Course Project Milestone 1

Contents Acceptable Use Policy 1. Overview .................................................................................................................................. 5 2. Purpose ..................................................................................................................................... 5 3. Scope ........................................................................................................................................ 5 4. Policy ........................................................................................................................................ 6 4.1 General Use and Ownership ............................................................................................. 6 4.1.1 Coastal Veterinary Clinic proprietary information stored on electronic and computing devices, whether owned or leased by Coastal Veterinary Clinic, the employee, or a third party, remains the sole property of Coastal Veterinary Clinic. You must ensure that the Data Protection Standard protects proprietary information through legal or technical means . ........... 6 4.1.2 You are responsible for promptly reporting the theft, loss, or unauthorized disclosure of Coastal Veterinary Clinic proprietary information .................................................................. 6 4.1.3 You may access, use, or share Coastal Veterinary Clinic proprietary information only to the extent authorized and necessary to fulfill your assigned job duties .................................. 6 4.1.4 Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager ........................................... 6 4.1.5 For security and network maintenance purposes, authorized individuals within Infosec may monitor equipment, systems, and network traffic at any time, per Infosec's Audit Policy . 6 4.1.6 Infosec reserves the right to audit networks and systems periodically to ensure compliance with this policy ......................................................................................................... 6 5. Policy Compliance ................................................................................................................. 10 5.2 Exceptions ........................................................................................................................... 10 5.3 Non-Compliance ................................................................................................................. 10 Coastal Veterinary Clinic 2023 – All Rights Reserved Page 1 Coastal Veterinary Clinic

Disaster Recovery Plan Policy 1. Overview ................................................................................................................................ 11 2. Purpose ................................................................................................................................... 11 3. Scope ...................................................................................................................................... 11 4. Policy ...................................................................................................................................... 11 5. Policy Compliance ................................................................................................................. 12 5.2 Exceptions ........................................................................................................................... 12 5.3 Non-Compliance ................................................................................................................. 12 Password Protection Policy 1. Overview ................................................................................................................................ 13 2. Purpose ................................................................................................................................... 13 3. Scope ...................................................................................................................................... 13 4. Policy ...................................................................................................................................... 13 4.1 Password Creation .............................................................................................................. 13 4.1.1 All user-level and system-level passwords must conform to the Password Construction Guidelines ...................................................................................................................................... 13 4.1.2 Users must use a separate, unique password for their work-related accounts. Users may not use any job-related passwords for their own personal accounts .............................................. 13 4.1.3 User accounts with system-level privileges granted through group memberships or programs such as sudo must have a unique password from all other accounts held by that user to access system-level privileges. In addition, it is highly recommended that some form of multi- factor authentication is used for any privileged accounts .............................................................. 13 4.2 Password Change ................................................................................................................ 14 4.2.1 Passwords must be changed every 30 days. You may not use any of your previous 12 passwords ....................................................................................................................................... 14 4.2.2 Password cracking or guessing may be performed periodically or randomly by the Infosec Team or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it to comply with the Password Construction Guidelines ........... 14 4.3 Password Protection ............................................................................................................ 14 Coastal Veterinary Clinic 2023 – All Rights Reserved Page 2 Coastal Veterinary Clinic

4.3.1 Passwords must not be shared with anyone, including Coastal Veterinary Clinic information. Corporate Information Security recognizes that legacy applications do not support proxy systems in place. Please refer to the technical reference for additional details ................... 14 4.3.2 Passwords must not be inserted into email messages, Alliance cases, or other forms of electronic communication, nor revealed over the phone to anyone .............................................. 14 4.3.3 Passwords may be stored only in “password managers” authorized by the organization. 14 4.3.4 Do not use applications' "Remember Password" feature (for example, web browsers).14 4.3.5 Any user suspecting their password may have been compromised must report the incident and change all passwords ................................................................................................. 14 4.4 Application Development ................................................................................................... 14 4.5 Multi-Factor Authentication ............................................................................................... 14 4.5.1 Multi-factor authentication is highly encouraged and should be used whenever possible, not only for work-related and personal accounts ........................................................................... 15 5. Policy Compliance ................................................................................................................. 15 5.5 Exceptions ........................................................................................................................... 15 5.6 Non-Compliance ................................................................................................................. 15 6 Related Standards, Policies, and Processes ............................................................................ 15 Password Construction Guidelines 1. Overview ................................................................................................................................ 16 2. Purpose ................................................................................................................................... 16 3. Scope ...................................................................................................................................... 16 4. Statement of Guidelines ......................................................................................................... 16 5. Policy Compliance ................................................................................................................. 17 6.2 Exceptions ........................................................................................................................... 17 6.3 Non-Compliance ................................................................................................................. 17 Digital Signature Acceptance Policy 1. Overview ................................................................................................................................ 18 2. Purpose ................................................................................................................................... 18 Coastal Veterinary Clinic 2023 – All Rights Reserved Page 3 Coastal Veterinary Clinic

3. Scope ...................................................................................................................................... 18 4. Policy ...................................................................................................................................... 18 5. Policy Compliance ................................................................................................................. 19 6.5 Exceptions ........................................................................................................................... 19 6.6 Non-Compliance ................................................................................................................. 19 Coastal Veterinary Clinic 2023 – All Rights Reserved Page 4 Coastal Veterinary Clinic

Acceptable Use Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is no prior approval required. If you would like to contribute a new policy or updated version of this policy, please send an email to policy-resources@sans.org . Last Update Status: Updated October 2023 1. Overview Infosec’s intentions for publishing an Acceptable Use Policy are not to impose restrictions contrary to Coastal Veterinary Clinic’s established culture of openness, trust, and integrity. Infosec is committed to protecting Coastal Veterinary Clinic's employees, partners, and the company from illegal or damaging actions by individuals, knowingly or unknowingly. Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of Coastal Veterinary Clinic. These systems are to be used for business purposes in serving the interests of the company and our clients and customers during normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every Coastal Veterinary Clinic employee and affiliate who deals with information or information systems. It is the responsibility of every computer user to know these guidelines and to conduct their activities accordingly. 2. Purpose This policy aims to outline the acceptable use of computer equipment at Coastal Veterinary Clinic. These rules are in place to protect the employee and Coastal Veterinary Clinic. Inappropriate use exposes Coastal Veterinary Clinic to risks, including virus attacks, compromise of network systems and services, and legal issues. 3. Scope This policy applies to using information, electronic and computing devices, and network resources to conduct Coastal Veterinary Clinic business or interact with internal networks and business systems, whether owned or leased by Coastal Veterinary Clinic, the employee, or a third party. All employees, contractors, consultants, temporary, and other workers at Coastal Veterinary Clinic and its subsidiaries are responsible for exercising good judgment regarding the appropriate use of information, electronic devices, and network resources in accordance with Coastal Veterinary Clinic 2023 – All Rights Reserved Page 5 Coastal Veterinary Clinic