Internal IT Security Policy and Procedures
Sample Policy Document
Please note: non-compliance may lead to disciplinary action being taken.
"Company Name" IT SECURITY POLICY
1 NETWORK ACCESS
1.1 User Identification and Passwords
- Each user is allocated an individual user name and password. Logon passwords must not be written down or disclosed to another individual. The owner of a particular user name will be held responsible for all actions performed using this user name.
- Requests for new computer accounts and for termination of existing computer accounts must be formally authorised by the relevant manager and submitted to the IT Help Desk/relevant IT resource. Requests for additional access to specific business applications, e.g. Financial Accounts, must be authorised in writing by the relevant application owner and submitted to the IT Dept/resource.
- Staff must notify the IT Help Desk/relevant IT resource when moving to a new position or location within "Company Name". This ensures that the necessary setups to provide fast access to the most appropriate mail and file servers can be put in place. Staff are not permitted to take IT equipment such as PCs or notebook computers when moving to another position within "Company Name".
- Line management must notify IT of staff changes that might affect security. An example of this would be an individual who has access to restricted confidential client information and moves to another role where this access is not required.
- All user accounts have the following password settings:
  - Minimum password length of 8 characters;
  - A combination of alpha, numeric and punctuation should be used;
  - Users are forced to change their passwords every (insert number) days;
  - Users cannot repeat passwords;
  - Accounts are locked after (insert number) incorrect login attempts.
- Passwords must not be easily guessed: names, months of the year, days of the week, usernames, etc. must not be used as passwords.