May 28th, 2003, 03:18 PM
Network Scanning Policy - Template
While digging for some unrelated info, I came across this network scanning policy that I thought others could use as a template for their own. Anyway, hope this is helpful.
Title of Policy: Network Scanning of Computing Systems
Purpose of Policy: To prohibit the use of the University's computers, electronic communications, or other information technology resources to perform network-based scans on any computing system without the written permission of the system owner or system administrator.
Person(s) with Primary Responsibilities: Primary responsibility belongs to the Chief Information Officer. The Director of IT Security will coordinate technical investigations of network scanning incidents.
General Statement: It is the policy of YOUR NAME HERE that no computer system procured or managed by the ENTITY or connected to the ENTITY's network shall be used to perform network scans on any computer system, except under the following conditions:
A system may be scanned by the owner or the system administrator of that system.
A person may scan a system on behalf of another only after receiving written permission signed and dated by the owner or system administrator of that system. This document shall include a specific time period during which the scan(s) may be performed. Any additional scanning shall require separate written approval.
The ENTITY network and system staff may perform network scans in an effort to resolve a service problem, as a part of normal system operations and maintenance, or to enhance the security of the systems that they manage.
The ENTITY IT security staff and internal auditing staff may perform network scans to monitor compliance with ENTITY policy, to perform security assessments, or to investigate security incidents.
Network Port: A numeric identifier used to distinguish between different network services (e.g., HTTP, Telnet, FTP) on the same computing system. Although port numbers range from 0 to 65536, many well known services have reserved port numbers between 0 and 1024 (e.g., HTTP uses port 80, Telnet uses port 23, and FTP uses ports 20 and 21). To establish a session with a host, a network request must be sent to the appropriate port number on the host. That is, to establish an HTTP session with a web server, your workstation software will send a request to port 80 of the web server.
Network Port Scanning: The process of sending data packets over the network to selected service port numbers (HTTP-80, Telnet-23, etc.) of a computing system with the purpose of identifying available network services on that system. This process is helpful for troubleshooting system problems or tightening system security. Network port scanning is an information gathering process, and when performed by unknown individuals it is considered a prelude to attack.
Vulnerability Scanning: The process of identifying known vulnerabilities of computing systems on the network. This process goes a step beyond identifying the available network services of a system as performed by a network port scan. The vulnerability scan will identify specific weaknesses in the operating system or application software, which can be used to compromise or crash the system. Vulnerability scanning is intrusive and should be performed with care, as some scans can cause systems to crash or to behave erratically. The vulnerability scan is also an information gathering process, and when performed by unknown individuals it is considered a prelude to attack.
Network Scanning: The use of a computer network for gathering information on computing systems, which may be used for system maintenance, security assessment and investigation, and for attack. This includes network port scanning and vulnerability scanning.
Threats to ENTITY's Information and Information Resources
Network scanning, if used properly, is a formidable tool for protecting our information and information resources. On the other hand, unauthorized network scans pose a serious threat to the availability, integrity, and confidentiality of our electronic information and our information resources.
Unauthorized network scans can result in:
Disclosure of Sensitive Data: Network scans yield a tremendous amount of information about our networked computing systems. This information is crucial to attackers in their efforts to compromise computer systems. If a critical system is compromised, an attacker may have unlimited access to confidential data.
Loss of Service: Network attacks vary greatly in nature. The goal of the attack may be to gain control of a computing system or to simply make the system unavailable to others. Even the process of vulnerability scanning can cause a system to crash or behave erratically.
Loss of Network and System Performance: Network scanning can involve hundreds or even thousands of computing systems. The sheer volume of network traffic requests can place an incredible strain on the resources of our computing systems and the ENTITY network, resulting in less than optimal performance for University users.
Loss of Reputation: As a member of the global Internet village, our actions directly affect the safety of information and information resources around the world. By allowing the University's computing resources to be used to compromise systems belonging to our global neighbors, our reputation as a responsible member of the Internet will be tarnished.
Violations of this policy will be addressed as violations of the "ENTITY Computer Use Policy" and the "ENTITY Employee Computer Use Policy."