Protect Plus Air Property
Protect Plus Air provides a data network for your use on company business. Protect Plus Air assets are only used for company business. Remember that all workstations, copiers, facsimile machines, telephone voice mail systems, computer hardware, software and files (including e-mails and other types of written communication), as well as hard copy documents, are property of Protect Plus Air and that Protect Plus Air reserves the right to access and search all Protect Plus Air property at any time, without prior notice to the employee. If such a search uncovers information that conflicts with Protect Plus Air policies, you may be subject to disciplinary action, up to and including termination.
Data Network
Network security is becoming increasingly important as more data is stored electronically, as businesses and individuals become more dependent on electronic data for daily functions, and as attacks on computers and networks become more sophisticated.
Organizations like Protect Plus Air who process credit card transactions have an even higher standard of network security to maintain. A security breach of Protect Plus Air's data network could result in fines and/or the loss of the ability to process credit cards. For this reason, network security procedures must be followed.
If you suspect any compromise or breach of security, inform your supervisor immediately. If your supervisor is not immediately available, contact a member of the IT Department. DO NOT WAIT FOR YOUR SUPERVISOR TO BECOME AVAILABLE IF HE/SHE IS NOT IMMEDIATELY AVAILABLE.
Each and every employee is responsible for safeguarding the security of the organization.
Certain security measures have been implemented on Protect Plus Air computers to protect our network.
Disabling such security measures is prohibited.
Hardware: Only hardware approved and owned by Protect Plus Air should be used on the Protect Plus Air network and only by or under the explicit direction of the IT Department.
- Do not bring hardware from home to use on the Protect Plus Air network.
- Do not purchase or otherwise obtain hardware on your own to use on the Protect Plus Air network.
If you need additional hardware to do your job, request it of your supervisor.
Software: Only software approved and legally licensed by Protect Plus Air should be installed on office computers, and only by or under the explicit direction of the IT Department.
- Do not bring software from home to install on your computer.
- Do not buy software on your own to install on your computer.
- Do not download software from the Internet and install on your computer.
If you need additional software on your computer to do your job, request it of your supervisor.
Network Accounts: Your network account is unique to you and should be carefully protected.
- Do not allow anyone to use your computer under your login.
- Do not work on any computer under a login other than your own.
- Do not use your Protect Plus Air login on any other network.
- Do not save your Protect Plus Air webmail login on any computer, in particular not on any computer outside Protect Plus Air's network.
- If for any reason you suspect someone else may have learned any of your login credentials, inform your supervisor (or a member of the IT Department, if your supervisor is not available) and change your passwords immediately.
Passwords: Your network passwords are unique to you and should be carefully protected.
- Do not store your passwords in written or electronic form.
- Do not display your passwords.
- Do not share your passwords with anyone.
- Do not use your Protect Plus Air passwords on any other network.
- Do not save your Protect Plus Air webmail passwords on any computer, in particular not on any computer outside Protect Plus Air's network.
- Do not send passwords via email.
- No one at Protect Plus Air will tell you your password, nor ask you for your password, via email or any other means. If you receive such a request, inform your supervisor immediately (or a member of the IT Department, if your supervisor is not available).
- If for any reason you suspect someone else may have learned any of your passwords, inform your supervisor (or a member of the IT Department, if your supervisor is not available) and change your passwords immediately.
The electronic mail system at Protect Plus Air exists to facilitate the business of Protect Plus Air. E-mail is an important form of business communication, and should be responded to as such. Where possible, e-mail should be read at least on a daily basis, and responded to promptly. You should take care to use e-mail appropriately. Remember that email doesn't go away and could become public; therefore, all email correspondence should reflect the same high professional standards as all other correspondence.
If you receive an "executable" or "clickable" program as an attachment or part of an e-mail from an unknown outside source, please do not open it. This is often the means that individuals use to spread computer viruses through a business. If you receive such a file, inform your supervisor immediately (or a member of the IT Department if your supervisor is not available). DO NOT OPEN OR FORWARD these messages. This same response should be followed if you receive any emails which violate any of Protect Plus Air's policies (specifically including, but not limited to, Protect Plus Air's prohibition against pornography and harassment).
Internet
We provide access to the Internet as a tool for conducting the company's business. The guidelines listed below should be followed when using the Internet at work:
- Download only work related information.
- Under no circumstances are any streaming media software or devices to be used on the Internet unless specifically allowed by the IT Department.
- Do not download any software from the Internet for installation on your computer except under the explicit direction of the IT Department.
- You should only use your Protect Plus Air login to access Protect Plus Air's network, not for logging into other networks, online shopping or banking, etc.
- Your Protect Plus Air passwords should be unique to Protect Plus Air network and should not be used for any other computer or network access.
- Internet should only be used in a way consistent with EEO and harassment policies.
- You should not participate in non-work-related Internet forums or services except with your supervisor's approval.
- You should not participate in non-work-related Internet forums or services using your Protect Plus Air credentials.
SSL Certificates:
Clear Text Transmission is a common method to transmit data from one location to another. It is often associated with email or even text messaging. It is completely 100% unencrypted data being sent from one location to another. Obviously, the easiest way to ensure that data is not being obtained is to never send something crucial, like a password or bank account number, over a text message or even in an email. This is a practice fervently recommended to all employees.
A man-in-the-middle attack is, in cryptography and computer security, technically a form of eavesdropping. It is when an attacker makes an independent connection with a client or server and then forwards or relays the information. Unencrypted WiFi is generally flooded with people who attempt man-in-the-middle attacks because the information is already decrypted. A man-in-the-middle attack is only possible where there is a form of mutual authentication, which basically means that the man has to be trusted.
Therefore, if an SSL is in place then there is a certification authority beyond the general connection which protects from these types of attacks. Our Network Administrator is capable of setting up an SSL Certificate and different types of encryption methods to protect the transmission of data from one location to any location. This ensures that all transmission is secured and limits the possibility that a hacker has access to restricted files.
Remember that sensitive data might be delivered to a mobile device. If the device is on an unencrypted WiFi network (such as a coffee shop or public hot spot), you should exercise caution when opening such messages. You are responsible for the data you receive on all Accounts on the Protect Plus Air network.
SSL Compromise Prevention:
SSL Compromises occur when the SSL Certificate is not configured properly or the information is bad. This happens when a file is corrupt. If a user allows access to an SSL Certificate it can be signed with Malware. Some websites have fake SSL Certificates and users who access these sites compromise their security and information. Companies like Fortigate, Adobe and DigiNotar have a co-signer trust and they have software that detects SSL Compromises.
It is important to ensure that data being sent is secured. A man-in-the-middle attack or a harvester of data during transmission is a huge possibility, especially on the Internet. You never know who is watching. Thus, our SSL Certificates are purchased with 256 Bit Encryption and only from a reliable and well-known vendor. Additionally, SSL Certificates are tested in detail and their setup is confirmed via our SSL Vendor. We place these certificates on the required servers to prevent intrusion. Your personal computer and actions on Protect Plus Air property are your responsibility, as all preventive measures have already been put in place.
Social Media
The definition of social media is very broad, given the increasing tendency to integrate such technology into conventional, broadly used applications like email. Social media does, however, represent a significant risk to information security, being both a heavily targeted resource for malware/hacking and a place where corporate data is inadvertently leaked.
- Social Media sites are only to be used when required for your job, as specified by your supervisor.
- You must use a secure password for social media systems, in compliance with Protect Plus Air’s password policy. This password must not be the same as any credentials used within the enterprise.
- Users accessing social media systems must do so with a compliant system, specifically:
  - Running up-to-date enterprise anti-malware technology
  - Patched and up to date: both the operating system and, in particular, the browser and associated applications like Flash or PDF applications
  - Using an IT-supported web browser
  - The system must pass through a web security system, providing content filtering for malicious content and blocking of known bad sites.
- Use of social media systems will be monitored by Protect Plus Air IT Department to protect against the loss of data. Traffic, files, and content will be inspected in accordance with Protect Plus Air Security Policy.
Data Storage
Protect Plus Air provides network servers with ample storage space, redundant hardware and backup procedures for the storage and protection of data required to perform your job duties.
If for any reason you require additional data storage capacity, make a request of your supervisor, and the IT Department will see that your need is met. You should not install on your computer or anywhere on Protect Plus Air network any storage or other device that was not provided to you or pre-approved by the IT Department for use on the Protect Plus Air network.
The IT department reserves the right to move or delete files as needed to maintain proper operation of the Protect Plus Air network.
Customer Credit Card Information
It is the policy of Protect Plus Air to safeguard Customer Credit Card Information (CCCI).
- You should not access CCCI unless required to do so (e.g., communicating with customer with regards to an order, issuing a refund, etc.).
- CCCI should not be written on any paper other than an approved Protect Plus Air Order Form.
- At the end of each work day (or whenever you leave for the day, if you leave earlier than the normal end of your shift), all Protect Plus Air Order Forms containing CCCI should be given to your supervisor (or a member of the IT Department, if your supervisor is not available) for proper storage and disposal.
- CCCI should not be stored in any medium outside designated and approved areas of the Protect Plus Air network and ordering system.
- CCCI should not be carried off premises of the Protect Plus Air campus, nor transmitted by phone, text, photo, video, audio or any other means of communication.
- Once a customer's CCCI has been entered into the Protect Plus Air system, it should not be written down or otherwise stored or transmitted via any medium.
- CCCI should not be stored in any non-approved format or manner.
Remote Access to Protect Plus Air Network
Remote access to the Protect Plus Air Network will be permitted only for those who need remote access for completing their job duties. All remote access to the Protect Plus Air network will be effected in strict compliance with security and connectivity instructions provided to you by the IT Department.
Home PCs used to access the Protect Plus Air network must be secured:
- Install personal firewall.
- Install antivirus software with regular updates, activity logging and automatic periodic scanning.
- Configure auto-screensaver and auto-logout-when-idle.
Access to Protect Plus Air Network by Personal Devices
Personal devices may be permitted on the Protect Plus Air network under limited circumstances:
- Explicit prior approval of your supervisor;
- IT Department authorization for use of the technology;
- Filing device information with the IT Department including make, model, serial number, owner, contact information and purpose of use on the Protect Plus Air network;
- Strict adherence to this Security Policy and any additional requirements and/or restrictions promulgated by the IT Department.
Personal devices MAY NOT BE USED to copy, move or store CCCI for any reason whatsoever.
Removable Media
For security reasons, removable media are normally not permitted on the Protect Plus Air network without prior permission from the IT Department. "Removable media" refers to external hard drives, thumb drives or other portable hard drives, CD/CDR/CDRW/DVD/DVDR/DVDRW/HD-DVD, Blu-ray and so on.
In the normal course of business, there should be no reason for employees outside the IT and Marketing departments to use removable media on the Protect Plus Air Network. If an occasion arises whereby you have need of such to perform your job duties, please inform your supervisor and make written request to the IT Department. Your request should describe the exact type and number of removable media required, for what purpose, how you plan to secure the media while in use and how it will be disposed of after use.
Confidential information should never be copied to removable media nor removed from the Protect Plus Air campus without prior written consent of management as well as the IT department.
Credit card data should never be copied to removable media for any reason other than secured backup under the direct supervision of the IT Department and with the express written consent of management.
Physical Security of Protect Plus Air Premises
All visitors to the Protect Plus Air campus should be easily identifiable as such, logged as to time in and out and destination, and given a Visitor's Badge which is collected at departure. It is the responsibility of the employee entertaining a visitor to be certain these procedures are followed at each visit.
It is the responsibility of all personnel to be aware of all individuals on campus and to report suspicious activity. For example, you should inform your supervisor (or a member of the IT Department, if your supervisor is not available) immediately if you:
- Notice an employee in an area which is unrelated to his job duties or in a restricted area;
- See someone wearing a visitor's badge who is not being escorted by an employee;
- Observe suspicious behavior by any individual, whether employee or visitor.
Wireless Devices
Because wireless devices provide a point of entry to the Protect Plus Air network which cannot easily be monitored or controlled, these devices are not permitted on the Protect Plus Air network without prior written consent of the IT Department. If an occasion arises whereby you have need of such to perform your job duties, please inform your supervisor and make written request to the IT Department. Your request should describe the exact type and number of wireless device(s) required, for what purpose, as well as how the devices will be secured while in use and how they will be disposed of after use.
Personal cellphone use may be permitted on the Protect Plus Air campus with the explicit prior permission of your supervisor.
Cameras, video recorders, audio recorders, and all other recording devices are prohibited on the Protect Plus Air campus without the prior written permission of management. Management permission will specify when, where and how such devices may be used and these specifications must be followed by all affected employees.
Personal Responsibility
If you suspect your computer, login or password may have been compromised in any way, or if you notice any suspicious activity on the Protect Plus Air campus, inform your supervisor immediately. If your supervisor is not immediately available, contact a member of the IT Department. DO NOT WAIT FOR YOUR SUPERVISOR TO BECOME AVAILABLE IF HE/SHE IS NOT IMMEDIATELY AVAILABLE.
Assigned Responsibility of IT Staff
Duties of IT-related functions are split among several individuals. Should you need IT Support, seek out the following individuals based on the support request:
- Reporting and Database Modification Requests: Steven Levin
- Microsoft Dynamics Great Plains: Jeff Spears
- Desktop or Laptop Support: Michelle Gilmore, Jon Hopson
- Phones (Mobile and Desk) or Voicemail: Michelle Gilmore
- Route Handhelds: Dan Cuda
- Network Inquiries: Joshua Hopper
- Security Inquiries: Joshua Hopper
- Backup or Restore Inquiries: Joshua Hopper
- Evaluative or Financial Inquiries: Jeff Stokes
| Name | Ext | DID Line |
| --- | --- | --- |
| Jon Hopson | 2154 | 828.449.1837 |
| Michelle Gilmore | 2147 | 828.449.1395 |
| Steven Levin | 2180 | 828.449.2180 |
| Dan Cuda | 2121 | 828.449.1830 |
| Jeff Spears | 2169 | 828.449.2027 |
| Jeff Stokes | 2108 | 828.449.1388 |
| Josh Hopper | 2160 | 828.449.1839 |
Incident Response:
Severity is determined by level where Level 1 is low and Level 3 is very high (as in a whole site is down).
- Level 1 Contact: Michelle Gilmore, Mitch Turner
  - Example: My mapped drives are not working, I need a password reset
- Level 2 Contact: Joshua Hopper, Mitch Turner
  - Example: A file was deleted, I need VPN access
- Level 3 Contact: Joshua Hopper, Jeff Stokes
  - Example: Our whole site is down
- Assigned Responsibility for Maintaining this Program: Jeff Stokes
- Assigned Responsibility for Maintaining Assets/Controls/Equipment Rooms: Joshua Hopper
Audit Trails
Our IT Staff keep track of Assets, Security Logs, Backup Logs, Change Requests and Access Logs. As an Employee of Protect Plus Air you are obligated to comply with any inquiry audited. Furthermore, should an audit occur and determine specific access or authentication be revoked (and formally approved by management) you must also comply. If any dispute were to arise, please consult your direct supervisor.
Audit Trails are available upon request for upper Management or Supervisors who are authorized to review this as well.
Vendor and 3rd Party Access Control
Vendor access is accepted at Protect Plus Air under strict guidelines. Should you need a Vendor to have access to our network or facilities in any way, shape or form:
- A supervisor and IT must be informed and approve such access
  - A document trail is required stating:
    - What access is needed
    - Duration of Access
    - Reason for Access
    - Document must be approved by upper management
- A unique ID must be set for that vendor
- Should network access be granted, a Vendor abides by the same password policy as stated above
- Should network access be granted, a Vendor must:
  - Sign a 3rd party Remote Access Agreement
  - Abide by all factors and guidelines within the Remote Access Agreement
- Access will be revoked immediately upon termination
- If an event (such as a network or software change, or the like) occurs on behalf of the vendor:
  - A document trail is required stating:
    - The type of event
    - When (date and time) of the event
    - Source of the event
    - The outcome of the event
    - Identify users associated
    - The document must be approved by upper management
- The employee requesting Vendor Access is responsible for safeguarding company information and practices. They are responsible for that Vendor.
- The employee must provide, or request IT provide, formal training and awareness of our security practices the Vendor must abide by
For more information on the Vendor Access Controls, please contact Joshua Hopper or Jeff Stokes.
Platform and Application Controls
All users at Protect Plus Air are required to abide by the security practices of all platforms and application controls set in place by the IT Department. As an Employee, you authorize the IT Department to remotely connect to your computer or session for the purpose of IT Support or IT Auditing. Additionally, you as an Employee agree to have limited access to the extent that you are authorized to access required files, platforms and application controls specific to your occupation and those approved by your Supervisor.
Disposal of hardware and Software
In an effort to stay current on as many Green practices as possible, the IT Department recycles all hardware. In order to dispose of hardware:
- Contact the IT Department
- Inform them of the request to dispose of hardware
  - Include the type of hardware
  - Reason for disposal
- The IT Department will approve or disapprove of the disposal request
- If approved, the Employee is required to abide by all requests of the IT Department for proper disposal
User Provisioning Process
The user provisioning can be completed by one of the following IT Department individuals:
| Name | Ext | DID Line |
| --- | --- | --- |
| Jon Hopson | 2154 | 828.449.1837 |
| Michelle Gilmore | 2147 | 828.449.1395 |
All requests must be made through a supervisor and if not already approved it must be by upper management. All software and hardware setup will be done by the IT Department unless explicitly told otherwise. All hardware assets must be documented and Asset Tagged.
As of 2013, new computers are purchased from Dell with OEM copies of Windows 7 already installed on them. The idea is to install all general programs, map drives, set up the LogMeIn account, and join the PuraFilter2000 Domain. Once this is done, a computer will be assigned to a user, and the user must be logged into the device and set up with the correct Printer, Outlook and Updates. Run Windows Distribution Server first to install an OS. Then follow the directions below. (See Windows Distribution Server section).
In terms of software, the below is the approved software:
Standard Software for Everyone:
- .NET
- 7-zip
- Adobe Flash Player
- Adobe Reader
- Adobe Shockwave Player
- CCleaner
- CutePDF/PDF Creator
- Flash for IE
- Google Chrome
- Java
- LogMeIn
- Malwarebytes Anti-Malware
- ESET NOD32
- Microsoft Office Applications
- Mozilla FireFox
- Silverlight
Accepted Software as needed:
- AccPac
- CyberLink PowerDVD
- Acrobat
- Dazzle
- Adobe Creative Suite
- FedEx Ship Manager
- Adobe Photoshop
- Filezilla
- ADP
- Flamingo
- AT&T Communication Software
- Flashnote
- AutoCAD
- Flipshare
- Blackberry Desktop Manager
- Flowcharts
- Cisco VPN Client
- FRx
- Corel
- Garmin Communicator
- Crystal Reports
- Google Earth
- UC Client Manager (Mitel)
- TSPrint Client
- UniPrint Client
- TurboTax
- VaultLogix
- VZ Access Manager
- Visio
- WebEx
- WinDirStat
- Jzip
- Putty
- Bullzip pdf printer
- GoToAssistant
- Nero
- ID Automation
- Pandora
- ID Maker
- PC*MILER
- iTunes
- PowerDVD
- LabelVision
- Printer Software (HP, Canon, Epson, etc)
- Logitech SetPoint
- Quicken
- Lotus Notes
- QuickTime
- Microsoft Great Plains
- Rhinoceros
- Microsoft Streets & Trips
- Route Administrator
- Microsoft Works
- Roxio
- Monarch
- Skype
- TimeVue
- SnagIt
- Transaction Manager
- Spotify
- YouSendIt Express/Outlook Add-In
- Microsoft Visual Studio
- VMware vSphere Client
- Picasa 3
- Microsoft SQL Server Management Studio
Each and every employee is responsible for safeguarding the security of the organization.
ACKNOWLEDGEMENT
I have received a copy of the Protect Plus Air.com, Inc. employee Security Policy and Absentee Policy. I also understand that it is my responsibility to read the information contained therein, and ask my supervisor or another member of management if I have questions on how the information may affect me.
I understand that any provisions of these Policies may be amended or revised by the company at any time without prior notice.
___________________________________________________________________________________
Employee’s Signature Date
___________________________________________________________________________________
Supervisor’s Signature Date