NDC INFORMATION SECURITY POLICY ACCEPTANCE
Access the services only if you are authorized. All activities are recorded; remember to adhere to NDC's Information Security Policy. Protect your password to protect your e-mails and other personal resources.
Your web transactions will be automatically monitored and processed to detect dangerous content and to enforce NDC Information Security Policies.
By accepting the policy below, you acknowledge this monitoring and accept that data about your visit may be recorded.
You will be periodically asked to acknowledge the presence of the monitoring system. You are responsible for following corporate information security policies.
National Drilling Company High-Level Information Security Policy
1.1. Role of Information and Information Systems: NDC is critically dependent on information and information systems. If important information were disclosed to inappropriate persons, the company could suffer serious losses. The good reputation that NDC enjoys is also directly linked with the way that it manages both information and information systems. For example, if private customer information were to be publicly disclosed, the organization’s reputation would be harmed. For these and other important business reasons, executive management, working in conjunction with the board of directors, has initiated and continues to support an information security effort. One part of that effort is the definition of these information security policies.
1.2. Team Effort: To be effective, information security must be a team effort involving the participation and support of every NDC employee who deals with information and information systems. In recognition of the need for teamwork, this policy statement clarifies the responsibilities of users and the steps they must take to help protect NDC information and information systems. This document describes ways to prevent and respond to a variety of threats to information and information systems including unauthorized access, disclosure, duplication, modification, appropriation, destruction, loss, misuse, and denial of use.
1.3. Involved Persons: Every employee at NDC must comply with the information security policies found in this and related information security documents. Employees who deliberately violate this and other information security policy statements will be subject to disciplinary action up to and including termination.
1.4. Involved Systems: This policy applies to all computer and network systems owned by or administered by NDC. This policy applies to all operating systems, computer sizes, and application systems. The policy covers only information handled by computers and networks. Although this document includes mention of other manifestations of information such as voice and paper, it does not directly address the security of information in these forms. For information about the protection of information in paper form, see the Data Classification Policy.
1.5. Primary Divisions Working On Information Security: Guidance, direction, and authority for information security activities are centralized for all NDC organizational units in the Information Systems & Technology Division. IS&T is responsible for establishing and maintaining organization-wide information security policies, standards, guidelines, and procedures in coordination with the concerned business division. Compliance checking to ensure that organizational units are operating in a manner consistent with these requirements is the responsibility of the Senior Auditors within the Internal Audit Division. Investigations of system intrusions and other information security incidents are the responsibility of the IS&T Infrastructure section. Disciplinary matters resulting from violations of information security requirements are handled by division managers working in conjunction with the Human Resources division.
1.6. Three Categories Of Responsibilities: To coordinate a team effort, NDC has established three categories, at least one of which applies to each employee. These categories are Owner, Custodian, and User. These categories define general responsibilities with respect to information security. More detailed information about these responsibilities can be found in the information ownership policy.
1.6.1. Owner Responsibilities: Information Owners are the division managers, members of the top management team, or their delegates within NDC who bear responsibility for the acquisition, development, and maintenance of production applications that process NDC information. Production applications are computer programs that regularly provide reports in support of decision making and other business activities. All production application system information must have a designated Owner. For each type of information, Owners designate the relevant sensitivity classification, designate the appropriate level of criticality, define which users will be granted access, and approve requests for various ways in which the information will be utilized.
1.6.2. Custodian Responsibilities: Custodians are in physical or logical possession of either NDC information or information that has been entrusted to NDC. While IS&T division staff members clearly are Custodians, local system administrators are also Custodians. Whenever information is maintained only on a personal computer, the User is also a Custodian. Each type of production application system information must have one or more designated Custodians. Custodians are responsible for safeguarding the information, including implementing access control systems to prevent inappropriate disclosure, and making backups so that critical information will not be lost. Custodians are also required to implement, operate, and maintain the security measures defined by information Owners.
1.6.3. User Responsibilities: Users are responsible for familiarizing themselves with and complying with all NDC policies, procedures, and standards dealing with information security. Questions about the appropriate handling of a specific type of information should be directed to either the Custodian or the Owner of the involved information.
1.7. Consistent Information Handling: NDC information, and information that has been entrusted to NDC, must be protected in a manner commensurate with its sensitivity and criticality. Security measures must be employed regardless of the media on which information is stored, the systems that process it, or the methods by which it is moved. Information must be protected in a manner that is consistent with its classification, no matter what its stage in the life cycle from origination to destruction.
1.8. Information Classification Designations: NDC has adopted an information classification system that categorizes information into three groupings. All information under NDC control, whether generated internally or externally, falls into one of these categories: Confidential, Internal Use Only, or Public. All Employees must familiarize themselves with the definitions for these categories and the steps that must be taken to protect the information falling into each of these categories. Details can be found in the Information Classification Policy.
1.9. Information Classification Labeling: If information is confidential, from the time it is created until the time it is destroyed or declassified, it must be labeled with an appropriate information classification designation. Such markings must appear on all manifestations of the information. The vast majority of NDC information falls into the Internal Use Only category. For this reason, it is not necessary to apply a label to Internal Use Only information. Information without a label is therefore by default classified as Internal Use Only. Further instructions about labeling confidential information can be found in the Information Classification Policy.
1.10. Need to Know: Access to information in the possession of, or under the control of NDC must be provided based on the need to know. Information must be disclosed only to people who have a legitimate business need for the information. At the same time, Employees must not withhold access to information when the Owner of the information instructs that it be shared. To implement the need-to-know concept, NDC has adopted an access request and Owner approval process. Employees must not attempt to access confidential information unless the relevant Owner has granted them access rights. When an employee changes job duties, including termination, transfer, promotion and leave of absence, his or her supervisor must immediately notify the IS&T division. The privileges granted to all Employees must be periodically reviewed by information Owners and Custodians to ensure that only those with a current need to know presently have access.
1.11. User IDs And Passwords: To implement the need-to-know process, NDC requires that each employee accessing multi-user information systems have a unique user ID and a private password. These user IDs must be employed to restrict system privileges based on job duties, project responsibilities, and other business activities. Each employee is personally responsible for the usage of his or her user ID and password.
1.11.1. Anonymous User IDs: With the exception of electronic bulletin boards, Internet sites, intranet sites, and other systems where all regular users are intended to be anonymous, users are prohibited from logging into any NDC system or network anonymously. Anonymous access might, for example, involve use of “guest” user IDs. When users employ system commands that permit them to change active user IDs to gain certain privileges, they must have initially logged on employing user IDs that clearly indicated their identities.
1.11.2. Difficult-to-Guess Passwords: Users must choose passwords that are difficult to guess. This means that passwords must not be related to one’s job or personal life. For example, a car license plate number, a spouse’s name, or fragments of an address must not be used. This also means passwords must not be a word found in the dictionary or some other part of speech. For example, proper names, places, technical terms, and slang must not be used.
1.11.3. Easily Remembered Passwords: Users can choose easily-remembered passwords that are at the same time difficult for unauthorized parties to guess if they:
• string several words together
• shift a word up, down, left, or right one row on the keyboard
• bump characters in a word a certain number of letters up or down the alphabet
• transform a regular word according to a specific method, such as making every other letter a number reflecting its position in the word
• combine punctuation or numbers with a regular word
• create acronyms from words in a song, poem, or another known sequence of words
• deliberately misspell a word
• combine several preferences like hours of sleep desired and favorite colors.
1.11.4. Repeated Password Patterns: Users must not construct passwords with a basic sequence of characters that is then partially changed based on the date or some other predictable factor. Users must not construct passwords that are identical or substantially similar to passwords they have previously employed.
1.11.5. Password Constraints: Passwords must be at least 6 characters long. Passwords must be changed every 45 days or at more frequent intervals. Whenever an employee suspects that a password has become known to another person, that password must immediately be changed.
1.11.6. Password Storage: Passwords must not be stored in readable form in batch files, automatic logon scripts, software macros, terminal function keys, in computers without access control systems, or in other locations where unauthorized persons might discover them. Passwords must not be written down in some readily-decipherable form and left in a place where unauthorized persons might discover them.
1.11.7. Sharing Passwords: If employees need to share computer-resident data, they must use electronic mail, public directories on local area network servers, manual floppy disk exchange, and other mechanisms. Although user IDs are shared for electronic mail and other purposes, passwords must never be shared with or revealed to others. System administrators and other technical information systems staff must never ask an employee to reveal their personal password. The only time when a password should be known by another is when it is issued. These temporary passwords must be changed the first time that the authorized user accesses the system. If a user believes that his or her user ID and password are being used by someone else, the user must immediately notify the system administrator in coordination with the IS&T Help Desk.
1.12. Compliance Statement: All employees who wish to use NDC multi-user computer systems must sign a compliance statement prior to being issued a user ID. Where users already have user IDs, such signatures must be obtained prior to receiving annually-renewed user IDs. A signature on this compliance statement indicates the involved user understands and agrees to adhere to NDC policies and procedures related to computers and networks, including the instructions contained in this policy.
1.13. Release of information to third parties: Unless it has specifically been designated as public, all NDC internal information must be protected from disclosure to third parties. Third parties may be given access to NDC internal information only when a demonstrable need to know exists, when a NDC non-disclosure agreement has been signed, and when such a disclosure has been expressly authorized by the relevant NDC information Owner. If confidential information is lost, is disclosed to unauthorized parties, or is suspected of being lost or disclosed to unauthorized parties, the information Owner and the IS&T division must be notified immediately.
1.14. Third-Party Requests For NDC Information: Unless an employee has been authorized by the information Owner to make public disclosures, all requests for information about NDC and its business must be referred to the Public Relations division. Such requests include questionnaires, surveys, and newspaper interviews. If an employee is to receive confidential information from third parties on behalf of NDC, this receipt must be preceded by the third-party signature on a NDC release form. Additional relevant information can be found in the External Communications Security Policy.
1.15. Physical Security to Control Information Access: Access to every office, computer, and other NDC work area containing confidential information must be physically restricted to those people with a need to know. When not in use, confidential information must always be protected from unauthorized disclosure. When left in an unattended room, confidential information in paper form must be locked away in appropriate containers. If a Custodian of such information believes he or she will be away for less than 30 minutes, information in paper form may be left on a desk or in some other readily observed spot only if all doors and windows to the unattended room are closed and locked. During non-working hours, Employees in areas containing confidential information must lock up all information. Unless information is in active use by authorized people, desks must be clear and clean during non-working hours to prevent unauthorized access to information. Employees must position their computer screens such that unauthorized people cannot look over their shoulder and see the confidential information displayed.
1.16. Internal Network Connections: All NDC computers that store confidential information, and that are permanently or intermittently connected to internal computer networks must have a password-based access control system approved by the IS&T division. Regardless of the network connections, all stand-alone computers handling confidential information must also employ an approved password-based access control system. Users working with all other types of computers must employ the screen saver passwords that are provided with operating systems, so that after a period of no activity the screen will go blank until the correct password is again entered. Multi-user systems throughout NDC must employ automatic log off systems that automatically terminate a user’s session after a defined period of inactivity.
1.17. External Network Connections: When using NDC computers, NDC Employees must not establish connections with external networks including Internet service providers unless these connections have been approved by the IS&T division. For further information on this process, see the External Communications Security Policy.
1.18. Network Changes: With the exception of emergency situations, all changes to NDC computer networks must be documented in a computer service request (CSR), and approved in advance by the IS&T division. All emergency changes to NDC networks must be made only by persons who are authorized by the IS&T division. This process prevents unexpected changes from inadvertently leading to denial of service, unauthorized disclosure of information, and other problems. This process applies not only to employees but also to vendor personnel.
1.19. Internet Access: Employees are provided with Internet access to perform their job duties, but this access may be terminated at any time at the discretion of an employee’s supervisor. Internet access is monitored to ensure that employees are not visiting sites unrelated to their jobs, and also to ensure that they continue to be in compliance with security policies. Employees must take special care to ensure that they do not represent NDC on Internet discussion groups and in other public forums, unless they have previously received top management authorization to act in this capacity. All information received from the Internet should be considered to be suspect until confirmed by reliable sources. Employees must not place NDC material on any publicly-accessible computer system such as the Internet unless the posting has been approved by both the information Owner and the IS&T division manager. Users are prohibited from establishing any electronic commerce arrangements over the Internet unless the IS&T division has evaluated and approved such arrangements. Confidential information, including passwords and credit card numbers, must not be sent across the Internet unless this information is in encrypted form. These and related considerations are discussed in greater detail in the Internet Security Policy.
1.20. Electronic Mail: Every NDC employee who uses computers in the course of their regular job duties will be granted an Internet electronic mail address and related privileges. All NDC business communications sent by electronic mail must be sent and received using this company electronic mail address. A personal Internet service provider electronic mail account or any other electronic mail address must not be used for NDC business unless an employee obtains management approval. When transmitting messages to groups of people outside NDC, Employees must always use either the blind carbon copy facility or the distribution list facility. Unsolicited electronic mail transmissions to prospects and customers are prohibited. Emotional outbursts sent through electronic mail and overloading the electronic mail account of someone through a deluge of messages are forbidden. All business electronic mail communications must be proofread before they are sent, and professional and businesslike in both tone and appearance. Electronic mail is a public communication method much like a postcard. All NDC Employees must refrain from sending credit card numbers, passwords, or other confidential information that might be intercepted. All NDC staff must additionally employ a standard electronic mail signature that includes their full name, job title, business address, and business telephone number. Users should not store important messages in their electronic mail inbox. Additional details can be found in the Electronic Mail Security Policy.
1.21. Computer Virus Screening: All personal computer users must keep the current versions of approved virus screening software enabled on their computers. Users must not abort automatic software processes that update virus signatures. Virus screening software must be used to scan all software and data files coming from either third parties or other NDC locations. This scanning must take place before new data files are opened and before new software is executed. Employees must not bypass or turn off the scanning processes that could prevent the transmission of computer viruses.
1.21.1. Computer Virus Eradication: If Employees suspect infection by a computer virus, they must immediately stop using the involved computer and call the IS&T help desk ext. 3331. Floppy disks and other magnetic storage media used with the infected computer must not be used with any other computer until the virus has been successfully eradicated. The infected computer must also be immediately isolated from internal networks. Users must not attempt to eradicate viruses themselves. Qualified IS&T staff must complete this task in a manner that minimizes both data destruction and system downtime.
1.22. Clean Backups: All personal computer software must be copied prior to its initial usage, and such copies must be stored in a secure location such as a locked file cabinet. These master copies must not be used for ordinary business activities, but must be reserved for recovery from computer virus infections, hard disk crashes, and other computer problems.
1.23. Software Sources: NDC computers and networks must not run software that comes from sources other than the IS&T division. Software downloaded from electronic bulletin boards, shareware, public domain software, and other software from untrusted sources must not be used unless it has been subjected to a rigorous testing regimen approved by the IS&T division.
1.24. Written Specifications for Owners: All software developed by in-house staff, intended to process critical or confidential NDC information, must have a formal written specification. This specification must include discussion of security risks and controls including access control systems and contingency plans. The specification must be part of an agreement between the information Owner and the system developer. Macros in spreadsheets and word processing documents are not considered software in this paragraph.
1.24.1. Security Sign-Off Required: Before being used for production processing, new or substantially changed application systems must have received written approval from the IS&T Head of Application Systems for the controls to be employed. This requirement applies to personal computers just as it does to larger systems.
1.24.2. Formal Change Control: All computer and communications systems used for production processing must employ a documented change control process that is used to ensure that only authorized changes are made. This change control procedure must be used for all significant changes to production system software, hardware, communications links, and procedures. This policy applies to personal computers running production systems and larger multi-user systems.
1.24.3. Systems Development Conventions: All production software development and software maintenance activities performed by in-house staff must adhere to IS&T division policies, standards, procedures, and other systems development conventions. These conventions include the proper testing, training, and documentation. For further information on this topic, see the Software Development And Change Control Policy.
1.24.4. Adequate Licenses: NDC management must make appropriate arrangements with software vendors for additional licensed copies, if and when additional copies are needed for business activities. All software must be purchased through the IS&T division.
1.24.5. Unauthorized Copying: Users must not copy software provided by NDC to any storage media, transfer such software to another computer, or disclose such software to outside parties without advance permission from their supervisor. Ordinary backup copies are an authorized exception to this policy.
1.25. Backup Responsibility: Personal computer users must regularly back up the information on their personal computers, or ensure that someone else is doing this for them. For multi-user computer and communication systems, a system administrator is responsible for making periodic backups. If requested, the IS&T division must install, or provide technical assistance for the installation of backup hardware and software. All backups containing critical or confidential information must be stored at an approved off-site location with either physical access controls or encryption. A contingency plan must be prepared for all applications that handle critical production information. It is the responsibility of the information Owner to ensure that this plan is adequately developed, regularly updated, and periodically tested.
1.26. Theft Protection: Computer and network equipment may not be removed from NDC offices unless the involved person has obtained a property pass from the IS&T Head of Support.
1.27. External Disclosure Of Security Information: Information about security measures for NDC computer and network systems is confidential and must not be released to people who are not authorized users of the involved systems unless approved by the IS&T Head of Infrastructure. For example, publishing modem phone numbers or other system access information in directories is prohibited. Public disclosure of electronic mail addresses is permissible.
1.28. Rights To Material Developed: While performing services for NDC, Employees must grant to NDC exclusive rights to patents, copyrights, inventions, or other intellectual property they originate or develop. All programs and documentation generated by, or provided by Employees for the benefit of NDC are the property of NDC. NDC asserts the legal ownership of the contents of all information systems under its control. NDC reserves the right to access and use this information at its discretion.
1.30. Personal Use: NDC information systems are intended to be used for business purposes only. Incidental personal use is permissible if the use does not consume more than a trivial amount of resources that could otherwise be used for business purposes, does not interfere with employee productivity, and does not preempt any business activity. Permissible incidental use of an electronic mail system would, for example, involve sending a message to schedule a luncheon. Personal use that does not fall into these three categories requires the advance permission of a division manager. All kinds of computer games are prohibited. Use of NDC information systems for chain letters, charitable solicitations, political campaign material, religious work, transmission of objectionable material, or any other non-business use is prohibited.
1.31. Unbecoming Conduct: NDC management reserves the right to revoke the system privileges of any user at any time. Conduct that interferes with the normal and proper operation of NDC information systems, that adversely affects the ability of others to use these information systems, or that is harmful or offensive to others is not permitted.
1.32. Security Compromise Tools: Unless specifically authorized by the IS&T division, NDC Employees must not acquire, possess, trade, or use hardware or software tools that could be employed to evaluate or compromise information systems security. Examples of such tools include those that defeat software copy protection, discover secret passwords, identify security vulnerabilities, or decrypt encrypted files. Without this type of approval, Employees are prohibited from using any hardware or software that monitors the traffic on a network or the activity on a computer.
1.33. Prohibited Activities: Users must not test, or attempt to compromise computer or communication system security measures unless specifically approved in advance and in writing. Incidents involving unapproved system hacking, password guessing, file decryption, bootleg software copying, or similar unauthorized attempts to compromise security measures may be unlawful, and will be considered serious violations of NDC internal policy. Short-cuts bypassing systems security measures, and pranks and practical jokes involving the compromise of systems security measures are absolutely prohibited.
1.34. Mandatory Reporting: All suspected policy violations, system intrusions, virus infestations, and other conditions that might jeopardize NDC information or NDC information systems must be immediately reported to the IS&T division (Help Desk Team ext. 3331 or Security@ndc.ae).