Table of Contents. Blog and Personal Web Site Policy

Transcription

1

2 Table of Contents Blog and Personal Web Sites Policy... 2 Policy... 2 Rights to content... 3 Option for More Restrictive License Terms... 3 Attribution... 4 Guidelines... 4 Personal Website and Blog Guidelines Non ENTERPRISE domains... 6 Security Standards... 7 Best Practice Blog Guideline for Publishers... 8 Blog Best Practices to Improve the Value of Your Blog... 9 Issues to Manage with SLAs for Blog and Web Site Security Proposed Service Level Agreement Metrics Blog Policy Compliance Agreement What s New Copyright Janco Associates, Inc. ALL RIGHTS RESERVED - 1 -

3 Blog and Personal Web Sites Policy Policy ENTERPRISE regards blogs as primarily a form of communication and relationship among individuals. When the company wishes to communicate publicly as a company whether to the marketplace or to the public it has well-established means to do so. Only those officially designated by ENTERPRISE have the authorization to speak on behalf of the company. This policy applies to all employees and contractor who identify themselves or represent themselves as being associated with ENTERPRISE in Multi-media and social networking websites such as WordPress, Twitter, Facebook, Yahoo! Groups and YouTube Blogs (Both ENTERPRISE Blogs and Blogs external to ENTERPRISE) Wikis such as Wikipedia and any other site where text can be posted All these activities are referred to as postings in this Policy Please be aware that violation of this policy may result in disciplinary action up to and including termination. ENTERPRISE believes that everyone can both derive and provide important benefits from exchanges of perspective. ENTERPRISE personnel are personally responsible for their posts. Activities in or outside of work that affect your ENTERPRISE job performance, the performance of others, or ENTERPRISE s business interests are a proper focus for company policy. ENTERPRISE supports dialogue among ENTERPRISE employees, contractors, partners, clients, members of the many communities in which we participate and the general public. Such dialogue is inherent in our business model of innovation, and in our commitment to the development of open standards. A blog is a tool an individual can use to share their insights, express their opinions and communicate within the context of a globally distributed conversation. As with all tools, it has proper and improper uses. While ENTERPRISE encourages all of its employees to join a global conversation, it is important for those who choose to do so to understand what is recommended, expected and required when they discuss ENTERPRISE-related topics, whether at work or on their own time. ENTERPRISE trusts and expects ENTERPRISE employees to exercise personal responsibility whenever they blog. This includes not violating the trust of those with whom they are engaging. Bloggers should not use this medium for covert marketing or public relations. If and when members of ENTERPRISE's Communications, Marketing, Sales or other functions engaged in advocacy for the company have the authorization to participate in blogs, they should identify themselves as such. The Chief Information Officer or his delegate must approve all blogs and personal websites that contain references to ENTERPRISE by ENTERPRISE employees, contractors, suppliers, and or agents. This includes, but is not limited to, blogs and websites that reside on ENTERPRISE s domains or domains that are outside of the control of ENTERPRISE Copyright Janco Associates, Inc. ALL RIGHTS RESERVED - 2 -

4 Security Standards Enterprise-wide security weakness need include everything from encryption to shared logins. Blog maintenance process that should be followed include: Protect sensitive data. Protect encryption keys, user ids, and passwords Protect secure systems and applications Manage user ids to meet security requirements Restrict physical access to secure data paper and electronic files Regularly monitor and test networks Monitor all access to network resources and sensitive data Test security systems and processes Maintain an information security policy 2019 Copyright Janco Associates, Inc. ALL RIGHTS RESERVED - 7 -

5 Issues to Manage with SLAs for Blog and Web Site Security Problems with Blogs and Web Sites security that need to be addressed on an on-going basis are: Single level verification for access to sensitive data - Password authentication is more easily cracked than cryptographic key-based authentication. The purpose of a password is to make it easier to remember the login credentials needed to access a secure resource, however biometric or key-based authentication is a stronger authentication method which makes credential more difficult to crack. Public workstations or access point is connected to a secure network - If workstation that anyone can use or re-boot is connected to a secure resource you can t guarantee it is secure. Keyloggers, compromised network encryption clients, and other tricks of the malicious security cracker s trade can all allow someone unauthorized access to sensitive data regardless of all the secured networks, encrypted communications, and other networking protections you employ. Sharing login credentials - The more login credentials are shared, the more they likely they are commonly known by too many others, even with people who should not have access to the system. The more they are shared, the more difficult it is to establish an audit trail to help track down the source of a problem. The more they are shared, the greater the number of people affected when logins need to be changed due to a security breach or threat. Data validation for forms is contained in client-side JavaScript - A malicious security cracker can develop a form that accesses the resource at the other end of the Web page s form action that does not include any validation at all. In addition, JavaScript form validation can be circumvented simply by deactivating JavaScript in the browser or using a Web browser that does not support JavaScript at all. Serverside validation does not fall prey to the shortcomings of client-side validation because a malicious security cracker must already have gained access to the server to be able to compromise it. Connect to the network from a unsecured access point - When traveling users need to avoid connecting from open wi-fi networks, networks with unknown or uncertain security characteristics or from those with known poor security such wireless access points in coffee shops. This is especially important whenever you must log in to the server or Web site for administrative purposes or otherwise access secure resources. If you must access the Website or Web server when connected to an unsecured network, use a secure proxy so that your connection to the secure resource comes from a proxy on a secured network. The corporate website is encrypted but the login process is not - Encrypting a session after login may be useful but failing to encrypt logins is a bit like leaving the key in the lock when you are done locking the barn door. Even if a login form POSTs to an encrypted resource, in many cases this can be circumvented by a malicious security cracker who develops their own login form to access the same resource and allow them access to sensitive data. Weak encryption for back-end management - Using Windows Remote Desktop without and encrypted user-id and password in a non-vpn environment are opening your site to the world. Using proprietary platform-specific technologies often leads to resistance to use of secure encryption for Web site access. Crossplatform-compatible strong encryption such as SSH is usually preferable to platform-specific, weaker encryption tools such as Windows Remote Desktop Copyright Janco Associates, Inc. ALL RIGHTS RESERVED

6 Blog Policy Compliance Agreement Employee Name ID Number Job Title Location I hereby certify that I have reviewed ENTERPRISE s Blog Policy and understand the policy, its standards, and procedures contained therein. I understated that if I violate this policy, its standards or procedures, I am subject to immediate termination without recourse. I understand that my employment with ENTERPRISE requires me to disclose any outside blogging efforts and any potential conflicts of interest that may arise from those efforts. I certify that all blogs to which I contribute or have contributed in the past are listed below. I agree to notify the company in writing before starting any new blog or joining any blog as an author. I understand the company policy on blogging and agree to post any necessary disclosures on sites where I participate as an author. By signing this form, I affirm my willingness to abide by ENTERPRISE s blog policies, procedures, and guidelines. Signature: Date: List Blogs and Social Networks that I am or have been a contributor Blog Name Blog Address User ID used 2019 Copyright Janco Associates, Inc. ALL RIGHTS RESERVED

7 What s New Version 3.0 Updated electronic form Updated statistics referred to in the policy Validated compliance to all mandated requirements Version 2.7 Updated electronic form Added graphic on Enterprise Wide Security Weakness Version 2.6 Updated to meet the latest compliance requirements Added best practices blog guideline for Publishers Version 2.5 Added section on issues to manage with SLAs for blogs and personal websites Added proposed metrics for blogs and personal websites SLAs Version 2.4 Added section on Blog Best Practices to Improve the Value of Your Blog Updated Electronic Blog Compliance Agreement Form Version 2.3 Updated Blog Compliance Agreement Form Provided Blog Compliance Agreement Form as an electronic document Version 2.2 Updated to CSS style sheet Updated to meet compliance guidelines Version 2.1 Update policy to reflect recent court ruling on anonymous blog posting. Version 2.0 Updated to meet Sarbanes-Oxley requirements Update Blog and Personal Web Site Compliance Agreement Added section on Rights to Content 2019 Copyright Janco Associates, Inc. ALL RIGHTS RESERVED