
Sample Modem Security Policy

March 16, 2010

Executive Summary

Policies are management instructions indicating how an organization is to be run. This policy is designed as an addition to an existing corporate security policy. It can be added to a Remote Access Policy, if one exists, or stand alone as a Modem Access Policy if [Your Company] currently has no policy of this sort.

Acceptance of this kind of policy at a company is the first step to eliminating unauthorized or poorly implemented modems at a site. Near the end of this policy is a section entitled “Steps for Initial Deployment of this Policy,” which is an outline of necessary steps within an organization for ensuring that all internal modems are configured properly.

Having a Modem Policy demonstrates due diligence with regard to security at a company. Acceptance of this policy at a management level will also help company auditors to assess the security posture of [Your Company].

As with anything information security related at a company, a Risk Analysis must be made for each modem found. There are a myriad of business reasons for a modem to exist, and each one of those reasons needs to be weighed against the potential vulnerability a poorly configured modem opens up within a company. This policy outlines these potential areas of conflict between the security organization and the business operations aspect of a company. This policy also attempts to resolve these conflicts in a clear manner to enable a company to have a concise understanding of all issues relating to modems within [Your Company].

Background

Companies rely heavily on their internal automated resources (networks, computers, telephones, etc.) to meet their operational, financial and information requirements. All information, both as it passes over and as it is stored on these resources, is an important asset of [Your Company]. A system of internal controls and policies should exist to safeguard these assets and control their misuse. Information will be processed securely, and all employees share the responsibility for the confidentiality, integrity, and continued secure availability of [Your Company]’s information. This policy covers both accidental and intentional disclosure of, or damage to, Company assets due to improperly installed remote access devices, specifically modems.

Scope

This policy statement applies to the confidentiality, integrity, and continued secure availability of [Your Company]’s assets with regards to remote access via telephone and ISDN lines and specifically modems. The main feature of this policy is to outline the extent that devices which allow such access are to be deployed within [Your Company], and how the enforcement of this policy will be carried out.

Definitions

Assets. Assets include all items which allow a company to stay in business. This includes not only physical items, such as hardware, computers, information stored on computers and cash on hand, but also non-physical items, such as company reputation, information in transit over the internal network and operating expenses.

Company. The word “Company” means the entire corporation, organization or government entity which ultimately controls and owns all Assets within the scope of this document.

Information. Information entails both data stored on a computer system or storage medium, and data which is in transit.

Modem. A device that enables one computer to communicate with another computer, or enables one computer to operate another device across a telephone or ISDN line.

Employee. Includes all people who work directly for [Your Company], and those who are temporarily receiving compensation for contributing to [Your Company]’s assets. This includes all direct employees, temporary personnel, consultants, contractors, and dedicated vendor representatives.

By extension, employees are directly responsible for enforcement of this policy by non-employees reporting to them, such as a vendor representative assisting [Your Company] in solving a problem with the vendor’s product.

Owner. The Owner of an asset is the employee responsible for the business results of that asset, or the business use of this asset. Where appropriate, ownership may be shared by managers of different departments.

Custodian. The Custodian is an employee or department responsible for the processing and storage of the asset. This term is most often used in relation to information. For instance, mainframe applications may have the Information Services department as the custodian; for smaller systems, the owner or user may retain custodial responsibilities. If a department is responsible for an asset, the head employee/manager/director of that department has the ultimate responsibility for all such assets, and the authority to implement necessary controls to keep the asset secure.

User. The User is any person or employee who has been authorized by the Owner of an asset to utilize, read, enter, or update the information or services which that asset provides.

Outsider. An Outsider is any person who does not fall into the category of Employee. This includes groups or other businesses. Outsiders may not access any assets without approved supervision by an employee.

Responsibilities

Owner

Information processed within [Your Company] must have an identified owner, and this assignment must be formally documented. This owner can delegate ownership responsibilities to another employee. Within the scope of this Modem Usage policy, the owner has the authority and responsibility to:

1) Authorize access and assign custody of assets.

2) Determine the requirements regarding how access is to be enabled, and communicate this information to the Custodian of the asset.

3) Specify access controls and communicate these control requirements to the Custodian and Users of the information.

4) Support the Custodian’s responsibility and authority to perform the actions necessary to keep the assets secure.

Custodian

The Custodian is responsible for the administration of controls and requirements as specified by the Owner. This includes having the authority and responsibility to:

1) Provide physical and technical safeguards for the asset.

2) Provide procedural guidelines for the users of the asset.

3) Maintain a list of all authorized modems, along with their proper settings (e.g. “autoanswer mode off”), to facilitate the examination of the telephone auditing logs.

4) Administer access to the asset.

5) Evaluate the cost-effectiveness of controls.

To properly perform this activity, the Custodian will define, and keep up to date, a list of ALL modems deployed at [Your Company], and the activity that each of the modems provides which adds to the value of [Your Company].

The Custodian will also, at each testing period, update the list of all telephone numbers available to [Your Company], and regularly perform testing with automated software. This testing will be performed at regular intervals on a monthly or quarterly basis, and will ensure that:

1) All modems deployed at [Your Company] are configured properly.

2) No additional, unregistered modems have been deployed without proper authorization on any telephone/ISDN line within [Your Company].

Results of this testing will be regularly reported to the Owner of the asset and to the principals of [Your Company] (i.e. Vice President and higher in the executive chain, as appropriate to [Your Company]).

User

Each user has the responsibility to:

1) Comply with all controls/policies with regards to modem usage as outlined by the owner and custodian. This includes relaying information about this policy to Outsiders or new employees.

2) Acquire appropriate authorization from the owner/custodian of any network a newly placed modem will be connected to BEFORE attaching and activating the modem.

3) Supply the Custodian with the telephone number, proper settings of the modem, and physical and logical location of all authorized modems the User deploys. This will help the Custodian when the Custodian performs the regular telephone audits.

4) Report any known violations of this policy to the custodian or owner immediately upon discovery.

Enforcement

If a violation of this policy is uncovered as a result of the Custodian’s normal audit process, the Custodian has the authority to shut down the offending modem immediately after determining the modem is not on the Custodian’s list of authorized modems.

A violation of standards, procedures or guidelines established pursuant to this policy shall be presented to the Management of [Your Company] for appropriate action. This could result in disciplinary action, including dismissal and/or legal prosecution.

Frequency of Review

This policy will be reviewed with each Employee on a yearly basis, and will be part of the new Employee orientation process to ensure that each Employee is aware of the importance of this policy to [Your Company].

Steps for Initial Deployment of this policy

1) Ensure that this policy is approved by appropriate management at [Your Company].

2) Obtain permission and authority to perform a telephone line scan on [Your Company]’s internal telephone system. The time of the scan (during business hours, outside of business hours, etc.) needs to be defined during this stage.

3) The Custodian needs to gather an initial list of all telephone numbers, including internal extensions, that [Your Company] owns or can potentially own (whether or not the telephone number is currently known to be “in use”). This is the “block of numbers” the telephone company has reserved for use by this Company.

4) A telephone line scanning product, such as Sandstorm’s PhoneSweep product, should be chosen and purchased.

5) The telephone line scanning product will be used on all potential telephone numbers for [Your Company].

6) Examination of all results of the scan will be undertaken. With the assistance of the telephony department, all items will be addressed, and the initial list of authorized modems, their configurations and their locations will be created.
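The reconciliation the Custodian performs in step 6, and repeats at each monthly or quarterly audit under the Custodian responsibilities above, amounts to comparing the scanner’s output against the authorized-modem list. The following is an added worked example of that comparison; it is not part of the policy template and not the output format of PhoneSweep or any other scanner. Both the inventory and the scan results are constructed, the CSV column names and the result vocabulary (voice, carrier, fax, no_answer) are assumptions, and the telephone numbers use the fictional 555-01xx range.

```python
"""Reconcile a telephone-line scan against the Custodian's authorized-modem list.

Added example (not from the policy). Inventory and scan data are constructed;
the CSV layouts and the result words are assumptions, not a real scanner's format.
"""
import csv
import io
import re
from dataclasses import dataclass

# Hypothetical Custodian inventory: number, Owner, physical/logical location and
# whether the modem is permitted to answer incoming calls (autoanswer on/off).
# Numbers are deliberately written in mixed formats, as people tend to record them.
AUTHORIZED_MODEMS_CSV = """\
number,owner,location,autoanswer
202-555-0101,Facilities,Bldg A HVAC controller,on
(202) 555-0114,Finance,Bank upload PC (dial-out only),off
+1-202-555-0122,Engineering,Lab test bench,on
+1-202-555-0130,IT Ops,Out-of-band console server,on
+1-202-555-0250,Warehouse,Inventory terminal,on
"""

# Hypothetical scan output over the company's number block 202-555-0100..0199.
# "carrier" means a modem answered; voice, fax and no_answer do not.
SCAN_RESULTS_CSV = """\
number,result
+1-202-555-0100,voice
+1-202-555-0101,carrier
+1-202-555-0102,no_answer
+1-202-555-0114,carrier
+1-202-555-0122,no_answer
+1-202-555-0130,carrier
+1-202-555-0147,carrier
+1-202-555-0150,fax
"""


@dataclass(frozen=True)
class Modem:
    number: str        # canonical digits, e.g. "12025550101"
    owner: str
    location: str
    autoanswer: bool   # True if the modem is permitted to answer incoming calls


def canonical_number(raw: str) -> str:
    """Reduce '(202) 555-0101', '+1-202-555-0101' or '2025550101' to '12025550101'."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:          # assumption: NANP number without country code
        digits = "1" + digits
    if len(digits) != 11:
        raise ValueError(f"unrecognised telephone number: {raw!r}")
    return digits


def load_inventory(text: str) -> dict[str, Modem]:
    """Parse the Custodian's list, rejecting duplicate entries for one number."""
    inventory: dict[str, Modem] = {}
    for row in csv.DictReader(io.StringIO(text)):
        modem = Modem(canonical_number(row["number"]), row["owner"].strip(),
                      row["location"].strip(), row["autoanswer"].strip().lower() == "on")
        if modem.number in inventory:
            raise ValueError(f"duplicate inventory entry for {modem.number}")
        inventory[modem.number] = modem
    return inventory


def load_scan(text: str) -> dict[str, str]:
    """Parse scanner output into {canonical number: result}."""
    return {canonical_number(row["number"]): row["result"].strip().lower()
            for row in csv.DictReader(io.StringIO(text))}


def reconcile(inventory: dict[str, Modem], scan: dict[str, str]) -> dict[str, list[str]]:
    """Classify every number for the audit report.

    unauthorized:  a modem answered on a number not in the Custodian's list
    misconfigured: an authorized modem answered although autoanswer should be off
    silent:        an authorized autoanswer modem did not answer (moved, off, or re-assigned?)
    not_scanned:   an authorized modem sits outside the scanned number block
    ok:            an authorized autoanswer modem answered as expected
    """
    findings: dict[str, list[str]] = {k: [] for k in
                                      ("unauthorized", "misconfigured", "silent", "not_scanned", "ok")}
    for number, result in sorted(scan.items()):
        if result != "carrier":
            continue                       # voice, fax, busy, no answer: no modem answered
        modem = inventory.get(number)
        if modem is None:
            findings["unauthorized"].append(number)
        elif not modem.autoanswer:
            findings["misconfigured"].append(number)
        else:
            findings["ok"].append(number)
    for number, modem in sorted(inventory.items()):
        if number not in scan:
            findings["not_scanned"].append(number)
        elif modem.autoanswer and scan[number] != "carrier":
            findings["silent"].append(number)
    return findings


if __name__ == "__main__":
    for category, numbers in reconcile(load_inventory(AUTHORIZED_MODEMS_CSV),
                                       load_scan(SCAN_RESULTS_CSV)).items():
        print(f"{category:14s} {', '.join(numbers) or '-'}")
```

The “unauthorized” and “misconfigured” lists are the ones the Enforcement section acts on; “silent” and “not_scanned” are inventory hygiene findings for the Custodian, since the policy only works if the number block in step 3 really covers every line the Company owns.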

Policy Coordinator

Information Security Officer of [Your Company]