
Observations/ suggestions for IS policy for Jubilant

Note: The suggestions highlighted have been incorporated in the JOGPL IS policy


System Development and Maintenance [5.4.6]
1. The scope of development/ changes in existing applications should be specified in respect of
proprietary applications (like BaaN), as there are copyright/ intellectual property rights issues attached to
any change in the source code. The organisation can make only those changes which are
authorised as per the terms of the licence. There is a need to incorporate these precautionary measures
while undertaking any change/ development activity.
2. The organisation structure for development/ changes must be set out in the policy. There is a
need to specify the segregation of duties between personnel responsible for
• System analysis and design
• Developing/ coding
• Testing
3. The policy should specify the segregation of development, test and production environments
(physically and logically), considering the following:
• Financial impact;
• Downtime tolerance;
• Cost involved in setting up a separate development facility; and
• Risk exposure in the absence of a separate development facility

Further, a formal change management process is required to be followed for implementing any
changes to the development, test and operational facilities. Access to the development/ test and
production environments of systems should be provided based on the segregation of duties principle.
4. The policy should specify the implementation guidelines to be followed once a prototype is approved
by the user.
5. Once the system is released to production, it should be handed over to the maintenance
team and documentation should be maintained for it.

Physical and Logical Access Control [5.4.1, 5.4.4]

1. There is no policy/ process for periodic reconciliation of user IDs with the records available with
the HR department. Also, there is no policy for periodic assessment of the privileged access granted to a
particular employee (this should be done at least on a quarterly basis). Further, there should be a process/
policy on user ID deletion.
2. The policy does not prescribe the automatic disabling of a user's access to the network if the ID
remains inactive (not used) for a specific period (say one month).
3. The password policy does not enforce any “Password History” rule (i.e. non-repetition of, say, the last 6
passwords).

4. The following should be inserted in the policy: “When creating Domain user IDs, the option ‘User must
change password at first logon’ should be enabled, thereby ensuring that the user changes the
administrator-assigned password.”
5. As far as password length is concerned, the policy is recommendatory in nature (it suggests
keeping passwords of at least 8 characters). This should be made mandatory, and computer
security features are to be configured to enforce a minimum password length of eight (8)
characters. The length of a password must always be checked automatically at the time the user
constructs it.
6. The policy does not prescribe the maximum number of unsuccessful logon attempts. The number of
consecutive attempts to enter an incorrect password should be limited to a specified number (say
3). After three unsuccessful attempts to enter the password, the system should suspend the involved
user ID until it is reset by the administrator.
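The periodic review asked for in points 1 and 2 above (reconciliation of user IDs against HR records, disabling of IDs inactive for more than a month, and quarterly reassessment of privileged access) can be run as a script. The example below is added here and is not part of the audit document or of the JOGPL policy; the HR list, the account records and their field layout are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample data (not from the audit document). In practice these
# would be exported from the directory (domain controller) and from HR.
HR_ACTIVE_EMPLOYEES = {"asharma", "rkumar", "pmehta"}

ACCOUNTS = [
    # (user_id, last_logon, privileged, last_privilege_review)
    ("asharma", date(2024, 3, 1), False, None),
    ("rkumar", date(2024, 1, 10), True, date(2023, 11, 15)),
    ("pmehta", date(2024, 3, 4), True, date(2024, 2, 20)),
    ("jdoe", date(2024, 2, 28), False, None),   # left the company: no HR record
]

REVIEW_DATE = date(2024, 3, 5)                  # day the review is run (constructed)
INACTIVITY_LIMIT = timedelta(days=30)           # "say one month" in point 2
PRIVILEGE_REVIEW_INTERVAL = timedelta(days=90)  # quarterly review in point 1


def review_accounts(accounts, hr_active, today):
    """Return {user_id: [issues]} for every account that needs action."""
    findings = {}
    for user_id, last_logon, privileged, last_review in accounts:
        issues = []
        if user_id not in hr_active:
            # Point 1: no matching HR record, so the ID is a deletion candidate
            issues.append("not in HR records")
        if today - last_logon > INACTIVITY_LIMIT:
            # Point 2: IDs unused for the inactivity period are disabled
            issues.append("inactive > 30 days: disable")
        if privileged and (last_review is None
                           or today - last_review > PRIVILEGE_REVIEW_INTERVAL):
            # Point 1: privileged access must be reassessed at least quarterly
            issues.append("privileged access review overdue")
        if issues:
            findings[user_id] = issues
    return findings


SAMPLE_FINDINGS = review_accounts(ACCOUNTS, HR_ACTIVE_EMPLOYEES, REVIEW_DATE)

if __name__ == "__main__":
    for uid, issues in SAMPLE_FINDINGS.items():
        print(f"{uid}: {'; '.join(issues)}")
```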

General layer – Acceptable Use Policy [5.4.3]


1. As per the present policy, a disclaimer clause is to be included only in mails addressed to
newsgroups. This requirement should be made mandatory for all e-mail messages sent to systems
outside Jubilant's network. All e-mails should include a suitable disclaimer statement that protects
Jubilant's copyright and business interests and ensures suitable authorization/ representation of
Jubilant communication and commitment levels to external organizations, personnel and the
public. (point no 6 under para 4.2)

Clock Synchronization
The IS policy should include a policy on ‘Network Time Protocol’ requiring that all systems
connected to Jubilant's network be time-synchronized, so that the audit logs carry
accurate timestamps.

Incident Response Policy [6]


1. The policy needs to include the response procedure in cases of ‘Data Theft and Unauthorised
Data Sharing’ (other than in the case of an attack on/ intrusion into Jubilant's network).
2. The procedure should provide for local investigation with the help of HR/ Administration and
reporting to legal/ law enforcement authorities (if required). Efforts should be made to recover the
stolen data.

A Few More Observations
1. Suggestion: All critical backups of servers should be retained for a maximum of 60 days and
backups of clients can be maintained for 30 days. All financial/ production systems' backups should
be retained for 60 days. [Point 3.3, page 13]
2. Daily/ weekly/ monthly backups should be categorized as per the needs.
3. The following should be explicitly mentioned in the IS policy:
• Servers/ clients should be configured with static IP addresses so that, in case of any malicious
activity, tracking of the system is easier.
• Extra services on servers/ clients should be disabled; if a service is necessary, then
appropriate controls should be in place to monitor it.
• The Administrator account should be renamed, and all users will have unique user IDs. The nomenclature
used for user IDs will be such that it gives no indication of the user's privilege level.
Default system IDs giving an indication of the privileges will be renamed appropriately. Access
to all the systems on the company's network will require authentication. Privileged access to
the ‘Critical’ systems will be provided using strong authentication.
• All local PC administrator passwords should be changed and recorded in a register, and the
same should be changed every 60 days.
• No public IP should be assigned to any production server.
• All computers should be on the network and work under the domain policy (i.e. an appropriate
hygiene check should be carried out before allowing external computers to work on the
company's network).
4. Further, the following need to be provided in the IS policy:
• Sharing of folders shall be allowed only through an authorized person, in accordance with
business needs.
• The antivirus policy should restrict the user from disabling/ enabling the antivirus or making any
changes to the client antivirus policy. This can be done by password-protecting the policy.
• Antivirus rules should be set such that all removable disks/ devices are scanned
immediately upon activation of the device (as users can use USB drives).
5. There is one contradictory point in the IS policy (point no 3, page 26). It states that:
• No local user accounts are configured on the router. Routers must use TACACS+ for all user
authentications. However, in the second line it states that “The enable password on the router
must be kept in a secure encrypted form”. This needs to be changed.
6. Further, there is no policy on the documentation and approval of network documentation. All
network diagrams should be approved by the IT head and then implemented, because this is the
most critical phase in network design and implementation.
7. Network Connection Policy (Page 45, Print Services in case of Access to Source
Code Repository): It is suggested that “Source code printed for review by the developer should
be kept in a secured place. Printer access should be restricted to the developer, or the printer should not be
available to the general public, or the same area should be restricted solely to the developer, as the
source code is critical information for the organization.”

8. Points for Password/ Access rights:
• The terminal logon procedure must disclose a minimum amount of information about the system.
• A logon banner must appear on all information systems prior to logging on to the system, stating
that the information system should only be accessed by authorized users and that unauthorized
access is prohibited, monitored and liable to punitive action.
• The logon procedure must not identify the system or application until the logon process has
been successfully completed.
• The system must validate the logon information only on completion of all input data. After a
rejected logon attempt, the logon procedure must terminate. The procedure must not
explain which piece of information (the User-ID or password) was the reason for the logon
termination.
• Unsuccessful logon attempts shall be logged, monitored, and investigated.
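The last point above (logging and monitoring of unsuccessful logons) and point 6 of the Access Control section (suspension after 3 consecutive incorrect passwords) can be checked together over the authentication log. The example below is added here and is not part of the audit document or of the JOGPL policy; the log lines and their format are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the audit document); the
# line layout "timestamp user=... result=OK|FAIL src=..." is an assumption.
SAMPLE_LOG = """\
2024-03-05T09:01:12 user=rkumar result=FAIL src=10.0.0.5
2024-03-05T09:01:30 user=rkumar result=FAIL src=10.0.0.5
2024-03-05T09:01:41 user=asharma result=FAIL src=10.0.0.7
2024-03-05T09:02:02 user=asharma result=OK src=10.0.0.7
2024-03-05T09:02:15 user=rkumar result=FAIL src=10.0.0.5
2024-03-05T09:02:40 user=rkumar result=FAIL src=10.0.0.5
2024-03-05T09:03:05 user=pmehta result=OK src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)
MAX_CONSECUTIVE_FAILURES = 3   # "say 3" in point 6 of Access Control


def find_accounts_to_suspend(log_text, limit=MAX_CONSECUTIVE_FAILURES):
    """Return {user: (timestamp, attempts)} for IDs whose run of consecutive
    failed logons reached the limit; a successful logon resets the run."""
    streak = defaultdict(int)
    suspend = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # not a logon record; skip
        user, result, ts = m["user"], m["result"], m["ts"]
        if result == "OK":
            streak[user] = 0
            continue
        streak[user] += 1
        if streak[user] >= limit and user not in suspend:
            # The ID stays suspended until reset by the administrator; the
            # timestamp shows the investigator when the threshold was reached.
            suspend[user] = (ts, streak[user])
    return suspend


if __name__ == "__main__":
    for user, (ts, n) in find_accounts_to_suspend(SAMPLE_LOG).items():
        print(f"suspend {user}: {n} consecutive failures, last at {ts}")
```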
