19.6.12. OWD internet access may not be used for personal gain or non-OWD personal solicitations.

19.6.13. No OWD data will be made available via OWD Web sites without ensuring that the material is available to only authorized individuals or groups.

19.6.14. All sensitive OWD material transmitted over external networks must be encrypted.

19.6.15. Electronic files are subject to the same records retention rules that apply to other documents and must be retained in accordance with division records retention schedules.

19.6.16. Incidental Reasonable Use

19.6.16.1. Incidental/reasonable personal use of Internet access is restricted to OWD approved users; it does not extend to family members or other acquaintances.

19.6.16.2. Incidental use must not result in direct costs to OWD.

19.6.16.3. Incidental use must not interfere with the normal performance of an employee’s work duties.

19.6.16.4. No files or documents may be sent or received that may cause legal liability for or embarrassment to, OWD.

19.6.16.5. Storage of personal files and documents within OWD’s MIS resources should be nominal. All files and documents within OWD’s MIS resources, including personal files and documents, are owned by OWD, and thus may be subject to “open records” requests and may be accessed in accordance with this policy.

19.7. General Configuration Standard

19.7.1. Choosing and evaluating resources - The Internet is a global entity with a highly diverse user population and information content. OWD patrons use it at their own risk. The Company cannot censor access to materials or protect users from materials they may find offensive. The user alone is responsible for the information accessed through the Internet. OWD reserves the right to choose sources to link to its home page. In doing so, the Company will provide links only to those sites that conform to the Company's mission and goals. Beyond this, it does not monitor or control information accessible through the Internet. The Company is not responsible for changes in content of the sources to which it links, nor for the content of sources accessed through secondary links. As with printed information, not all sources on the Internet provide accurate, complete, or current information. Users should evaluate Internet sources just as they do printed publications, questioning the validity of the information provided. The Company expressly disclaims any liability or responsibilities arising from access to or use of information obtained through its electronic information systems or any consequences thereof.

19.8. Enforcement

Violation may result in a denial of access to Company computer resources, and any Authorized User found to be violating this policy shall be considered an Unauthorized User, and may be subject to actions pursuant to the Enforcement section of the Unauthorized Use Policy.

20. E-mail Use Policy

20.1. Introduction

Electronic mail is available to facilitate the professional and business work of persons employed at Orani Water District Company. It provides a way to communicate with individuals and with designated groups. Orani Water District Company encourages appropriate use of E-mail to enhance productivity through the efficient exchange of information in furtherance of education, public service and the expression of ideas. Use of this resource must be consistent with these concepts. As responsible members of the Company community, employees are expected to act in accordance with the following general guidelines. These guidelines are not meant to be all-inclusive. Generally accepted practices of common sense, decency, civility and legality should be taken into account when E-mail is utilized. OWD information resources are strategic assets that must be managed as valuable resources. Thus, this policy is established to achieve the following:

• To ensure compliance with applicable statutes, regulations, and mandates regarding the management of information resources.
• To establish prudent and acceptable practices regarding the use of email.
• To educate individuals using email with respect to their responsibilities associated with such use.

20.2. Purpose

The purpose of the OWD Email Policy is to establish the rules for the use of OWD email for the sending, receiving, or storing of electronic mail.

20.3. Scope

The OWD Email Policy applies equally to all individuals granted access privileges to any OWD information resource with the capacity to send, receive, or store electronic mail.

20.4. Definitions

20.4.1. Electronic mail system: Any computer software application that allows electronic mail to be communicated from one computing system to another.

20.4.2. Electronic mail (email): Any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.

20.4.3. “Mass e-mailings” are considered those sent to the entire Company, employee body or a subset of employees larger than a division, program, or satellite Company.

20.5. Policies

20.5.1. The Information Technology Service (MIS) staff is charged with maintaining the hardware, software and network for maximum efficiency of the E-mail system. Lack of adherence to these guidelines will adversely impact the capabilities of Company-wide servers. MIS staff will counsel with individuals or supervisors of individuals whose practices impinge on the capabilities of the services and assist them in reducing their drain on resources.

20.5.2. Messages sent as electronic mail should meet the same standards for distribution or display as if they were tangible documents. The user should identify him or herself clearly and accurately in all electronic communications. Concealing or misrepresenting one's identity or affiliation is prohibited.

20.5.3. Altering the source of electronic mail or an MIS message is unethical, illegal and prohibited. Such action can get Orani Water District Company blacklisted as a spammer.

20.5.4. Electronic mail is the property of the Company; however, unauthorized individuals may not attempt to access another user's electronic mail.

20.5.5. The Company respects privacy; thus, network system administrators shall not intentionally access the contents of E-mail messages, and if content is accidentally accessed, it shall be treated as confidential.

20.5.6. The Company cannot guarantee absolute privacy and confidentiality of electronic documents. Password security and confidentiality are the responsibility of the user. MIS will provide guidelines for the frequency of change and the nature of passwords. In keeping with good judgment, users should create electronic documents as if they were to be made available to the public.

20.5.7. Abusive, threatening, or harassing E-mail is prohibited.

20.5.8. The user is expected to promote efficient use of network resources consistent with the instructional, research, public service and administrative goals of the company. The user is expected to refrain from any use that may interfere with another's work or disrupt network resources. The user should avoid wasteful and disruptive practices such as allowing large amounts of E-mail to go unattended, spreading chain letters, or sending of other unsolicited material.

20.5.9. Restraint in the use of the Everyone Group feature of the E-mail software is expected of the user. Use of the Everyone Group feature for non-OWD related content must have superior’s approval.

20.5.10. The user shall not use the Everyone Group to send recipes, jokes or humor, large attachments, requests for placement of a pet, distribution of any form of spam, or any non-Company related announcement.

20.5.11. E-mail and any other network resources shall not be used for commercial purposes or for personal financial gain. This does not preclude the user from investigating the relative advantages or disadvantages of a potential product or service for the Company.

20.5.12. Standards of conduct expected of employees with regard to the use of telephones, libraries and other institutional resources apply to E-mail use. Users shall be held accountable for their actions, as they would be when using other forms of communication.

20.5.13. Company employees must not send, forward or receive confidential or sensitive OWD information through non-OWD email accounts. Examples of non-OWD email accounts include, but are not limited to, Hotmail, Yahoo mail, AOL mail, and email provided by other Internet Service Providers (ISPs).

20.5.14. Employees must not send, forward, receive or store confidential or sensitive OWD information utilizing non-OWD accredited mobile devices. Examples of mobile devices include, but are not limited to, Personal Data Assistants and cellular telephones.

20.5.15. Sending Mass E-Mailings to Employees and Consumers

20.5.15.1. The purpose of this policy is to provide guidance on the appropriate use of mass e-mailings to Company employees. For the purposes of this policy, “mass e-mailings” are considered those sent to the entire employee body or a subset of employees larger than a division, program, or satellite Company. This policy does not limit the rights of individual employees, division, program, or Company directors to send e-mails to their respective constituencies, nor does it limit the right of the Company Relations Office to use prospective employee email addresses for marketing and recruitment purposes.

20.5.15.2. All requests for employee e-mail address extracts from the Employee database must be initiated through the Administrative Division and approved by the GM’s office.

20.5.15.3. Mass e-mailings are an internal form of communication to be used for official company purposes only. The sale/distribution of OWD employee e-mail addresses to non-OWD entities is prohibited. In cases where distribution is allowed, the request must be fulfilled by the Admin office.

20.5.15.4. E-mail addresses extracted for purposes of mass mailings shall only be used by officially designated individuals assigned to approve mass e-mailings for certain employee/consumer populations. They should never be provided to “end-users”.

20.5.15.5. Mass e-mailing approvals shall be handled by various Gatekeepers as follows: Company mass e-mailings to the entire employee/consumer body or a subset greater than the Division level must have the approval of the General Manager (or designee).

20.5.15.6. Company mass e-mailings to a subset of employees/consumers at the Division level must have the approval of the appropriate General Manager (or designee).

20.5.15.7. Administrative mass e-mailings to employees/consumers must have the approval of the General Manager (or designee) regardless of the employee/consumer population targeted.

20.5.15.8. Recruitment-oriented mass e-mailings to prospective employees must have the approval of the General Manager, regardless of the size of the population targeted.

20.5.15.9. Mass e-mailings to all employees will be restricted to those messages that are considered to be an emergency, time-sensitive, or critical to support the administrative functions of the Company.

20.6. Guidelines and Standard Operating Procedures (SOP)

20.6.1. Examples of Acceptable Uses of E-mail

20.6.1.1. The distribution of minutes of various committees as well as other notices of general interest to all officers and staff.

20.6.1.2. The use of personal groups is appropriate in circumstances, such as updating mailing lists, announcing committee assignments, and distributing facts about pending projects.

20.6.2. Examples of Inappropriate Uses of E-mail

20.6.2.1. Announcement of the sale of personal property or the solicitation of support for a particular political position. However, point-to-point communication with governmental representatives is acceptable.

20.6.2.2. User subscription to listservs is an acceptable method of keeping current on many issues. The user is expected to confine subscriptions to a limited number and not backlog the E-mail system with a large number of unattended items.

20.6.2.3. The sending of large attachments such as personal photographic images is prohibited.

20.6.2.4. The user is expected to be honest, legal, and ethical and consider what he or she is sending before sending it. Abuse of computing privileges and any violations of these guidelines and policies established by the Company will be treated as a serious matter. By using the Company's E-mail system, the user agrees to abide by these policies. These policies are subject to change as technology advances, legal outcomes, or other unforeseen events that may occur.

20.6.2.5. General Guidelines

20.6.2.5.1. Keep messages simple and direct.

20.6.2.5.2. Ensure that any non-directory information is sent only to the employee.

20.6.2.5.3. Use plain text in messages--do not include HTML or formatted content.

20.6.2.5.4. Format messages so that lines wrap at 72 characters or less.

20.6.2.5.5. Include the name, title, and e-mail address of both the sender and the approving Gatekeeper.

20.6.2.5.6. Include the recipient e-mail addresses in the BCC (Blind Carbon Copy) field if the e-mail is sent to more than one individual at a time.

20.6.2.5.7. Include requestor’s phone number/extension.

20.6.2.5.8. Inserting attachments in the e-mail is discouraged; instead, use links to web pages hosting the documents in question.

20.6.2.5.9. Content and grammar are the responsibility of the requestor.

20.6.2.5.10. When a message is to be sent to more than 1,000 employees and customers, send separate mailings in groups of no more than 1,000 email addresses.
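As an added example, not part of the OraniWD manual, the Python helpers below prepare a mailing that follows guidelines 20.6.2.5.3 through 20.6.2.5.7 and 20.6.2.5.10 and then check a prepared message against them. The addresses, names and phone number are constructed, and placing the sender's own address in the visible To field is an assumption the guidelines do not state.

```python
"""Helpers for a mass e-mailing under section 20.6.2.5 (added example, not OraniWD code)."""
import textwrap
from email.message import EmailMessage

MAX_LINE = 72     # 20.6.2.5.4: lines wrap at 72 characters or less
MAX_BATCH = 1000  # 20.6.2.5.10: no more than 1,000 addresses per mailing


def wrap_body(text, width=MAX_LINE):
    """Re-wrap each blank-line-separated paragraph so no line exceeds `width`."""
    paragraphs = text.strip().split("\n\n")
    return "\n\n".join(textwrap.fill(p.strip(), width=width) for p in paragraphs)


def build_batches(subject, body, sender, gatekeeper, phone, recipients,
                  batch_size=MAX_BATCH):
    """Return one plain-text EmailMessage per batch of at most `batch_size` BCC recipients.

    `sender` and `gatekeeper` are (name, title, email) tuples. The trailing block
    carries the names, titles and addresses required by 20.6.2.5.5 and the
    requestor's phone/extension required by 20.6.2.5.7.
    """
    signature = (
        f"\n\n--\n{sender[0]}, {sender[1]} <{sender[2]}>\n"
        f"Tel/ext: {phone}\n"
        f"Approved by: {gatekeeper[0]}, {gatekeeper[1]} <{gatekeeper[2]}>"
    )
    full_body = wrap_body(body) + signature
    # Deduplicate while keeping order so nobody receives the mailing twice.
    unique = list(dict.fromkeys(r.strip().lower() for r in recipients if r.strip()))
    messages = []
    for start in range(0, len(unique), batch_size):
        msg = EmailMessage()
        msg["Subject"] = subject
        msg["From"] = sender[2]
        msg["To"] = sender[2]  # assumption: the sender is the only visible recipient
        msg["Bcc"] = ", ".join(unique[start:start + batch_size])  # 20.6.2.5.6
        msg.set_content(full_body)  # text/plain only, 20.6.2.5.3
        messages.append(msg)
    return messages


def _addresses(header_value):
    return [a.strip() for a in (header_value or "").split(",") if a.strip()]


def lint_message(msg):
    """Return the guideline numbers a prepared message violates (empty list = compliant)."""
    problems = []
    if msg.get_content_type() != "text/plain":
        problems.append("20.6.2.5.3")
    body = msg.get_content() if msg.get_payload() is not None else ""
    if any(len(line) > MAX_LINE for line in body.splitlines()):
        problems.append("20.6.2.5.4")
    if "Approved by:" not in body:
        problems.append("20.6.2.5.5")
    # More than one visible (To/Cc) recipient means addresses were not put in BCC.
    visible = _addresses(msg["To"]) + _addresses(msg["Cc"])
    if len(visible) > 1:
        problems.append("20.6.2.5.6")
    if "Tel/ext:" not in body:
        problems.append("20.6.2.5.7")
    if len(_addresses(msg["Bcc"])) > MAX_BATCH:
        problems.append("20.6.2.5.10")
    return problems


if __name__ == "__main__":
    # Constructed sample data; 2,501 entries with one duplicate yield three batches.
    sample = [f"user{i}@orani-wd.example" for i in range(2500)] + ["user0@orani-wd.example"]
    batches = build_batches(
        "Scheduled billing system maintenance",
        "The billing system will be unavailable on Saturday from 08:00 to 12:00 "
        "while MIS applies security updates. Please save your work beforehand.",
        ("Ana Cruz", "MIS Officer", "acruz@orani-wd.example"),
        ("Juan Reyes", "General Manager", "jreyes@orani-wd.example"),
        "123-4567 ext. 12",
        sample,
    )
    for b in batches:
        print(len(_addresses(b["Bcc"])), "recipients, problems:", lint_message(b) or "none")
```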

20.7. Procedure

20.7.1. Make request to Admin and obtain proper approval, obtain email listing, compose message and send.

20.7.2. Requests for mass e-mailings can be submitted by filling out the web-based request form located on the Admin Intranet site.

20.7.3. Turnaround time goals for sending mass e-mailings

20.7.3.1. As soon as possible for critical e-mailings

20.7.3.2. Within 3 business days for standard e-mailings

20.7.3.3. Within 3 business days of receiving the employee population extract from the Admin Office for specialized populations.

20.8. Enforcement

Violation may result in a denial of access to Company computer resources, and any Authorized User found to be violating this policy shall be considered an Un-authorized User, and may be subject to actions pursuant to the Enforcement section of the Un-authorized Use Policy.

Data Handling Guidelines for Exiting Employees

Procedures for the HR and IT Departments

Overview

The intention of this document is to help ensure that exiting employees' data and hardware are handled in a manner consistent with policy and best practice. It may also serve as documentation for audit purposes.

Procedures

The following form shall be used for managing hardware and data for exiting employees. Both IT/MIS and HR representatives must sign at the bottom to affirm that these procedures were followed by their respective sections. A copy of the signed document shall be kept in the Human Resources shared drive.

Retention

After 30 days, any data copied to the shared drive during the recovery process will be deleted, except for any signed exit procedure form(s). HR may request that the user data be kept for a defined length of time with permission from the GM’s office. Holding data for indefinite periods of time is discouraged.

Data Access

Requests from exited employees or approved employees for data or email access shall be handled by HR. Data and email are kept for 30 days after the termination date. HR is given access rights to exited employees' email and copied data as a part of the procedures below.

Orani Water District Information Technology Services Privileged Access Agreement

INTRODUCTION

Privileged access enables an individual to take actions which may affect computing systems, network communication, or the accounts, files, data, or processes of other users. Privileged access is typically granted to system administrators, network administrators, staff performing computing account administration, or other such employees whose job duties require special privileges over a computing system or network.

Individuals with privileged access must respect the rights of the system users, respect the integrity of the systems and related physical resources, and comply with any relevant laws or regulations. Individuals also have an obligation to inform themselves regarding any procedures, business practices, and operational guidelines pertaining to the activities of their local division.

Individuals with privileged access may have the inherent ability to peruse confidential and proprietary information in the course of an assigned duty. While pursuing appropriate actions required to provide high-quality, timely, and reliable computing services, the Information Technology Services (ITS) employees must comply with applicable policies, laws, and regulations pertaining to confidential and sensitive information. The ITS policies are defined in the ITS Policies document, and it is the responsibility of the ITS employee to be cognizant of changes and/or updates to those and other institutional policies. Changes shall be communicated to OWD by the Information Technology personnel.

GENERAL PROVISIONS

1. Privileged access is granted only to authorized individuals. Privileged access shall be granted to individuals only after they have read and signed this Agreement.

2. Privileged access may be used only to perform assigned job duties.

3. Privileged access may be used to perform standard system-related duties. Examples may include:

o installing system software;
o relocating other individuals' files from critically overloaded locations;
o performing repairs required to return a system to normal function, such as fixing files or file processes, or killing runaway processes;
o running security or data checking programs.

4. Privileged access may be used to grant, change, or deny resources, access, or privilege to another individual only for authorized account management activities or under exceptional circumstances. Such actions must follow any existing organizational guidelines and procedures. Examples may include:

o Disabling an account apparently responsible for serious activities such as: attacking the network, using a host to send harassing or threatening email, using software to mount attacks on other hosts, or engaging in activities designed to disrupt the functioning of the host itself;
o Disconnecting a host or subnet from the network when a security compromise is suspected;
o Accessing files for law enforcement authorities with a valid subpoena.

In the absence of compelling circumstances, the investigation of information in, or suspension of, an account suspected to be compromised may be delayed until normal business hours to allow appropriate authorization and/or notification procedures. With the exception of emergencies, suspension of a network account or access to data requires approval of the account holder’s supervisor.

5. In all cases, access to electronic information that belongs to other employees shall be limited to the least perusal of contents and the least action necessary to resolve a situation.

6. Individuals with privileged access shall take necessary precautions to protect the confidentiality of information encountered in the performance of their duties.

7. If, during the performance of their duties, individuals with privileged access inadvertently see information possibly indicating inappropriate use, they are advised to consult with their supervisor. If the situation is an emergency, intervening action may be appropriate.

8. If, in the course of performing their duties, an employee discovers a student or employee violating the terms of the Acceptable Use Policy, ITS or other Company policies, the GM, the Administrative Division Manager and the Human Resource Officer shall be informed of the alleged violation immediately.

Authorization

Under most circumstances, the consent of the account owner should be obtained, if possible, before accessing their files, interfering with their processes, or performing routine maintenance. However, if good faith efforts to obtain consent are not successful, or would unduly interfere with performance of assigned duties, permission can be obtained from the individual’s direct supervisor, or the GM, before taking such actions without consent.

Notification

If inspection of data or files is imminent, the affected individual’s Manager, or other authority shall, at the earliest possible opportunity, attempt to notify the affected individual of the action(s) that will be taken and the reasons for the action(s) taken. This notification must occur before action is taken.

Attempts to notify the affected individual are not required if the individual is suspected of Company and/or division policy violations.

AGREEMENT

• I have read this Privileged Access Agreement and the ITS Policies.

• I agree to comply with the provisions of this Privileged Access Agreement and the ITS Policies of Orani Water District.

APPENDIX “A”

Making Changes to OraniWD Software

Any modification on or redistribution of OraniWDS Software shall not be made without the express written approval of the General Manager.

If the Company Management or designee approves a user’s request to make modifications to the OraniWDS software, the changes may proceed through requirements design, programming, testing, and documentation according to the request.

The developer shall prepare the software project plan and delivery schedule and shall be required to meet that schedule. Management must approve a plan for all software change activities to be completed by a programmer and must agree that the resources needed to complete all required tasks in the software development life cycle have been identified before software change activities may begin. If the software developer finds it necessary to propose a revised delivery schedule, it must be approved by management before the schedule is adopted. If the developer falls behind schedule due to changes in management priorities, policies, procedures or standards, the developer shall seek a management review to adjust the schedule accordingly and have the project completed; otherwise, it must be completed based on the approved schedule. Suspension or termination of initially approved work may only be done upon the approval of the GM’s office.

The Company software developer/personnel shall provide support and be responsible for correcting any errors in the delivered code.

Application Testing Guidelines:

The purpose of this guideline is to provide a common methodology sufficient to assure completion of successful systems development. The testing is conducted in three areas:

Internal Testing:

• Verify screen navigation functionality.
• Assure appropriate performance of the developed application or system.
• Ensure implementation of system security up to the appropriate level.
• Ensure that system functionality matches system requirements and that the system runs successfully.
• Ensure system documentation is completed using standard documentation templates.
• Provide testing scripts to end users.
• Staff are also responsible for completing integration testing if the system requires integration with other systems.

User Acceptance Testing:

The purpose of such testing is to ensure that the developed system or application matches end user requirements. All user acceptance testing will need to be conducted in the test environment and based on testing scripts provided by OraniWDS. End users may be allowed to add other testing scenarios to the test scripts if not included. User acceptance testing must handle the following:

• Match developed system to requirements document and testing script document.
• Verify system navigation functionality.
• Validate system controls such as error handling.
• Verify functionality related to other systems if integration is part of the system development process.
• Verify data input and output.
• Ensure that system security is at appropriate level and functioning according to requirements.


APPENDIX “B”

Rules of Behavior

1. Introduction

The following rules of behavior are to be followed by all users of the OraniWD System. Non-compliance with these rules shall be considered grave misconduct and shall be addressed by sanctions commensurate with the level of infraction. Actions taken will be determined by the management, as appropriate. Actions may range from a verbal or written warning, removal of system access privileges to the OraniWD System for a specific period of time, removal of system access indefinitely, or possible prosecution, depending on the severity of the violation.

2. Rules and Responsibilities
OraniWD users are those individuals who utilize OraniWD in an official capacity in submitting or processing OraniWD information. These users include personnel employed by the Company as software programmers and/or the IT personnel of the Company’s OraniWD System. Wherever “users” is stated in this Rules of Behavior document, it refers to all OraniWD System users. Wherever “system” is stated in this Rules of Behavior document, it refers to the OraniWD System.

3. Application Rules
Application rules specify rules and guidelines that must be followed by users in order to be granted access and retain authorization to use the system.

a. Rules and Guidelines for Authorized Use

i. Authorized use of OraniWD System by users is restricted by the following rules and guidelines:

1. Users are required to access only the module(s) or application(s) to which access has been authorized.

2. When access to the OraniWD System is no longer required, the users are required to immediately notify the OraniWD System administrator.

3. No anonymous login accounts are allowed on the OraniWD System.

4. All attempts and accesses to the OraniWD system must be logged. Monthly Reports of log-in history must be submitted to the GM’s office.

b. Responsibilities of Authorized Users

i. Users are responsible for taking protective measures with the information in the OraniWD System, including but not limited to the following:

1. User logon IDs and passwords for the system shall never be transferred to or shared with another for any reason.

2. Users must prevent, protect, and safeguard the information obtained from the system to prevent any unauthorized access.

3. Users are required to safeguard all printed materials or information in other formats obtained from the system that may be sensitive in nature.

4. Users are required to destroy or shred all printed materials or information in other formats obtained from the system that have sensitive information if these materials are no longer needed.

5. Users are responsible for virus-checking any potentially infected files before uploading the files to the OraniWD System.

6. Users are responsible for virus-checking any potentially infected files after downloading these files from the OraniWD System to their systems and before using the files.

7. If any sensitive information including Personally Identifiable Information (PII) is downloaded to any removable/portable devices, users are required to use compliant encryption.

c. Unattended Access

i. Rules and guidelines when a user leaves a login session unattended:

1. Users are required to use screen-saver mechanisms to prevent any unauthorized viewing of sensitive information displayed on the monitor screens when they are unattended.

2. Users are required to lock (screen-lock) their computers or workstation when they are unattended.

d. Prohibited Activity
i. Users are prohibited from conducting malicious activity on the system that can cause loss of data integrity, alter system performance or otherwise endanger its normal operations, including but not limited to the following:

1. Users shall not use the system to engage in any unlawful activities and shall not use an unattended authorized login session without permission from the authorized user.

2. Users shall not use their access to spread viruses or otherwise intend to harm other users’ computing resources.

3. Tampering with the system, database, source code, or reverse engineering of OraniWD System.

4. Users’ activities shall not contain any viruses, Trojan horses, worms, or other computer programming routines that may damage the system or data. Activities include, but are not limited to, sending or receiving electronic mail, and uploading or downloading files to or from the OraniWD System.

5. Interfering or disrupting the service of the OraniWD or MIS associated software and hardware in any way.

6. Impeding or interfering with others' use of the OraniWDS service. Altering or tampering with any information or materials associated with the applications on the system in a manner other than completion of assigned tasks.

7. Engaging in Denial of Service activities in any form.

8. Engaging in any activities to intercept or modify any data transmitted between the OraniWD System and end users.

e. Privacy and Confidentiality
i. The OraniWD System is for business use only and users must refrain from activities that endanger the privacy of other users or threaten the confidentiality of the information in the system including but not limited to the following:

1. Un-authorized personal use of information resources.

2. Copying of any data, source code, and any resources for personal use.

3. Utilizing, selling or sharing information from the system for compiling mailing lists.

4. Utilizing, selling or sharing information from the system to solicit additional information unrelated to the system process.

5. Downloading sensitive information containing Personally Identifiable Information (PII) to portable/removable devices or media including flash drives and laptop computers unless authorized. If required, FIPS compliant full disk encryption must be used to encrypt the data.

6. If sensitive information containing PII is stored on desktop PCs/workstations, full disk encryption of the hard drive is required.

f. Passwords
i. OraniWD password rules and guidelines:

1. Users must never share their password for any reason.

2. Passwords must not be written down and kept where they can be accessed by someone else.

3. Passwords should not be stored in keyboard macros, scripts, or files.

4. The minimum length of a password is nine non-blank characters and the maximum length is twelve non-blank characters.

5. The users must change their passwords at least every six (6) months.

6. If a password is forgotten, the user is provided a temporary password that must be changed before access is granted. The purpose is to force the users to create their own passwords by following the password guidelines.

7. Complex/strong passwords are required and enforced to access the servers. Password must consist of upper and lower case letters, numeric character(s), and special character(s).

8. At least one special character must be in the first seven characters of the password.

9. Numbers within the password cannot be in the first and last positions.

10. Passwords must not contain the user’s login ID.

11. Passwords must not contain words from the English dictionary.

12. Users shall not re-use the last 24 passwords.
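As an added example, not part of the OraniWD manual, the Python check below applies rules 4 and 7 through 12 above to a candidate password and reports which rules it breaks. The dictionary is a constructed stand-in for rule 11, case-insensitive matching of the login ID and ignoring dictionary words shorter than four letters are assumptions, and previous passwords are kept as salted PBKDF2 digests rather than in plaintext.

```python
"""Checker for the Appendix B, section 3.f password rules (added example, not OraniWD code)."""
import hashlib
import os
import string

MIN_LEN, MAX_LEN = 9, 12      # rule 4
HISTORY_DEPTH = 24            # rule 12
SPECIALS = set(string.punctuation)
ITERATIONS = 100_000          # PBKDF2 work factor for stored history entries

# Constructed stand-in for rule 11's "English dictionary"; a real deployment
# would load a full word list. Ignoring words shorter than four letters is an
# assumption; the policy states no minimum word length.
DICTIONARY = {"water", "orani", "summer", "password", "admin", "district", "secret"}
MIN_WORD_LEN = 4


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def hash_for_history(password):
    """Return (salt, digest) so previous passwords can be kept without plaintext."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)


def check_password(password, login_id, history=()):
    """Return the numbers of the section 3.f rules the candidate violates.

    An empty list means the password is compliant. `history` holds
    (salt, digest) tuples from hash_for_history, newest first; only the
    first HISTORY_DEPTH entries are compared (rule 12).
    """
    violations = []
    # Rule 4: 9 to 12 characters, none of them blank.
    if any(c.isspace() for c in password) or not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append(4)
    # Rule 7: upper case, lower case, numeric and special characters all present.
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    )
    if not all(classes):
        violations.append(7)
    # Rule 8: at least one special character within the first seven positions.
    if not any(c in SPECIALS for c in password[:7]):
        violations.append(8)
    # Rule 9: no digit in the first or last position.
    if password and (password[0].isdigit() or password[-1].isdigit()):
        violations.append(9)
    # Rule 10: must not contain the login ID (case-insensitive, an assumption).
    if login_id and login_id.lower() in password.lower():
        violations.append(10)
    # Rule 11: must not contain a dictionary word.
    lowered = password.lower()
    if any(w in lowered for w in DICTIONARY if len(w) >= MIN_WORD_LEN):
        violations.append(11)
    # Rule 12: must differ from the last 24 passwords.
    for salt, digest in list(history)[:HISTORY_DEPTH]:
        if _digest(password, salt) == digest:
            violations.append(12)
            break
    return violations


if __name__ == "__main__":
    # Constructed candidates for a user whose login ID is "jdoe".
    for candidate in ("Wx#7gRk!pQ", "Summer2024!", "7jdoe#Abc", "short1!"):
        print(candidate, "->", check_password(candidate, "jdoe") or "compliant")
```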

4. Consequences
a. Users are subject to consequences for failure to comply with the Rules of Behavior for the OraniWD System defined in this document. These consequences include, but are not limited to:

i. Users will be held accountable for any unauthorized access or misuse of the resources obtained from the OraniWD System.

ii. OraniWD System users have no explicit or implicit expectation of privacy. Any or all uses of the system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site and law enforcement personnel, as well as to authorized officials. By using the system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure. All actions are subject to privacy and confidentiality issues in accordance with the Law.

iii. Unauthorized or improper use of the OraniWD System may result in administrative disciplinary action of grave misconduct, civil or criminal penalties. The OraniWD System user verifies they are aware of and consents to the rules indicated in this document.

iv. Users are required to acknowledge receipt of, understand the responsibilities, and shall comply with the rules of behavior provided in this document.

I acknowledge receipt of, understand my responsibilities, and will comply with the Rules of Behavior for the OraniWD System.

Conforme:

Appendix “C”

Defined Terms

1. Access Control: The prevention of Unauthorized Use of a resource, including the prevention of use of a resource in an unauthorized manner.

2. Access Control List: A means of determining the appropriate access rights to a given object given certain aspects of the user process that is requesting them, primarily the process user identity.

3. Algorithm: A finite set of well-defined instructions for accomplishing some task.

4. Anti-Virus Software: Computer Programs that attempt to identify, prevent and eliminate computer Viruses and other Malicious Software.

5. Asymmetric Cryptosystem: A method of Encryption in which two different Pass-phrases are used: one for encrypting and one for decrypting the data.

6. Authorized Use: The use of the Company Information Technology Network by any person who is authorized to do so by the Company within the limit of that person’s authorization, and as described in and permitted by the Company Information Technology Policies and Procedures.

7. Authorized User(s): Person(s) authorized by the Company to use the Company Information Technology Network including but not limited to officers, staff, employees, and guests, within the limit of such person’s authorization.

8. Backup: The process of periodically copying all of the files on a computer's disks onto a magnetic tape or other removable medium.

9. Blowfish: A method for encrypting information included in a large number of Encryption products, developed as a general-purpose Algorithm unencumbered by patents; non-proprietary, and open to the public.

10. Cable Modem: A type of Modem that allows people to access the Internet via their cable television service.

11. Certificate: A set of Security-relevant data issued by a trusted third-party organization, together with Security information which is used to provide the integrity and data origin authentication Services for the data (Security Certificate).

12. Chain Email: A term used to describe Emails that encourage you to forward them on to someone else.

13. Challenge Handshake Authentication Protocol (CHAP): An authentication Protocol used to log-in a user to an Internet access provider.

14. Change Management: The process of developing a planned approach to changes in an organization.

15. Cipher: A private alphabet, system of characters, or other mode of writing, contrived for the safe transmission of secrets.

16. Console Access: Communicating with an information technology resource through a locally-connected device, such as a keyboard / pointer device / monitor combination.

17. Cracking: The act of breaking into an information technology resource; what a cracker does.

18. Database: Any set of information may be called a Database. In this context, the term refers to computerized data, represented as an information set with a regular structure.

19. Data-Link Connection Identifier (DLCI): A unique number assigned to an end point in a Frame Relay Network.

20. Decryption: The reverse of Encryption by which the encrypted text is transformed to a readable text.

21. De-militarized Zone (DMZ): Any un-trusted Network connected to, but separated from, the Company's Information Technology Network by a Firewall, used for external (Internet/partner, etc.) access from within the Company, or to provide information to external parties.

22. Denial of Service (DoS): An attack on a computer system or Network that causes a loss of Service to users, typically the loss of Network connectivity and Services by overloading the computational resources of the victim system.

23. Data Encryption Standard (DES): A method for encrypting information selected as an official Federal Information Processing Standard for the United States, and which has enjoyed widespread use internationally, but is now considered to be insecure for many applications.

24. Database Administrator: A database administrator (short form DBA) is a person responsible for the installation, configuration, upgrade, administration, monitoring and maintenance of databases in an organization.

25. Digital Subscriber Line (DSL): A family of digital telecommunications Protocols designed to allow high speed data communication over the existing copper telephone lines between end-users and telephone companies.

26. Domain Name System (DNS): A system that stores information about computer and Network names in a kind of distributed Database on Networks, such as the Internet.

27. Dual Homing (Split-tunneling): Having concurrent connectivity to more than one Network from a computer or Network device.

28. Email: The electronic transmission of information through a mail Protocol such as SMTP.

29. Email Bomb: Causing a user’s Email account to reach maximum storage capacity through excessive sending of Email messages for the sole purpose of being malicious.

30. Encryption: The process of making data unreadable to unauthorized entities by applying a cryptographic Algorithm (an Encryption Algorithm).

31. Extranet: An interconnection between two or more organizations in order to create a private Network to share information.

32. File Transfer Protocol (FTP): A Software standard for transferring computer files between machines with widely different Operating Systems.

33. Firewall: A piece of Hardware or Software that operates in a Networked environment to block communications forbidden by the Network policy. Its basic task is to prevent intrusion from a connected Network device into other Networked devices.

34. Forwarded Email: Email explicitly redirected from one account to another.

35. Frame Relay: An efficient data transmission technique used to send digital information quickly and cheaply to one or many destinations from one point.

36. Functions: A subroutine, also termed a procedure, function, routine, method, or subprogram, is a part of the source code within a larger computer program that performs a specific task and is relatively independent of the remaining code.

37. Guest User: Any visitor to the Company who is not an officer, staff member, or Employee properly authorized to use the Company Information Technology Network.

38. Hardware: The physical, touchable, material parts of a computer or other system. The term is used to distinguish these fixed parts of a system from the more changeable Software or data components which it executes, stores, or carries.

39. HyperText Transfer Protocol (HTTP): The primary method used to communicate information on the World Wide Web.

40. Host: Any computing device attached to a computer Network.

41. Information Security: Information Security is the part of Information Technology Services that is responsible for coordinating and overseeing Company-wide compliance with Company policies and procedures regarding the confidentiality, integrity, and Security of its information assets.

42. Information Security Awareness Initiative: An educational initiative developed by Information Security that will train Authorized Users about the Company Information Technology Policies and Procedures and how to stay in compliance with them. This will include, but is not limited to, sending alerts and reminders, and writing guidelines.

43. Information Security Guidelines: Detailed instructions attached to these policies to help users comply with these policies.

44. Instant Messaging: An on-line communication Service in which conversations between users are conveyed in real time, with an "on-line status" that indicates whether contacts are actively using their computers.

45. Integrated Services Digital Network (ISDN): A set of communications standards allowing a single wire or optical fibre to carry voice, digital Network Services and video.

46. Intellectual Property: A form of legal entitlement which allows its holder to control the use of certain intangible ideas and expressions.

47. International Data Encryption Algorithm (IDEA): A method for encrypting information which is patented but is free for non-commercial use, and is considered to be the best and most secure method available.

48. Internet: The publicly available worldwide system of interconnected computer Networks.

49. Internet Message Access Protocol (IMAP): A Protocol used for accessing Email on a remote server from a local client.

50. Internet Protocol (IP) Address: A unique number used by machines (usually computers) to refer to each other when sending information through the Internet.

51. IP Security (IPSec): A standard for securing Internet communications by encrypting and authenticating all data.

52. IP Security (IPSec) Concentrator: A device where IPSec connections merge into a Network and are no longer encrypted.

53. Intranet: An Intranet is a Network used internally in an organization.

54. Layer 2 Tunneling Protocol (L2TP): A Protocol used to support virtual private Networks.

55. Log: A chronological record of system activities to enable the reconstruction and examination of the sequence of events and/or changes in an event (also known as an audit trail).

56. MAC Address: A code present in most forms of Networking equipment that allows a device to be uniquely identified.

57. Macros: A rule or pattern that specifies how a certain input sequence (often a sequence of characters) should be mapped to a replacement input sequence (also often a sequence of characters) according to a defined procedure.

58. Malicious Software (malware): Any Software developed for the purpose of doing harm to a computer system.

59. Mass Emailing/Mail Broadcast: An Email that is sent to a group of individuals.

60. MIS: Management Information System

61. Modem: An electronic device for converting data from a computer to an audio signal suitable for transmission over a telephone line connected to another Modem.

62. Network: A system for communication among two or more computers.

63. Network Auto-Discovery: A process for automatically learning what information technology resources are available on a Network.

64. Network Closet: A physically-secured room where production network devices reside.

65. Network Drive: A computer storage medium accessible over a Network connection.

66. Network Sniffing: The act of watching Internet Protocol packets as they traverse a local Network.

67. Operating System (OS): The system Software responsible for the direct control and management of Hardware and basic system operations, as well as running application Software.

68. Packet Spoofing: To capture, alter, and re-transmit a communication stream in a way that misleads the recipient.

69. Pass-phrase: A collection of 'words' used for access control, typically used to gain access to a computer system.

70. Patch: An update to an existing piece of Software that corrects errors or adds new features (also known as a hot-fix).

71. Phishing: The act of sending Email for the purpose of inducing the recipient to surrender private information that will be used for identity theft.

72. Ping: Slang term for a small Network message sent by a computer to check for the presence and alertness of another computer.

73. Post Office Protocol version 3 (POP3): A Protocol used to retrieve Email from a remote server to a local client.

74. Pretty Good Privacy (PGP): A computer Program which provides cryptographic privacy and authentication.

75. Principle of Least Access: A user must have access to the resources necessary to accomplish a given task, but not to resources unnecessary for completing the task, thus minimizing potential Security risks.

76. Program: See Software.

77. Program Developer: See Software Developer.

78. Proprietary Encryption: An Encryption Algorithm that has not been made public and/or has not withstood public scrutiny.

79. Proprietary Information: Information in the Company Network owned by the Company; a form of Intellectual Property.

80. Protocol: A convention or standard that controls or enables the connection, communication, and data transfer between two computing endpoints.

81. Public Switched Telephone Network (PSTN): The concatenation of the world's public telephone Networks.

82. Public-key Cryptography: A form of modern cryptography which allows users to communicate securely without previously agreeing on a shared secret key.

83. Remote Access: Communicating with an information technology resource from a different location.

84. Restoration: Action taken to repair and return to Service one or more information technology resources that have a degraded quality of Service or have a Service outage.

85. Risk Analysis: A process to ensure that the Company Network is fully protected against the risks it faces.

86. Risk Assessment: The process of assessing Security-related risks from internal and external threats to an entity, its assets, or personnel.

87. Rivest Cipher 5 (RC5): A method of Encryption notable for its simplicity.

88. Router: A device that forwards data across Networks toward their destination Network.

89. Routing: Routing provides the means of discovering paths along which information can be sent.

90. RSA: A public-key method for both Encryption and authentication, the entire Security of which depends on the difficulty of factoring.

91. Scanning: Checking for Services presented in Networks, usually as part of a Cracking attempt or computer Security scan.

92. Secure Channel: A communication that uses strong Encryption.

93. Secure Shell (SSH): Both a computer Program and an associated Network Protocol designed for logging into and executing commands on a remote computer. It provides secure, encrypted communications between two untrusted Hosts over an unsecured Network.

94. Secure Sockets Layer (SSL): A cryptographic Protocol to provide secure communications on the Internet.

95. Security: The term “Security” is used in the sense of minimizing the Vulnerabilities of assets and resources.

96. Security Audit: This function provides monitoring and collection of information about security-related actions, and subsequent analysis of the information to review security policies, controls and procedures.

97. Security Guideline: A guideline is a collection of system-specific “suggestions or procedures” for best practice.

98. Security Policy: A policy is a document that outlines specific requirements or rules that must be met.

99. Security Standard: A standard is a collection of system-specific or procedural-specific requirements that is required from every user.

100. Sensitive Information: Information is considered sensitive if its disclosure could be damaging to the Company or its reputation.

101. Service: Work performed (or offered) by a server.

102. Service Set Identifier (SSID): A code attached to all data on a Wireless Network to identify the data as part of that Network.

103. Simple Mail Transfer Protocol (SMTP): The de-facto standard for Email transmission across the Internet.

104. Simple Network Management Protocol (SNMP): A Protocol that supports monitoring of Network-attached devices for any conditions that warrant administrative attention.

105. Software: A loadable set of instructions which determines how the computer will operate autonomously or in reaction to user input, when running.

106. Software Developer: A person concerned with facets of the software development process. Their work includes researching, designing, developing, and testing software. A software developer may take part in design, computer programming, or software project management. They may contribute to the overview of the project on the application level rather than component-level or individual programming tasks. Software developers are often still guided by lead programmers but the description also encompasses freelance software developers.

107. Source Code: In computer science, source code is any collection of computer instructions (possibly with comments) written in some human-readable computer language, usually as text. The source code of a program is designed to facilitate the work of computer programmers, who specify the actions to be performed by a computer mostly by writing source code. The source code is translated at some point to machine code that the computer can directly read and execute. An interpreter translates to machine code and executes it on the fly when the program is run, while a compiler translates the program in advance to machine code and stores it as executable files that can then be executed as a separate step.

108. SPAM: Unauthorized or unsolicited electronic mailings.

109. Stored Procedures: A sub-routine available to applications that access a relational database system. It is stored in the database data dictionary and is sometimes called a proc, sproc, StoPro, StoredProc, sp or SP.

110. Structured Query Language (SQL): A special-purpose programming language designed for managing data in relational database management systems (RDBMS).

111. Surge Protector: An appliance designed to protect electrical devices from power surges.

112. Symmetric Cryptosystem: A method of Encryption in which the same key is used for both Encryption and Decryption of the data.

113. System Administrator: A system administrator, IT systems administrator, systems administrator, or sysadmin is a person employed to maintain and operate a computer system and/or network. System administrators may be members of an information technology (IT) or Electronics and Communication Engineering department.

114. Telecommunication Circuit: The complete path between two resources over which one-way or two-way communications may be provided.

115. Terminal Access Controller Access Control System (TACACS+): A remote authentication Protocol that is used to communicate with an authentication server.

116. Threat: A potential violation of Security.

117. Token: An abstract concept passed between cooperating agents to ensure synchronized access to a shared resource.

118. Total General Ledger System (TGLS): Accounting Software.

119. Total Utility Billing System (TUBS): Water Billing and Collections System.

120. Total Works Management System (TWMS): Stock Pricing and Inventory System.

121. Total Attendance and Payroll System (TAAPS): HR Management System (Payroll, Time In/Time Out or Attendance).

122. Meter Reading and Billing System (MRBS): Software installed on Personal Digital Assistant (PDA) mobile devices for meter reading.

123. Traffic Flooding: To send an excessive amount of traffic to an information technology resource, causing a Denial of Service.

124. Triggers: A trigger (in a Database) is procedural code that is automatically executed in response to certain events on a particular table or view in a database. Triggers are mostly used for maintaining the integrity of the information in the database. For example, when a new record (representing a new worker) is added to the employees table, new records should also be created in the taxes, vacations and salaries tables.

125. Trojan Horse: Malicious Software that is disguised as legitimate Software.

126. Trust Relationship: A relationship between two Networks that enables a user in one Network to access resources in the other.

127. Unauthorized Disclosure: The intentional or unintentional revealing of restricted information to people, both inside and outside the Company, who are not authorized to know that information.

128. Unauthorized Use: Use of the Company Network by Unauthorized Users in violation of the law or in violation of the Company Information Security Policies and Procedures.

129. Unauthorized Users: Users of the Company Network who are not Authorized Users, or who use the Company Information Technology Network in violation of the law or in violation of the Company Information Technology Policies and Procedures.

130. Uninterrupted Power Supplies (UPS): A device or system that maintains a continuous supply of electric power.

131. Company Address Management System: A System that stores IP addresses routed within the Company Technology Network.

132. Company Change Management System: A System that manages the approval process for any modifications to the Company Information Technology Network, and stores documentation for each modification.

133. Company Password Management System: A System that stores and manages passwords on the Company Information Technology Network for all system levels and user-level accounts.

134. Company Security Management System: A System that stores information about the Company Information Technology Network, including but not limited to contact information, Hardware, and Software.

135. Company Information Technology Policies and Procedures: Policies and Procedures of the Company that govern the use of the Company Information Technology Network, as from time to time amended, all as approved by the Board of Directors.

136. Company Information Technology Network: The Internet/Intranet/Extranet related systems, including but not limited to computer/Networking equipment, Software, Operating Systems, storage media, and Network accounts providing electronic mail, Instant Messaging, the employee information system, WWW browsing, and FTP, all of which are the property of the Company.

137. Company Computer Labs: A collection of publicly accessible Company computers that are connected to the Company Information Technology Network, from which Authorized Users can access the Company Information Technology Network.

138. Company Data: Data belonging to the Company that are entered into the Company Information Technology Network by the Company and other Authorized Users.

139. Company Employees: Persons employed by the Company including faculty members, staff, and employee workers.

140. Company Operational Group: Group responsible for system administration on all internal servers deployed at the Company.

141. Un-Trusted Network: Any Network separated by a Firewall from the corporate Network to avoid impairment of production resources from irregular Network traffic, unauthorized access, or anything else identified as a potential Threat to those resources.

142. User Authentication: A method by which the user of a system can be verified as a legitimate user independent of the system being used.

143. Virtual Private Network (VPN): A method for accessing a remote Network via an encrypted "tunnel" through the Internet.

144. Virus: A self-replicating Program that spreads by inserting copies of itself into other Programs or documents.

145. Vulnerability: Any weakness that could be exploited to violate a system or the information it contains.

146. Wireless Networks: Telephone or computer Networks that use radio as their carrier or physical layer.

147. World Wide Web (WWW): A distributed system that operates over the Internet, primarily used for displaying documents which contain automated cross-references to other documents.

148. Worm: A self-replicating Program that is self-contained and does not need to be part of another Program to propagate itself.