
Security is McBride Financial Services' number one priority.

During the requirements meeting, Hugh McBride stated his top five concerns. They are:

1. Security of McBride's Website – The first step in securing McBride's website is a dedicated IP address for the site: a host that serves many sites from one address cannot present McBride's certificate without it. If McBride chooses to have the site hosted by a provider such as Yahoo or MSN, we must generate a private key and a Certificate Signing Request (CSR), or have the host generate them. The private key must be kept secret and never sent to anyone; only the CSR is submitted to the Certificate Authority (CA) during registration. Once the CA has confirmed Hugh McBride's identity, it issues a certificate (CRT file). McBride then supplies the KEY and CRT files to the web host for installation of SSL on the site. Before installation, check that the certificate was issued for the right hostname and that it matches the private key; a certificate installed against the wrong key will not serve. The recommended companies for the SSL certificate are Thawte, GeoTrust, SecureBusinessServices.com and RapidSSL.com.
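The key and CSR steps above, and the matching check that should run before anything is sent to the CA, as an added example written for this report (not something the original provides). It drives the openssl command line from Python so the steps can be repeated and verified. Assumptions: the openssl binary is on PATH; the hostname www.mcbride.example and the organization string are placeholders for McBride's real values.

```python
"""Generate the website's private key and CSR, then confirm they belong together.

Added example for this report (not from the original). Assumes the `openssl`
binary is on PATH; www.mcbride.example and the organization name are placeholders.
"""
import os
import shutil
import stat
import subprocess
import tempfile


def openssl_available():
    """True if an openssl binary can be found on PATH."""
    return shutil.which("openssl") is not None


def _openssl(*args):
    """Run one openssl subcommand and return its stdout (raises on failure)."""
    proc = subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True)
    return proc.stdout


def public_key_from_private_key(key_path):
    """PEM public key derived from the private key file."""
    return _openssl("rsa", "-in", key_path, "-pubout").strip()


def public_key_from_csr(csr_path):
    """PEM public key embedded in the CSR."""
    return _openssl("req", "-in", csr_path, "-noout", "-pubkey").strip()


def public_key_from_cert(cert_path):
    """PEM public key embedded in the issued certificate (CRT file)."""
    return _openssl("x509", "-in", cert_path, "-noout", "-pubkey").strip()


def key_matches(key_path, pem_path, kind="csr"):
    """Does the private key correspond to the public key in the CSR or CRT?"""
    if kind == "csr":
        other = public_key_from_csr(pem_path)
    else:
        other = public_key_from_cert(pem_path)
    return public_key_from_private_key(key_path) == other


def make_key_and_csr(common_name, organization, workdir=None):
    """Create www.key (mode 0600) and www.csr in workdir; return paths and checks."""
    workdir = workdir or tempfile.mkdtemp(prefix="mcbride-ssl-")
    key_path = os.path.join(workdir, "www.key")
    csr_path = os.path.join(workdir, "www.csr")

    # 1. Private key. It stays on this machine; only the CSR leaves it.
    _openssl("genrsa", "-out", key_path, "2048")
    os.chmod(key_path, stat.S_IRUSR | stat.S_IWUSR)  # owner read/write only

    # 2. CSR carrying the public key and the subject the CA will certify.
    subject = f"/CN={common_name}/O={organization}"
    _openssl("req", "-new", "-key", key_path, "-out", csr_path, "-subj", subject)

    # 3. Checks worth running before the CSR goes to the CA.
    csr_subject = _openssl("req", "-in", csr_path, "-noout", "-subject").strip()
    return {
        "key_path": key_path,
        "csr_path": csr_path,
        "csr_subject": csr_subject,
        "hostname_in_subject": common_name in csr_subject,
        "key_matches_csr": key_matches(key_path, csr_path, "csr"),
        "key_mode_0600": stat.S_IMODE(os.stat(key_path).st_mode) == 0o600,
    }


if __name__ == "__main__":
    if not openssl_available():
        raise SystemExit("openssl not found on PATH")
    result = make_key_and_csr("www.mcbride.example", "McBride Financial Services")
    for name, value in result.items():
        print(f"{name}: {value}")
```

When the CRT file comes back from the CA, run `key_matches(key_path, crt_path, "crt")` against the same key before handing both files to the host; a mismatch at that point means the wrong key was kept or the wrong certificate was downloaded.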

2. Customer Information Security at all locations – I recommend eEye Digital Security's Retina software coupled with the eEye Security Management Appliance 1505. Retina provides the Network Security Scanner Appliance, which integrates the security management appliance with prioritized policy management, patch management and vulnerability management. Network Vulnerability Assessment identifies network vulnerabilities, application vulnerabilities and, according to the vendor, zero-day threats. Network Discovery and Patch Assessment discovers all devices, operating systems, applications, patch levels and policy configurations. Finally, the All-In-One Enterprise Security Management bundle comes pre-installed, pre-configured and pre-tuned for centralized vulnerability and patch management plus security incident management. A scanner only reports what it finds: each location still needs an owner for remediation and a fixed patch schedule, and the scan results for systems holding customer data must be reviewed on that schedule rather than filed.


3. Secure Employee VPN – A VPN is based on tunneling: a logical network connection is established and maintained between the VPN client and the server. Over this connection, packets built in the VPN protocol's own format are encapsulated inside some other base or carrier protocol, transmitted between client and server, and de-encapsulated on the receiving side. While inside the VPN, the client's own IP address is not visible to the resources it reaches; they see only the address of the VPN server. This is not anonymity in any strong sense, and it is not the point for McBride: the value of the VPN is that the tunnel is encrypted and authenticated, so employee traffic crossing the Internet to the office cannot be read or altered in transit, and only authenticated users reach internal resources.
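The encapsulation just described, as an added toy example written for this report (not the report's own material and not IPsec or any real VPN protocol). It wraps an inner packet in a carrier header, authenticates it with HMAC-SHA256 under a shared key, and tracks sequence numbers so that a captured carrier packet cannot be played back, the two checks that real tunnel protocols add and the description above leaves out. Confidentiality is deliberately omitted (the standard library has no authenticated cipher); a real tunnel encrypts the inner packet as well. The shared key and the inner packet are constructed for the demo.

```python
"""Toy tunnel: encapsulate an inner packet with an integrity tag and anti-replay.

Added example (not from the report, not a real VPN protocol). Integrity and
replay protection only; encryption is omitted. Key and packets are constructed.
"""
import hashlib
import hmac
import struct

MAGIC = b"TUN1"
HEADER = struct.Struct("!4sI")   # magic + 32-bit sequence number
TAG_LEN = hashlib.sha256().digest_size


class TunnelEndpoint:
    """One end of the tunnel (client or gateway); both ends share `key`."""

    def __init__(self, key, window=64):
        self.key = key
        self.window = window
        self.send_seq = 0        # last sequence number we sent
        self.highest = 0         # highest sequence number accepted from the peer
        self.seen = set()        # accepted sequence numbers inside the window

    def encapsulate(self, inner_packet):
        """Wrap inner_packet as header | inner | tag; this goes inside the carrier."""
        self.send_seq += 1
        header = HEADER.pack(MAGIC, self.send_seq)
        tag = hmac.new(self.key, header + inner_packet, hashlib.sha256).digest()
        return header + inner_packet + tag

    def decapsulate(self, carrier):
        """Verify tag and sequence number, then return the inner packet."""
        if len(carrier) < HEADER.size + TAG_LEN:
            raise ValueError("truncated carrier packet")
        header = carrier[:HEADER.size]
        inner = carrier[HEADER.size:-TAG_LEN]
        tag = carrier[-TAG_LEN:]
        expected = hmac.new(self.key, header + inner, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            raise ValueError("integrity check failed")
        magic, seq = HEADER.unpack(header)
        if magic != MAGIC:
            raise ValueError("not a tunnel packet")
        self._accept_sequence(seq)
        return inner

    def _accept_sequence(self, seq):
        """Sliding anti-replay window: reject duplicates and packets older than window."""
        if seq in self.seen or self.highest - seq >= self.window:
            raise ValueError(f"replayed or stale sequence number {seq}")
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if self.highest - s < self.window}


def demo_exchange():
    """Client sends one inner packet; gateway unwraps it; a replay is rejected."""
    key = b"constructed-shared-key-for-demo-only"
    client = TunnelEndpoint(key)
    gateway = TunnelEndpoint(key)
    inner = b"inner packet (constructed): GET /intranet/ HTTP/1.0\r\n\r\n"
    carrier = client.encapsulate(inner)
    received = gateway.decapsulate(carrier)
    try:
        gateway.decapsulate(carrier)        # the same bytes again: a replay
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return received == inner, replay_rejected


if __name__ == "__main__":
    print(demo_exchange())
```

The tag is computed over the header as well as the inner packet, so an attacker cannot renumber a captured packet to slip it past the replay window; the window itself is what lets packets arrive slightly out of order without being refused.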

4. Secure Wi-Fi – Regardless of which wireless router you choose, a few simple steps must be taken. First, change all default passwords and the Service Set Identifier (SSID). Filter wireless connections by MAC address. Finally, disable SSID broadcasting. Treat the last two as hygiene rather than access control: SSIDs and MAC addresses travel in the clear, so anyone with a wireless sniffer can learn both in minutes and clone a permitted MAC address. Encryption and authentication on the wireless link still have to be enabled on top of them.

To protect your wired internal network from threats coming over the wireless network, create a wireless DMZ or perimeter network that is isolated from the LAN. That means placing a firewall between the wireless network and the LAN. Then you can require that any wireless client wanting to reach resources on the internal network first authenticate with a remote access server and/or use a VPN. This provides an extra layer of protection.

The typical 802.11b WAP transmits up to about 300 feet. A directional antenna sends the signal in a particular direction instead of in a circle like the omni-directional antenna that usually comes built into the WAP. Thus, through antenna selection you can control both the signal range and its direction to help keep outsiders off the network. In addition, some WAPs allow you to adjust signal strength and direction via their settings.

Transmit on a different frequency. One way to "hide" from attackers who use the more common 802.11b/g equipment is to go with 802.11a instead. Since it operates in the 5 GHz range, as opposed to the 2.4 GHz range in which b/g operate, NICs made only for the more common technologies will not pick up its signals; dual-band cards will, so count this as a nuisance for the casual scanner rather than a barrier. Sure, this is a type of "security through obscurity", but it is acceptable as one layer when used in conjunction with other security measures. After all, keeping social security numbers and other identifiers out of sight is a form of obscurity we routinely advise.
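The firewall between the wireless DMZ and the LAN, expressed as a first-match rule table, as an added example written for this report (not part of the original). The address ranges, the VPN gateway at 10.0.0.1 and the remote access (RADIUS) server at 10.0.0.2 are assumptions chosen for illustration; substitute McBride's real addressing. evaluate() gives the decision the firewall would make for a given packet, and to_iptables() renders each rule in iptables syntax in the same order, which is what makes or breaks this design.

```python
"""Wireless DMZ filtering policy as a first-match rule table.

Added example (not from the report). All addresses are assumptions: the wireless
DMZ is 192.168.50.0/24, the LAN is 10.0.0.0/16, the VPN gateway is 10.0.0.1 and
the remote access (RADIUS) server is 10.0.0.2.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WIRELESS = ipaddress.ip_network("192.168.50.0/24")  # wireless DMZ (assumed)
LAN = ipaddress.ip_network("10.0.0.0/16")           # wired internal LAN (assumed)
ANY = ipaddress.ip_network("0.0.0.0/0")
VPN_GATEWAY = ipaddress.ip_network("10.0.0.1/32")   # VPN concentrator, LAN side (assumed)
RADIUS = ipaddress.ip_network("10.0.0.2/32")        # remote access auth server (assumed)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                   # "tcp", "udp", "esp" or "any"
    dport: Optional[int]         # None = any port (or the protocol has none)
    comment: str


# Order matters: the VPN and authentication exceptions must precede the LAN deny,
# because the gateway and RADIUS server both sit inside the LAN range.
RULES = [
    Rule("allow", WIRELESS, VPN_GATEWAY, "udp", 500, "IKE key exchange to the VPN gateway"),
    Rule("allow", WIRELESS, VPN_GATEWAY, "udp", 4500, "IPsec NAT traversal"),
    Rule("allow", WIRELESS, VPN_GATEWAY, "esp", None, "IPsec ESP tunnel traffic"),
    Rule("allow", WIRELESS, RADIUS, "udp", 1812, "authenticate to the remote access server"),
    Rule("deny", WIRELESS, LAN, "any", None, "no direct wireless access to the LAN"),
    Rule("allow", WIRELESS, ANY, "any", None, "Internet from the DMZ (assumed permitted)"),
    Rule("deny", ANY, WIRELESS, "any", None, "nothing initiates connections into the DMZ"),
]


def evaluate(src, dst, proto, dport=None):
    """First matching rule wins; anything unmatched is denied."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for rule in RULES:
        if (s in rule.src and d in rule.dst
                and rule.proto in ("any", proto)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action, rule.comment
    return "deny", "default deny"


def to_iptables(rule, chain="FORWARD"):
    """Render one rule as an iptables command (apply in RULES order)."""
    parts = ["iptables", "-A", chain]
    if rule.src != ANY:
        parts += ["-s", str(rule.src)]
    if rule.dst != ANY:
        parts += ["-d", str(rule.dst)]
    if rule.proto != "any":
        parts += ["-p", rule.proto]
    if rule.dport is not None:
        parts += ["--dport", str(rule.dport)]
    parts += ["-m", "comment", "--comment", f'"{rule.comment}"',
              "-j", "ACCEPT" if rule.action == "allow" else "DROP"]
    return " ".join(parts)


if __name__ == "__main__":
    for r in RULES:
        print(to_iptables(r))
    print("iptables -P FORWARD DROP")
    print(evaluate("192.168.50.10", "10.0.5.20", "tcp", 445))   # deny: LAN file share
    print(evaluate("192.168.50.10", "10.0.0.1", "udp", 4500))   # allow: VPN to gateway
```

The table covers new connections only. A real iptables deployment puts a stateful `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule ahead of it so replies flow back to wireless clients, and ends with the `-P FORWARD DROP` default policy so anything the table does not name is dropped.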

5. Remote Administrators – The remote administrators can use the same VPN to access the network and correct file problems or user-caused problems. Because these accounts can change anything on the systems they reach, their VPN logins and sessions should be logged and reviewed, and they should authenticate with the same strong method required of every other VPN user.

Corporation User Policy

Computer Use and Internet Policy

Important disclaimer: The policy available on this page is only an example and is furnished

merely as an illustration of its category. It is not meant to be taken and used without consultation

with a licensed employment law attorney. If you are in need of a policy for a particular situation,

you should keep in mind that any sample policy such as the one available below would need to

be reviewed, and possibly modified, by an employment law attorney in order to fit your situation

and to comply with the laws of your state. Downloading, printing, or reproducing any of these

policies in any manner constitutes your agreement that you understand this disclaimer and that

you will not use the policy for your company or individual situation without first having it

approved and, if necessary, modified by an employment law attorney of your choice.

USE OF COMPANY COMPUTERS AND INTERNET ACCESS

The use of XYZ Company (Company) automation systems, including computers, fax machines,

and all forms of Internet/Intranet access, is for company business and is to be used for authorized
purposes only. Brief and occasional personal use of the electronic mail system or the Internet is

acceptable as long as it is not excessive or inappropriate, occurs during personal time (lunch or

other breaks), and does not result in expense to the Company.

Use is defined as "excessive" if it interferes with normal job functions, responsiveness, or the

ability to perform daily job activities. Company automation systems are Company resources and

are provided as business communications tools. Electronic communication "should not be used

to solicit or sell products, distract coworkers, or disrupt the workplace." (See the XYZ Company

Human Resources Handbook "Standards of Conduct").

Use of Company computers, networks, and Internet access is a privilege granted by management

and may be revoked at any time for inappropriate conduct including, but not limited to:

• Sending chain letters;

• Engaging in private or personal business activities;

• Misrepresenting oneself or the Company;

• Engaging in unlawful or malicious activities;

• Using abusive, profane, threatening, racist, sexist, or otherwise objectionable language in

either public or private messages;

• Sending, receiving, or accessing pornographic materials;

• Becoming involved in partisan politics;

• Causing congestion, disruption, disablement, alteration, or impairment of Company

networks or systems;
• Infringing in any way on the copyrights or trademark rights of others;

• Using recreational games; and/or

• Defeating or attempting to defeat security restrictions on company systems and

applications.

Using Company automation systems to create, view, transmit, or receive racist, sexist,

threatening, or otherwise objectionable or illegal material is strictly prohibited. "Material" is

defined as any visual, textual, or auditory entity. Such material violates the Company anti-

harassment policies and is subject to disciplinary action. The Company's electronic mail system

must not be used to violate the laws and regulations of the United States or any other nation or

any state, city, province, or other local jurisdiction in any way. Use of company resources for

illegal activity can lead to disciplinary action, up to and including dismissal and criminal

prosecution.

Unless specifically granted in this policy, any non-business use of the Company's automation

systems is expressly forbidden.

If you violate these policies, you could be subject to disciplinary action up to and including

dismissal.

Ownership and Access of Electronic Mail and Computer Files

The Company owns the rights to all data and files in any computer, network, or other

information system used in the Company. The Company reserves the right to monitor computer

and e-mail usage, both as it occurs and in the form of account histories and their content. The

Company has the right to inspect any and all files stored in any areas of the network or on any
types of computer storage media in order to assure compliance with this policy and state and

federal laws. The Company will comply with reasonable requests from law enforcement and

regulatory agencies for logs, diaries, archives, or files on individual computer and e-mail

activities. The Company also reserves the right to monitor electronic mail messages and their

content. Employees must be aware that the electronic mail messages sent and received using

Company equipment are not private and are subject to viewing, downloading, inspection, release,

and archiving by Company officials at all times. No employee may access another employee's

computer, computer files, or electronic mail messages without prior authorization from either the

employee or an appropriate Company official.

The Company has licensed the use of certain commercial software application programs for

business purposes. Third parties retain the ownership and distribution rights to such software. No

employee may create, use, or distribute copies of such software that are not in compliance with

the license agreements for the software. Violation of this policy can lead to disciplinary action,

up to and including dismissal.

Confidentiality of Electronic Mail

As noted above, electronic mail is subject at all times to monitoring, and the release of specific

information is subject to applicable state and federal laws and Company rules, policies, and

procedures on confidentiality. Existing rules, policies, and procedures governing the sharing of

confidential information also apply to the sharing of information via commercial software. Since

there is the possibility that any message could be shared with or without your permission or

knowledge, the best rule to follow in the use of electronic mail for non-work-related information

is to decide if you would post the information on the office bulletin board with your signature.
It is a violation of Company policy for any employee, including system administrators and

supervisors, to access electronic mail and computer systems files to satisfy curiosity about the

affairs of others. Employees found to have engaged in such activities will be subject to

disciplinary action.

Message Tone for Electronic Mail

Users are expected to communicate with courtesy and restraint with both internal and external

recipients. Electronic mail should reflect the professionalism of the Company and should not

include language that could be construed as profane, discriminatory, obscene, sexually harassing,

threatening, or retaliatory.

It is recommended that using all capital letters, shorthand, idioms, unfamiliar acronyms, and

slang be avoided when using electronic mail. These types of messages are difficult to read.

Electronic Mail Tampering

Electronic mail messages received should not be altered without the sender's permission; nor

should electronic mail be altered and forwarded to another user and/or unauthorized attachments

be placed on another's electronic mail message.

Policy Statement for Internet/Intranet Browser(s)

This policy applies to all uses of the Internet, but does not supersede any state or federal laws or

company policies regarding confidentiality, information dissemination, or standards of conduct.

The use of Company automation systems is for business purposes only. Brief and occasional

personal use is acceptable as long as it is not excessive or inappropriate, occurs during personal

time (lunch or other breaks), and does not result in expense to the Company.
Use is defined as "excessive" if it interferes with normal job functions, responsiveness, or the

ability to perform daily job activities. Examples of inappropriate use are defined in

"Inappropriate Use of the Internet/Intranet". Managers determine the appropriateness of the use

and whether such use is excessive.

The Internet is to be used to further the Company's mission, to provide effective service of the

highest quality to the Company's customers and staff, and to support other direct job-related

purposes. Supervisors should work with employees to determine the appropriateness of using the

Internet for professional activities and career development. The various modes of

Internet/Intranet access are Company resources and are provided as business tools to employees

who may use them for research, professional development, and work-related communications.

Limited personal use of Internet resources is a special exception to the general prohibition

against the personal use of computer equipment and software.

Employees are individually liable for any and all damages incurred as a result of violating

company security policy, copyright, and licensing agreements.

All Company policies and procedures apply to employees' conduct on the Internet, especially,

but not exclusively, relating to: intellectual property, confidentiality, company information

dissemination, standards of conduct, misuse of company resources, anti-harassment, and

information and data security.

Violation of these policies and/or state and federal laws can lead to disciplinary action, up to and

including dismissal and possible criminal prosecution.


Inappropriate Use of the Internet/Intranet

Use of Company computer, network, or Internet resources to access, view, transmit, archive, or

distribute racist, sexist, threatening, or otherwise objectionable or illegal material is strictly

prohibited. "Material" is defined as any visual, textual, or auditory item, file, page, graphic, or

other entity. Such material violates the Company's anti-harassment policies and is subject to

company disciplinary action.

No employee may use the Company's Internet/Intranet facilities to deliberately propagate any

virus, worm, Trojan horse, trap-door program code, or other code or file designed to disrupt,

disable, impair, or otherwise harm either the Company's networks or systems or those of any

other individual or entity.

The Company's Internet/Intranet facilities and computing resources must not be used to violate

the laws and regulations of the United States or any other nation or any state, city, province, or

other local jurisdiction in any way. Use of Company resources for illegal activity can lead to

disciplinary action, up to and including dismissal and criminal prosecution.

Internet/Intranet Security

The Company owns the rights to all data and files in any information system used in the

Company. Internet use is not confidential and no rights to privacy exist. The Company reserves

the right to monitor Internet/Intranet usage, both as it occurs and in the form of account histories

and their content. The Company has the right to inspect any and all files stored in private areas of

the network or on any types of computer storage media in order to assure compliance with this

policy and state and federal laws. The Company will comply with reasonable requests from law
enforcement and regulatory agencies for logs, diaries, archives, or files on individual Internet

activities.

Existing rules, policies, and procedures governing the sharing of work-related or other

confidential information also apply to the sharing of information via the Internet/Intranet. Please

refer to the appropriate program handbook [Name of Handbook], the Confidentiality Guidelines,

and the Company rules regarding the release of confidential information. The Company has

taken the necessary actions to assure the safety and security of our network. Any employee who

attempts to disable, defeat, or circumvent Company security measures is subject to disciplinary

action, up to and including dismissal.

Virtual Private Network (VPN) Policy

1.0 Purpose

The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual

Private Network (VPN) connections to the <Company Name> corporate network.

2.0 Scope

This policy applies to all <Company Name> employees, contractors, consultants, temporaries,

and other workers including all personnel affiliated with third parties utilizing VPNs to access

the <Company Name> network. This policy applies to implementations of VPN that are directed

through an IPSec Concentrator.


3.0 Policy

Approved <Company Name> employees and authorized third parties (customers, vendors, etc.)

may utilize the benefits of VPNs, which are a "user managed" service. This means that the user is

responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing

any required software, and paying associated fees. Further details may be found in the Remote

Access Policy. Additionally,

1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are

not allowed access to <Company Name> internal networks.

2. VPN use is to be controlled using either a one-time password authentication such as a token

device or a public/private key system with a strong passphrase.

3. When actively connected to the corporate network, VPNs will force all traffic to and from the

PC over the VPN tunnel: all other traffic will be dropped.

4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.

5. VPN gateways will be set up and managed by <Company Name> network operational groups.

6. All computers connected to <Company Name> internal networks via VPN or any other

technology must use the most up-to-date anti-virus software that is the corporate standard

(provide URL to this software); this includes personal computers.

7. VPN users will be automatically disconnected from <Company Name>'s network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
8. The VPN concentrator is limited to an absolute connection time of 24 hours.

9. Users of computers that are not <Company Name>-owned equipment must configure the

equipment to comply with <Company Name>'s VPN and Network policies.

10. Only InfoSec-approved VPN clients may be used.

11. By using VPN technology with personal equipment, users must understand that their

machines are a de facto extension of <Company Name>'s network, and as such are subject to the

same rules and regulations that apply to <Company Name>-owned equipment, i.e., their

machines must be configured to comply with InfoSec's Security Policies.
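Items 7 and 8 are the two rules in this policy that a concentrator can enforce mechanically. As an added example (not part of the policy text), the following applies both over a session log. The log format is constructed for the demo, one line per event with a timestamp, user, event type and protocol; a real concentrator's logs differ and need their own parser. The one judgement call is what counts as activity: ICMP echo (ping) traffic is excluded from the idle timer, since item 7 forbids using pings to hold a session open.

```python
"""Apply the 30-minute idle and 24-hour absolute limits to VPN session logs.

Added example (not from the policy). The log lines are constructed; a real
concentrator log needs its own parse_line().
"""
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=30)      # policy item 7
ABSOLUTE_LIMIT = timedelta(hours=24)    # policy item 8
ARTIFICIAL = {"icmp-echo"}              # traffic that does not reset the idle timer

# Constructed sample: jdoe sends only pings after 08:05, asmith is working,
# rlee has been connected since the previous morning.
SAMPLE_LOG = """\
2009-03-10T08:00:00 user=jdoe event=connect
2009-03-10T08:05:00 user=jdoe event=traffic proto=tcp
2009-03-10T08:20:00 user=jdoe event=traffic proto=icmp-echo
2009-03-10T08:40:00 user=jdoe event=traffic proto=icmp-echo
2009-03-10T08:00:00 user=asmith event=connect
2009-03-10T08:50:00 user=asmith event=traffic proto=tcp
2009-03-09T07:30:00 user=rlee event=connect
2009-03-10T08:55:00 user=rlee event=traffic proto=tcp
"""


def parse_line(line):
    """'<iso timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def sessions_from_log(text):
    """Per user: connect time and timestamp of the last non-artificial traffic."""
    sessions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user = rec["user"]
        if rec["event"] == "connect":
            sessions[user] = {"connected": rec["ts"], "last_activity": rec["ts"]}
        elif rec["event"] == "traffic" and user in sessions:
            if rec.get("proto") in ARTIFICIAL:
                continue                      # pings do not count as activity
            if rec["ts"] > sessions[user]["last_activity"]:
                sessions[user]["last_activity"] = rec["ts"]
    return sessions


def decide(session, now):
    """The absolute limit is checked first; an active user still gets cut at 24h."""
    if now - session["connected"] >= ABSOLUTE_LIMIT:
        return "disconnect: 24-hour limit"
    if now - session["last_activity"] >= IDLE_LIMIT:
        return "disconnect: idle 30 minutes"
    return "keep"


def decisions(text, now_iso):
    """Decision for every session in the log at the given ISO-8601 time."""
    now = datetime.fromisoformat(now_iso)
    return {user: decide(s, now) for user, s in sessions_from_log(text).items()}


if __name__ == "__main__":
    for user, verdict in decisions(SAMPLE_LOG, "2009-03-10T09:00:00").items():
        print(f"{user}: {verdict}")
```

Run at 09:00 on the sample, jdoe is dropped as idle even though packets arrived at 08:20 and 08:40, because those were pings; asmith is kept; rlee is cut by the absolute limit despite being active, which is the intended reading of item 8.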

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and

including termination of employment.

Resources:

http://www.eeye.com/html/products/remappliance/

http://www.eeye.com/html/assets/pdf/ApplianceMatrix.pdf

http://articles.techrepublic.com.com/5100-10878_11-5876956.html

http://articles.techrepublic.com.com/5100-10878_11-1047941.html

http://techrepublic.com.com/5100-6350_11-5807148.html
