Sunshine Machine Works

Memo
To: From: CC: Date: Re:

Wilma Stone, Margie Nelson, and Gary Thomas Desiree Carter Sunshine Machine Systems Employees 2/17/2014 Security Policy

Security and Proprietary Information Policy Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly; user level passwords should also be changed quarterly. All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off when the host will be unattended. Because information contained on portable computers is especially vulnerable, special care should be exercised.

Postings by employees from a Sunshine Machine Systems e-mail address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of <Company Name Here>, unless posting is in the course of business duties.

All hosts used by the employee that are connected to the Sunshine Machine Systems Internet/Intranet/Extranet, whether owned by the employee or Sunshine Machine Systems shall be continually executing approved virus-scanning software with a current virus database. Unless overridden by departmental or group policy.

Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

E-mail and Communications Activities

The following activities are strictly prohibited, with no exceptions:

Sending unsolicited e-mail messages, including the sending of junk mail or other advertising material to individuals who did not specifically request such material (e-mail spam).

Any form of harassment via e-mail, telephone or paging, whether through language, frequency, or size of messages.

Unauthorized use, or forging, of e-mail header information.

Solicitation of e-mail for any other e-mail address, other than that of the posters account, with the intent to harass or to collect replies.

Creating or forwarding chain letters, Ponzi or other pyramid schemes of any type.

Use of unsolicited e-mail originating from within Sunshine Machine Works networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by Sunshine Machine Works or connected via Sunshine Machine Works network.

Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam)

Page 2

Email Use Policy Prohibited Use

The Sunshine Machine Systems e-mail system shall not to be used for the creation or distribution of any disruptive or offensive messages, including offensive comments or attachments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any e-mails with this content from any Sunshine Machine systems employee should report the matter to their supervisor immediately.

Personal Use

Using a reasonable amount of Sunshine Machine Systems resources for personal e-mails is acceptable, but non-work related e-mail should be saved in a separate folder from work related e-mail. Sending chain letters or joke e-mails from a Sunshine Machine Systems e-mail account is prohibited. Virus or other malware warnings and mass mailings from Sunshine Machine Systems shall be approved by Sunshine Machine Systems VP Operations before sending. These restrictions also apply to the forwarding of mail received by a Sunshine Machine Systems employee.

Monitoring

Sunshine Machine Systems employees shall have no expectation of privacy in anything they store, send or receive on the companys e-mail system. Sunshine Machine Systems may monitor messages without prior notice. Sunshine Machine Systems is not obliged to monitor e-mail messages.

Password Policy Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Sunshine Machine Systemss entire corporate network. As such, all Sunshine Machine Systems employees (including contractors and vendors with access to Sunshine Machine Systems systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis.

All production system-level passwords must be part of the VSI administered global password management database.

Page 3

 All user-level passwords (e.g., e-mail, Web, desktop computer, etc.) must be changed at least every three months. The recommended change interval is every month.

User accounts that have system-level privileges granted through group memberships must have a unique password from all other accounts held by that user.

Passwords must not be inserted into e-mail messages or other forms of electronic communication.

Where SNMP is used, the community strings must be defined as something other than the standard defaults of public, private and system and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).

All user-level and system-level passwords must conform to the guidelines described below.

Password Protection Standards

Do not use the same password for Sunshine Machine Systems accounts as for other non Sunshine Machine Systems> access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, dont use the same password for various Sunshine Machine Systems access needs. For example, select one password for the Engineering systems and a separate password for IT systems. Also, select a separate password to be used for an NT account and a UNIX account.

Do not share Sunshine Machine Systems passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential Sunshine Machine Systems information.

Here is a list of donts:

Dont reveal a password over the phone to ANYONE.

Dont reveal a password in an e-mail message.

Dont reveal a password to the boss.

Page 4

Dont talk about a password in front of others.

Dont hint at the format of a password (e.g., my family name).

Dont reveal a password on questionnaires or security forms.

Dont share a password with family members.

Dont reveal a password to co-workers while on vacation.

If someone demands a password, refer them to this document or have them call someone in the Information Security Department.

Do not use the Remember Password feature of applications (e.g., Eudora, Outlook, Netscape Messenger).

Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.

Change passwords at least once every three months (just as system-level passwords which must be changed quarterly). The recommended change interval is every month.

If you suspect that an account or password has been compromised, report the incident to someone in the Information Security Department immediately and change all the passwords.

Password cracking or guessing may be performed on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user will be required to change it.

Register Access Points and Cards

Page 5

All wireless Access Points / Base Stations connected to the corporate network must be registered and approved. These Access Points / Base Stations are subject to periodic penetration tests and audits. All wireless Network Interface Cards (i.e., PC cards) used in corporate laptop or desktop computers must be registered.

Approved Technology

All wireless LAN access must use corporate-approved vendor products and security configurations.

VPN Encryption and Authentication

All computers with wireless LAN devices must utilize a corporate-approved Virtual Private Network (VPN) configured to drop all unauthenticated and unencrypted traffic. To comply with this policy, wireless implementations must maintain point-to-point hardware encryption of at least 56 bits. All implementations must support a hardware address that can be registered and tracked, i.e., a MAC address. All implementations must support and employ strong user authentication which checks against an external database such as TACACS+, RADIUS or something similar. Setting the SSID

The SSID shall be configured so that it does not contain any identifying information about the organization, such as the company name, division title, employee name, or product identifier.

Page 6