In order to protect our network, computers and the confidential data of our clients, [Firm Name] (the “Firm”) has instituted this Network And Computer Access Policy. We’re protecting against not just the damages and liability created when unauthorized access occurs, but also against viruses and physical damage to our systems.
This document sets forth standards which must be adhered to by all employees, contractors and any user granted access to any machine on the Local Area Network (LAN) at any time, whether physically present at the Firm or via remote access.
Failure to comply with the policies set forth in this document will result in disciplinary action, and may result in termination of employment.
For the purposes of this document, an “Employee” is any employee, contractor, agent, temporary worker, vendor and any other person in a position to know or obtain information about computers or devices on the LAN.
The firewall is a hardware or software device which protects the ports of computers on the LAN. For the purposes of this document, “Remote Access” shall mean access to the Local Area Network from any location outside the firewall by any method, including but not limited to Virtual Private Network (VPN), dial-in modem, frame-relay, SSH, cable-modem and any other method of accessing the LAN from outside the firewall.
The Policy applies to any person granted authorization to access any computer or device on the Firm’s LAN (an “Authorized User”). This includes but is not limited to contractors, temporary workers, vendors, sub-contractors, employees, attorneys and partners authorized to access any of the Firm’s computers, locally or via Remote Access, for any reason, including email and Internet or intranet web browsing.
All computers and devices on the LAN must be physically secured when leaving them unattended. All servers must be additionally secured with locking devices such as keyboard locks.
Any notebook or laptop computer, Personal Digital Assistant (PDA), Internet-capable cellular device, Wi-Fi-enabled device or other device capable of connecting via Remote Access to the LAN (A “Mobile Device”) must be secured with a BIOS password, and user authentication. Any Mobile Device must run up-to-date anti-virus protection and properly configured software firewall (see __ below).
Any Authorized User must take reasonable steps to ensure that any Remote Access to the LAN is treated with the same security approach as a connection made within the Firm.
It is essential that each Employee be instructed never to tell even the most seemingly innocuous detail about the Firm’s Information Technology (“Sensitive Information”) to a third party. While it may seem inconvenient or rude, all Employees – from temporary receptionist to senior Partner – must treat as suspicious any request from any third party person not personally Known to that Employee. Private detectives and others who specialize in information retrieval may call several people in a firm, asking each for a seemingly innocuous detail, which combined can result in a breach of the Firm’s security. Employees must jealously protect any information about the Firm’s Information Technology, including but not limited to:
- Never telling a caller any details including but not limited to server names, Internet Service Providers, telephone provider, email server information (including email server name), printer type, computer brand, router type or brand;
- Never telling a caller the name of your Information Technology specialist, whether that Information Technology person is in-house or contracted;
- Never telling a caller the name of any Wireless Access Point (WAP) SSID; never confirming the presence of a Wi-Fi WAP;
Any caller not personally known to the Employee who requests Sensitive Information must be referred to the appropriate department head or Partner, without giving such person the name of such appropriate department head or Partner. If such referral is not possible or practical, then the Employee must request from the caller a callback number, to be given to the appropriate department head or Partner, without giving such person the name of such appropriate department head or Partner.
All Authorized Users must use strong passwords. Unacceptable passwords include but are by no means limited to,
- first or last names, or combinations thereof;
- names of an Authorized User’s children or pets;
- words found in a dictionary, combinations of dictionary words with a sound alike digit (second2, etc);
- use of the words or variants on the word password, admin, update, access, login, computer, terminal, workstation, work, home, etc.
Strong Passwords are a string of at least eight characters of upper and lower case letters and numbers.
Authorized Users should change their password regularly.
No Employee may leave a password written down in proximity to the computer or device which the password accesses.
No Employee may ever provide their login or email password to anyone, including family members.
Authorized User may access the Internet for Firm business or personal information provided that they:
- do not jeopardize the security of any Firm or confidential client information which may be present on the computer being used to access the Internet;
- do not violate any of the Firm’s policies;
- do not engage in illegal or prurient activities;
- do not engage in outside business interests;
Any Wi-Fi Access Point (WAP) must be configured to comply with the four-step Proposed Standard of Reasonable Wireless Network Security in Law Firms available at http://www.delmaropensource.com/standard.htm. This proposed standard provides four steps to securing a WAP, which includes:
- Changing the WAP defaults (administration password, router name, router IP address, SSID name, etc);
- Encrypting the signal using the best available encryption method, in order from most to least desirable, WPA2, WPA, 128-bit WEP;
- Requiring VPN access into the LAN from anywhere outside the Firewall;
- Implementing a written access policy, such as this one
Wireless (Wi-Fi) Access
Any access to any computer or device on the LAN behind the firewall must be via VPN. Any Authorized User accessing the LAN via VPN from their home or other WAP (a, “Remote WAP”) must apply all four steps above to the Remote WAP.
Any Employee using any Remote Device must ensure that such device is updated with the most recent security patches for their Operating System.
All machines on the LAN and any Remote Device must run current versions of anti-virus software with regularly updated virus definitions. Note that new viruses are introduced every hour; “regularly updated virus definitions” means at a minimum of once each week. It could be argued it is reasonable to update every 24 hours.
Any Remote Device must be running a properly-configured firewall program such as Zone Alarm or Computer Associates eTrust. Users at Public Hotspot must be aware that, if such Remote Device is not running a firewall, a malicious user can gain access to the Remote Device and install software or remove files from the Remote Device’s hard drive.
Any Authorized User using a Remote Device outside the firewall must use the VPN to send and receive Firm email. No Firm email may be sent using third-party email services (including but not limited to gmail, hotmail, etc).
Any Authorized User accessing any computer or device on the LAN for remote management or administration must use SSH or VPN. For remote file transfer, SCP, SFTP or VPN must be used. Under no circumstances shall Telnet, FTP or other un-encrypted access method be used.
No Employee using any Remote Device shall access the LAN while connected to any other network, except a personal network over which such Employee has complete control.
Also in this series…
A proposal for Reasonable Wireless Security for law firms