Rules & Regulations
Shared Hosting Service
Irides Security PolicyThe following is a list of standard Irides security policies and procedures.
System Access Control
Minimum Password LengthThe length of passwords must always be checked automatically at the time that users construct or select them. All passwords must have at least eight (8) characters.
Passwords Require Change PeriodicallyUser-chosen passwords will require changing at least every 90 days. Several warnings will be presented to the user to make the required change at least 1 week before the 90 days are up. If the user fails to make the required change within the 90 days, the user account will be de-activated.
Difficult-To-Guess Passwords RequiredAll user-chosen passwords for computers and networks must be difficult to guess. Words in a dictionary, derivatives of user-IDs, and common character sequences such as "123456" should not be employed. Likewise, personal details such as spouse's name, automobile license plate, social security number, and birthday must not be used unless accompanied by additional unrelated characters. User-chosen passwords must also not be any part of speech. For example, proper names, geographical locations, common acronyms, and slang must not be employed.
Cyclical Passwords ProhibitedUsers are prohibited from constructing fixed passwords by combining a set of characters that do not change, with a set of characters that predictably change. In these prohibited passwords, characters which change are typically based on the month, a department, a project, or some other easily-guessed factor. For example, users must not employ passwords like "X34JAN" in January, "X34FEB" in February, etc.
User-Chosen Passwords Must Not Be ReusedUsers must not construct passwords that are identical or substantially similar to passwords that they had previously employed.
Passwords Never In Readable Form When Outside WorkstationsFixed passwords must never be in readable form outside a personal computer or workstation (e.g. sticky notes).
Password Guessing Lockout Requires Help Desk Password ResetEach user of the Irides computer systems that employ fixed passwords at log-on time will be given a limited number of attempts to enter a correct password. If a user has incorrectly entered a password three consecutive times, the linked user-ID will be deactivated until Irides staff authenticates the user's identity and then resets the password.
Prevention Of Password RetrievalComputer and communication systems must be designed, tested, and controlled so as to prevent both the retrieval of, and unauthorized use of stored passwords, whether the passwords appear in encrypted or unencrypted form.
Password Sharing ProhibitionRegardless of the circumstances, passwords must never be shared or revealed to anyone else besides the authorized user. To do so exposes the authorized user to responsibility for actions that the other party takes with the password. If a password is provided to a Irides IT support representative in order to help diagnose a specific user issue, that user should change their password immediately after the issue is resolved.
Users Responsible For All Activities Involving Personal User-IDsUsers are responsible for all activity performed with their personal user-IDs. User-IDs may not be utilized by anyone but the individuals to whom they have been issued. Users must not allow others to perform any activity with their user-IDs. Similarly, users are forbidden from performing any activity with IDs belonging to other users (excepting anonymous user-IDs like "guest").
Removal of User-ID for Termination or Job ChangeClients should notify Irides immediately upon termination or a job change of one of its users such that they will no longer require system's access. Upon receipt of notification, Irides will immediately deactivate and remove the User ID from the system.
Irides Password ManagementAll Irides controlled passwords (e.g. server root passwords, network device passwords, client access passwords) will be stored encrypted and not be produced in printed format. Passwords will never be shared between Irides employees and/or clients in clear text format. PGP is the general standard Irides uses to encrypt data and pass data securely between both employees and clients.
Desktop Lockout SettingsAll clients requiring desktop support services from Irides are requested to implement a desktop timeout feature (screen saver) with password control set to a minimum or 30 minutes. This policy is provided to reduce the possibility of authorized attempts made to the client's specific desktop and connected networked infrastructure.
Third Party Access To Irides SystemsBefore any third party is given access to Irides computer systems, written agreement to abide by Irides Rules and Regulations must have been signed by a responsible manager at the third party organization.
Support For Special Privileged Type Of UsersAll multi-user computer and network systems must support a special type of user-ID which has broadly-defined system privileges. This user-ID will in turn enable authorized individuals to change the security state of systems. The number of privileged user-IDs must be strictly limited to those individuals who absolutely must have such privileges for authorized business purposes.
Restriction Of Special System PrivilegesSpecial system privileges, such as the ability to examine the files of other users, must be restricted to those directly responsible for system management and/or security. File access control permissions for all Irides computer systems must be set to a default which blocks access by unauthorized users. Beyond that which they need to do their jobs, computer operations, hardware and systems support staff must not be given access to--nor permitted to modify--production data, production programs, or the operating system.
Unbecoming Conduct And The Revocation Of Access PrivilegesIrides reserves the right to revoke the privileges of any user at any time. Conduct that interferes with the normal and proper operation of Irides information systems, which adversely affects the ability of others to use these information systems, or which is harmful or offensive to others will not be permitted.
Termination Of User Processes Or Sessions And Removal Of User FilesIrides systems administration staff may alter the priority of, or terminate the execution of, any user process which it believes is consuming excessive system resources, significantly degrading system response time, or if this usage is deemed to be in violation of security policies.
Maintenance Of Master User-ID And Privilege DatabaseSo that their privileges may be expediently revoked on short notice, records reflecting all the computer systems on which users have user-IDs must be kept up-to-date.
Monitoring and Logging
Inclusion Of Security Relevant Events In System LogsComputer systems handling sensitive, valuable, or critical information should securely log all significant security relevant events. Examples of security relevant events include but are not limited to: password guessing attempts, attempts to use privileges that have not been authorized, modifications to production application software, and modifications to system software.
Computer System Logs Must Support AuditsLogs of computer security relevant events must provide sufficient data to support comprehensive audits of the effectiveness of, and compliance with security measures.
Intellectual Property Rights
Information As An Important Irides AssetAccurate, timely, relevant, and properly protected information is absolutely essential to Irides and its clients. To ensure that information is properly handled, all accesses to, uses of, and processing of Irides internal or client information must be consistent with Irides information systems related policies and standards.
Tools Used To Break Systems Security ProhibitedUnless specifically authorized by Irides no person shall use hardware or software tools that could be employed to evaluate or compromise information systems security. Examples of such tools include but are not limited to those that defeat software copy protection, discover secret passwords, identify security vulnerabilities, or decrypt encrypted files.
Valid Client Software LicensesIrides staff are not permitted to install client software without valid software licensing provided by the client.
Data Privacy and Confidentiality
Notification Of Suspected Loss Or Disclosure Of Sensitive InformationIf sensitive information is lost, is disclosed to unauthorized parties, or is suspected of being lost or disclosed to unauthorized parties, its owner and Irides Management should be notified immediately.
Right To Remove (Offensive) Material Without WarningIrides Management retains the right to remove from its information systems any material it views as (offensive) or potentially illegal.
No Responsibility For Monitoring Content Of Information SystemsIrides Management reserves the right to remove any message, file, database, graphic, or other material from its information systems. At the same time, Irides Management has no obligation to monitor the information content resident on or flowing through its information systems.
Establishment Of Access Paths And Systems
Security Requirements For Network-Connected Third Party SystemsAs a condition of gaining access to the Irides computer network, every third party must secure its own connected systems in a manner consistent with Irides requirements. Irides reserves the right to audit the security measures in effect on these connected systems. Irides also reserves the right to immediately terminate network connections with any third party systems not meeting such requirements.
Standards Of Common Carriers Do Not ApplyThe networking services provided by Irides are provided on a contractual carrier basis, not those of a common carrier. As the operator of a private network, Irides has a right to make policies regarding the use of its network systems without being held to the standards of common carriers.
Standard Encryption Algorithm & ImplementationIf encryption is used, government-approved standard algorithms (such as the Data Encryption Standard or DES) and standard implementations (such as cipher-block chaining) must be employed.
Disclosure Of Encryption Keys Requires Special ApprovalEncryption keys are a most sensitive type of information, and access to such keys must be strictly limited to those who have a need-to-know. Unless the approval of Irides is obtained, encryption keys must not be revealed to consultants, contractors, or other third parties.
Time Period For Protection Of Encryption Keys Used For ConfidentialityThe secrecy of any encryption key used for confidentiality purposes (e.g., for data encryption or as a seed to an access control system) must be maintained until all of the protected information is no longer considered confidential. Never Automatically Backup Private Key Used For Digital Certificates.
Users must not allow automatic backup systems to make a copy of the readable version of their private key used for digital signatures and digital certificates. Automatic backups could allow unauthorized transactions to be generated in the involved users' names. These backups are prevented by keeping private keys in smart cards or otherwise in encrypted form.
Prevention Of Unauthorized Disclosure Of Encryption KeysEncryption keys must be prevented from unauthorized disclosure via technical controls such as encryption under a separate key and use of tamper-resistant hardware.
Explicit Assignment Of Encryption Key Management FunctionsWhenever encryption is used to protect sensitive data, the relevant owner(s) of the data must explicitly assign responsibility for encryption key management.
Internet and Remote Dial Up Connections
Digital Certificate For All Irides Internet Web And Commerce SitesA current digital certificate is recommended for both Irides and client Internet servers handling confidential information.
Required Reporting of Information Security IncidentsAll suspected Information Security incidents must be reported immediately to Irides Management.
Centralized Reporting Of Information Security ProblemsInformation Security is the inability of unauthorized third parties to access any documents, data or other information stored or otherwise normally available to authorized parties on Irides network or any Irides infrastructure components. All known vulnerabilities - in addition to all suspected or known violations - must be communicated in an expeditious and confidential manner to Irides Management. Unauthorized disclosures of Irides information must additionally be reported to the involved information owners. Reporting security violations, problems, or vulnerabilities to any party outside Irides (except external auditors) without the prior written approval of the Irides Legal Department is strictly prohibited. No external reporting of any Information Security violation or problem may occur without consent of Irides Management.
Required Investigation Following Computer CrimesWhenever evidence clearly shows that Irides has been victimized by a computer or communications crime, a thorough investigation must be performed. This investigation must provide sufficient information so that Irides Management can take steps to ensure that: (1) such incidents will not be likely to take place again, and (2) effective security measures have been reestablished.
Information Ownership And Management's ResponsibilitiesAll production information possessed by or used by a particular client must have a designated owner. Owners must determine appropriate sensitivity classifications as well as criticality ratings. Owners must also make decisions about who will be permitted to access the information, and the uses to which this information will be put. Owners must additionally take steps to ensure that appropriate controls are utilized in the storage, handling, distribution, and regular usage of information. Designated owner lists are to be provided to Irides Management and reviewed on a no less than annual basis.
Outsourcing and Third Party Contracts
Agreements With Third Parties Which Handle Irides InformationAll agreements dealing with the handling of Irides information by third parties where the third party has direct access to Irides information must include a special clause. This clause must allow Irides to audit the controls used for these information-handling activities, and to specify the ways in which Irides information will be protected.
Termination Of Outsourcing Contracts For Security ViolationsAll information-systems-related outsourcing contracts must be reviewed and approved by Irides Management. It is Irides Management's responsibility to make sure that these contracts sufficiently define information security responsibilities, as well as how to respond to a variety of potential security problems. It is also Irides Management's responsibility to make sure that all such contracts allow Irides Management to terminate the contract for cause if it can be shown that the outsourcing firm does not abide by the information security terms of the contract.