Great American Title Company is hereinafter referred to as "the company."

1.0 Overview

The company wishes to provide a secure network infrastructure in order to protect the integrity of corporate data and mitigate risk of a security incident. While security policies typically avoid providing overly technical guidelines, this policy is necessarily a more technical document than most.

2.0 Purpose

The purpose of this policy is to establish the technical guidelines for IT security, and to communicate the controls necessary for a secure network infrastructure. The network security policy will provide the practical mechanisms to support the company's comprehensive set of security policies. However, this policy purposely avoids being overly specific in order to provide some latitude in implementation and management strategies.

3.0 Scope

This policy covers all IT systems and devices that comprise the corporate network or that are otherwise controlled by the company.

4.0 Policy

4.1 Network Device Passwords

A compromised password on a network device could have devastating, network-wide consequences. Passwords that are used to secure these devices, such as routers, switches, and servers, must be held to higher standards than standard user-level or desktop system passwords. Refer to the Password Policy for details.

4.1.1 Failed Logons

Repeated logon failures can indicate an attempt to 'crack' a password and surreptitiously access a network account. In order to guard against password-guessing and brute-force attempts, FAST will lock a user's account after 3 unsuccessful logins.

In order to protect against account guessing, when logon failures occur the error message transmitted to the user must not indicate specifically whether the account name or password were incorrect. The error can be as simple as "the username and/or password you supplied were incorrect."
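The following is an added illustration of the two controls in section 4.1.1 (lockout after 3 unsuccessful logins and a non-revealing error message); it is example code written for this page, not the company's own system. The `Authenticator` class, the PBKDF2 password storage, the in-memory audit log and the administrative `unlock` procedure are assumptions, since the policy does not specify how accounts are stored or how a lockout is cleared. Beyond what the policy states, the example also returns the same message when the account is locked or does not exist, and performs a dummy hash check for unknown usernames, so that neither the message nor the response time tells a caller which of the three cases occurred.

```python
"""Login handler for section 4.1.1: lock after 3 failures, uniform error text.

Example code for this policy page; the account store and unlock
procedure are assumptions, not the company's implementation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3  # section 4.1.1: lock the account after 3 unsuccessful logins
# The one message every failure path returns (wrong user, wrong password, locked).
GENERIC_ERROR = "The username and/or password you supplied were incorrect."


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


class Authenticator:
    """In-memory account store (assumed) enforcing the 4.1.1 controls."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[str] = []  # constructed stand-in for the real audit trail
        # Dummy credential verified when the username is unknown, so the work done
        # (and therefore the response time) matches a real password check.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = _hash_password(secrets.token_hex(16), self._dummy_salt)

    def add_account(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> tuple[bool, str]:
        """Return (success, message). The message never reveals which check failed."""
        account = self.accounts.get(username)
        if account is None:
            # Unknown user: burn the same hashing cost, log internally, fail generically.
            hmac.compare_digest(_hash_password(password, self._dummy_salt), self._dummy_hash)
            self.audit_log.append(f"login failure: unknown user {username!r}")
            return False, GENERIC_ERROR
        if account.locked:
            # A locked account fails even with the correct password; the caller
            # is not told the account is locked (that would confirm it exists).
            self.audit_log.append(f"login attempt on locked account {username!r}")
            return False, GENERIC_ERROR
        if hmac.compare_digest(_hash_password(password, account.salt), account.pw_hash):
            account.failed_attempts = 0  # a successful login resets the counter
            return True, "Login successful."
        account.failed_attempts += 1
        self.audit_log.append(f"login failure {account.failed_attempts} for {username!r}")
        if account.failed_attempts >= LOCKOUT_THRESHOLD:
            account.locked = True
            self.audit_log.append(f"account {username!r} locked after {LOCKOUT_THRESHOLD} failures")
        return False, GENERIC_ERROR

    def unlock(self, username: str) -> None:
        """Administrative unlock; the reset procedure is assumed, not given by the policy."""
        account = self.accounts[username]
        account.locked = False
        account.failed_attempts = 0


if __name__ == "__main__":
    auth = Authenticator()
    auth.add_account("alice", "correct horse battery staple")  # constructed sample account
    for attempt in ("guess1", "guess2", "guess3", "correct horse battery staple"):
        print(auth.login("alice", attempt))
    print("\n".join(auth.audit_log))
```

Only the internal audit log distinguishes the failure reasons; that is where the IT Staff would look when investigating a suspected password-guessing attempt, while the user-facing message stays identical in every case.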

4.1.2 Change Requirements

Passwords must be changed according to the company's Password Policy.

4.2 Networking Hardware

Networking hardware, such as routers, switches, hubs, bridges, and access points, should be implemented in a consistent manner. If possible for the application, switches are preferred over hubs.

4.3 Network Servers

Servers typically accept connections from a number of sources, both internal and external. As a general rule, the more sources that connect to a system, the more risk that is associated with that system, so it is particularly important to secure network servers.

At this time, the company has no servers.

4.4 Intrusion Detection/Intrusion Prevention

Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) technology can be useful in network monitoring and security. The tools differ in that an IDS alerts to suspicious activity whereas an IPS blocks the activity. When tuned correctly, IDSs are useful but can generate a large amount of data that must be evaluated for the system to be of any use. IPSs automatically take action when they see suspicious events, which can be both good and bad, since legitimate network traffic can be blocked along with malicious traffic.

The company neither requires nor prohibits the use of IDS or IPS systems. The decision to use IDS/IPS systems is left to the discretion of the IT Manager.

4.5 Security Testing

Security testing, also known as a vulnerability assessment, a security audit, or penetration testing, is an important part of maintaining the company's network security. Security testing can be provided by IT Staff members, but is often more effective when performed by a third party with no connection to the company's day-to-day Information Technology activities.

4.6 Disposal of Information Technology Assets

IT assets, such as network servers and routers, often contain sensitive data about the company's network communications. When such assets are decommissioned, the following guidelines must be followed:

Any asset tags or stickers that identify the company must be removed before disposal.

Any configuration information must be removed by deletion or, if applicable, resetting the device to factory defaults.

The company should consider the use of data wiping technology. Simply reformatting a drive or erasing data does not make the data unrecoverable. If the company chooses to use data wiping technology, it should use the most secure commercially available methods for data wiping if possible. Alternatively, destroying the device's data storage mechanism (such as its hard drive or solid state memory) will make the data unrecoverable.

4.7 Network Documentation

Network documentation, specifically as it relates to security, is important for efficient and successful network management. Further, the process of regularly documenting the network ensures that the company's IT Staff has a firm understanding of the network architecture at any given time.

The company encourages network documentation, but does not require it.

4.8 Antivirus/Anti-Malware

Computer viruses and malware are pressing concerns in today's threat landscape. If a machine or network is not properly protected, a virus outbreak can have devastating effects on the machine, the network, and the entire company. The company provides the following guidelines on the use of antivirus/anti-malware software:

All company-provided user workstations must have antivirus/anti-malware software installed.

Workstation software must maintain a current "subscription" to receive patches and virus signature/definition file updates.

Patches, updates, and antivirus signature file updates must be installed in a timely manner, either automatically or manually.

4.9 Software Use Policy

Software applications can create risk in a number of ways, and thus certain aspects of software use must be covered by this policy. The company provides the following requirements for the use of software applications:

Only legally licensed software, authorized by Management, may be used. Licenses for the company's software must be stored in a secure location.

Open source and/or public domain software can only be used with the permission of the IT Manager.

Software should be kept reasonably up-to-date by installing new patches and releases from the manufacturer.

Vulnerability alerts should be monitored for all software products that the company uses. Any patches that fix vulnerabilities or security holes must be installed expediently.

4.10 Maintenance Windows and Scheduled Downtime

Certain tasks require that network devices be taken offline, either for a simple reboot, an upgrade, or other maintenance. When this occurs, the IT Staff should make every effort to perform the tasks at times when they will have the least impact on network users.

4.11 Change Management

Documenting changes to network devices is a good management practice and can help speed resolution in the event of an incident. The IT Staff should make a reasonable effort to document hardware and/or configuration changes to network devices.

4.12 Suspected Security Incidents

When a security incident is suspected that may impact a network device, the IT Staff should refer to the company's Incident Response Policy for guidance.

4.13 Redundancy

Redundancy can be implemented on many levels, from redundancy of individual components to full site-redundancy. As a general rule, the more redundancy implemented, the higher the availability of the device or network, and the higher the associated cost. The company wishes to provide the IT Manager with latitude to determine the appropriate level of redundancy for critical systems and network devices. Redundancy should be implemented where it is needed.

4.14 Manufacturer Support Contracts

Outdated products can result in a serious security breach. When purchasing critical hardware or software, the company should consider purchasing a maintenance plan, support agreement, or software subscription that will allow the company to receive updates to the software and/or firmware for a specified period of time.

4.15 Security Policy Compliance

It is the company's intention to comply with this policy not just on paper but in its everyday processes as well. With that goal in mind the company requires the following:

4.15.1 Information Security Officer

An employee must be designated as a manager for the company's security program. He or she will be responsible for the company's compliance with this security policy and any applicable security regulations. This employee must be responsible for A) the initial implementation of the security policies, B) ensuring that the policies are disseminated to employees, C) training and retraining of employees on the company's information security program (as detailed below), D) any ongoing testing or analysis of the company's security in compliance with this policy, E) updating the policy as needed to adhere to applicable regulations and the changing information security landscape.

4.15.2 Security Training

A training program must be implemented that will detail the company's information security program to all users and/or employees covered by the policy, as well as the importance of data security. Employees must sign off on the receipt of, and in agreement to, the user-oriented policies. Re-training should be performed annually.

4.15.3 Security Policy Review

The company's security policies should be reviewed annually. Additionally, the policies should be reviewed when there is an information security incident or a material change to the company's security policies. As part of this evaluation the company should review:

Any applicable regulations for changes that would affect the company's compliance or the effectiveness of any deployed security controls.

If the company's deployed security controls are still capable of performing their intended functions.

If technology or other changes may have an effect on the company's security strategy.

If any changes need to be made to accommodate future IT security needs.

4.16 Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

5.0 Enforcement

This policy will be enforced by the Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

6.0 Definitions

ACL A list that defines the permissions for use of, and restricts access to, network resources. This is typically done by port and IP address.

Antivirus Software An application used to protect a computer from viruses, typically through real time defenses and periodic scanning. Antivirus software has evolved to cover other threats, including Trojans, spyware, and other malware.

Firewall A security system that secures the network by enforcing boundaries between secure and insecure areas. Firewalls are often implemented at the network perimeter as well as in high-security or high-risk areas.

Hub A network device that is used to connect multiple devices together on a network.

IDS Stands for Intrusion Detection System. A network monitoring system that detects and alerts to suspicious activities.

IPS Stands for Intrusion Prevention System. A network monitoring system that detects and automatically blocks suspicious activities.

NTP Stands for Network Time Protocol. A protocol used to synchronize the clocks on networked devices.

Password A sequence of characters that is used to authenticate a user to a file, computer, network, or other device. Also known as a passphrase or passcode.

RAID Stands for Redundant Array of Inexpensive Disks. A storage system that spreads data across multiple hard drives, reducing or eliminating the impact of the failure of any one drive.

Switch A network device that is used to connect devices together on a network. Differs from a hub by segmenting computers and sending data to only the device for which that data was intended.

VLAN Stands for Virtual LAN (Local Area Network). A logical grouping of devices within a network that act as if they are on the same physical LAN segment.

Virus Also called a "Computer Virus." A replicating application that attaches itself to other data, infecting files similar to how a virus infects cells. Viruses can be spread through email or via network-connected computers and file systems.

7.0 Revision History

Revision 1.0, 10/13/2012

Revision 2.0, 09/01/2014