DFF - Spacer Image
DFF - Upper Left Page Border Image DFF - Upper Right Page Border Image
Diving For Fun with William Fidler
DFF - Lower Left Page Border Image DFF - Lower Right Page Border Image
DFF - Spacer Image
DFF - Upper Left Page Border Image DFF - Upper Right Page Border Image
Diving For Fun with William Fidler
DFF - Lower Left Page Border Image DFF - Lower Right Page Border Image
DFF - Spacer Image
DFF - Spacer Image
DFF - Upper Left Page Border Image DFF - Upper Right Page Border Image
DFF - Left Page Border Image
Diving For Fun - Life Ring Image
DFF - Right Page Border Image
DFF - Lower Left Page Border Image DFF - Lower Right Page Border Image
DFF - Spacer Image
DFF - Spacer Image
DFF - Upper Left Page Border Image DFF - Upper Right Page Border Image
MENU
Diving For Fun - Dive Travel & Trips
Diving For Fun - Photo Galleries
Diving For Fun - Video Galleries
Diving For Fun - Dive Forms
Diving For Fun - Dive Articles
Diving For Fun - Driving Directions
Diving For Fun - About Us
Diving For Fun - Website News
DFF - Lower Left Page Border Image DFF - Lower Right Page Border Image
DFF - Upper Left Page Border Image DFF - Upper Right Page Border Image
Diving For Fun - Download Website Font
Diving For Fun - Bookmark This Site!
DFF - Lower Left Page Border Image DFF - Lower Right Page Border Image
DFF - Upper Left Page Border Image DFF - Upper Right Page Border Image
DFF - Lower Left Page Border Image DFF - Lower Right Page Border Image
DFF - Upper Left Page Border Image DFF - Upper Right Page Border Image
Unique Visitors
www.reliablecounter.com
Free Hit Counter
DFF - Lower Left Page Border Image DFF - Lower Right Page Border Image
DFF - Spacer Image
DFF - Upper Left Page Border Image DFF - Upper Right Page Border Image
 SECURITY POLICY
Notice on Cyber Attacks and Online Theft

Diving For Fun takes cyber attacks and online theft seriously. If you are reported and verified as a cyber attacker or online theft, all relevant details will be reported to the Internet Crime Complaint Center (IC3) and all applicable authorities. The IC3 shares information with the FBI and other agencies for the purpose of investigating all aspects of cyber crimes. Punishment can be up to 5, 15, 20, or 30 years in federal prison, plus fines. In addition, punishments for the unlawful use of "means of identification" were strengthened in 1028A ("Aggravated Identity Theft"), allowing for consecutive sentences under specific enumerated felony violations.

 INTRODUCTION

Diving For Fun is committed to protecting the privacy and security of customers on our website. This Security Policy will advise you about our guidelines concerning the use of your personal information, including, without limitation, the reasonable efforts we make to protect your personal information in accord with these guidelines, and about what choices you have concerning our use of such information.

Please read this policy carefully. We may need to change this policy from time to time in order to address new issues and reflect changes on our website. We will post those changes here so that you will always know our policies regarding what information we gather, how we might use that information, and whether we will disclose that information to anyone. Please refer back to this policy regularly. If you have any questions or concerns about our Security Policy, please send an email to .

This Security Policy applies to your use of the website and services owned or operated by Diving For Fun (collectively "we, " "us, " or "our"), including www.DivingForFun.com, Diving For Fun and any other retail or website we may own or operate currently or in the future (collectively, the "Site" or "Sites"). Unless we say otherwise, all references to the Sites in this policy include all such sites. This policy does not apply to your use of sites to which any of the Sites link too. This policy covers only information collected on the Sites and does not cover any information collected offline by us.

 INTENT

The intent of this Security Policy is to ensure that all systems installed on the Diving For Fun network are maintained at appropriate levels of security while at the same time not impeding the ability of Diving For Fun users and support staff to perform their work. The purpose is:
  • to define where equipment is to be placed on the network;
  • to define who may access network equipment;
  • to define how access to this equipment is to be controlled; and,
  • to define how data traveling over the network is to be protected.
 APPLICABILITY

This policy applies to:
  • any IP networks (existing and future) to which Diving For Fun network equipment is connected;
  • all equipment connected to the networks mentioned above
  • any IP networks across which Diving For Fun data travels;
  • data in transit over any of the above-mentioned networks;
  • network administrators managing the equipment;
  • project leaders requiring new equipment to be connected to the network; and,
  • all users utilizing equipment that is connected to the network.
This includes but is not limited to:
  • the User LAN
  • the SERVER LAN
  • the Backup SERVER LAN
  • remote sites.
This policy will also apply to all equipment connected to the networks mentioned above, and all Diving For Fun employees using any of this equipment.

 POSITION

The security policy is based on the principles and guidelines described in the Diving For Fun Information Security Framework document. All Diving For Fun network equipment (routers, servers, workstations etc) shall be classified according to the standard Diving For Fun classification scheme and placed in a network segment appropriate to its level of classification. Access to these segments must be controlled in an appropriate manner. Whenever data travels over a network segmentation of a lower security classification then the data shall be protected in manner appropriate to its classification level.

 CLASSIFICATION

In accordance with the Diving For Fun Information Security Framework document, all users, hosts and data must be classified as security level 1 (unclassified), 2 (shared), 3 (company only) or 4 (confidential). All physical network segments, IP subnets and other IP traffic carriers must be classified in the same way. All data travelling on an IP network must be classified, and all users using network equipment or requesting data over the network must be assigned a level of clearance according to the same system.

It is the function of the person designated as the equipment owner to have all equipment under his or her control classified. The owner is defined as the head of division installing the equipment. Classification is done in consultation between the owner (or an assigned representative) and the Security Officer, but the final decision shall lie with the Security Officer.

For a description of the Diving For Fun system of security level classification, the concept of ownership and the role of the Security Manager, refer to the Diving For Fun Information Security Framework document.

 NETWORK SEGMENTATION
  1. Unless otherwise stated in the security policy or in the Information Security Policy Framework document all network segments are classified Level 1 - Unclassified.
  2. The classification of network segments is given in the section of this article entitled Discussion of Classifications, which follows.
  3. A network segment can only be classified as another security level with approval of the Diving For Fun Security Officer. Its new level of classification must be recorded in this document and all divisional heads must be notified.
  4. Wherever a network segment connects to another network segment with a different security level, then the connection between the two networks must be controlled by an approved trusted point. A trusted point is equipment capable of regulating the flow of traffic between two network segments in a manner appropriate to the classification of the networks. Trusted points are covered in detail in the section that follows.
  5. No network equipment may be connected to a network segment that is not of the same security level as the equipment itself.
  6. The Diving For Fun Security Officer may also choose to segment two networks of the same security level.
 TRUSTED POINTS
  1. The trusted point used to segment two networks shall be appropriate for the network with the highest security level.
  2. The default behavior of a trusted point must be to deny all IP traffic between the network segments it protects.
  3. At the discretion of the Diving For Fun Security Officer, the default behavior of the trusted point may be to allow all traffic out from the network with the higher security level whilst denying all traffic in.
  4. At the discretion of the Diving For Fun Security Officer, the trusted point may be configured to allow specific into the network with the higher security level
  5. All trusted points must be completely under the control of the Security Officer. Access to any trusted point shall only be granted with the explicit permission of the Security Manager and under his or her close supervision.
  6. There are a number of technologies that can act as trusted points. They are divided into the following categories:
    • Network Level Control: TCP wrappers, host lists, filter routers, network-level firewalls, V-LAN switches etc.;
    • User Level Control: application proxies, user-level firewalls etc.; and,
    • Strong User-Level Control: token-based user authentication systems, certificates etc.
  7. Whenever there is a connection that skips over one security level the strong user level control must be used. Even if strong user control is used, a connection may never skip more than one security level.
 DATA IN TRANSIT
  1. Data moving on the network between any two network-components is considered to be "data in transit". This also includes all control and management sessions.
  2. All network technologies are regarded as either "safe" or "unsafe" in their native state (i.e. without any encryption). The only networks regarded as safe by Diving For Fun are Frame-Relay PVCs (as used on the Diving For Fun backbone) and switched Ethernet LANs. All other network types are regarded unsafe.
  3. All data in transit over an unsafe network segment that has a classification lower than the classification of the data must be protected by data encryption. Data in transit over a safe network segment may be encrypted at the discretion of the Security Officer.
  4. Encryption of data in transit may take any of the following forms:
    • network encryption, in which data is encrypted at the IP layer (for example, with IPSec);
    • session encryption, in which data is encrypted at a TCP layer (for example, with SSL);
    • message encryption, in which blocks of data are encrypted before they are sent (for example, with SMIME); and,
    • data encryption, in which the entire data package is encrypted before it is transmitted (for example, with file encryption).
  5. Encryption systems used must offer strong encryption (more then 100 bit encryption keys) and use internationally recognized encryption algorithms. The choice of the crypto-algorithm is the responsibility of the Security Officer.
 CLASSIFICATION OF USERS
  1. Every user is designated as unclassified until his or her classification is explicitly changed with the written approval of the Security Officer.
  2. When a new employee joins Diving For Fun, a request is made by the employee's manager to the Security Officer for a new level of clearance. It is the responsibility of the manager to justify the requested level of clearance.
  3. Unless there is strong justification, all new employees shall be cleared for the level Diving For Fun Only, but only after they have signed an employment contract including acceptance of this policy and non-disclosure forms.
  4. The Security Officer is responsible for managing and controlling the record of clearance levels for all personnel.
  5. It is the responsibility of all system owners and system administrators to determine the security level of a given user before granting that user access to any system.
  6. It is the responsibility of the user to know his or her own clearance level and to understand the rights and limitations associated with that clearance.
 CLASSIFICATION OF EQUIPMENT
  1. All computing equipment must be given a classification by the Security Officer.
  2. Classifications for existing and future equipment are as follows:
    • all user workstations, file-servers, print-servers etc should be classified as Company Only;
    • all LAN servers and other hosts used in the management of the Diving For Fun backbone infrastructure or Diving For Fun internal network infrastructure will be classified as Confidential;
    • all backbone equipment (including switches, remote access servers, ADSL chassis etc) that are not located on Diving For Fun premises will be classified as Shared; and,
    • all equipment used in the transfer of data to and from the Internet will be classified as Shared.
  3. The Security Officer must maintain a complete list of the classifications of all computing equipment in the Diving For Fun network and in the Diving For Fun backbone.
 CLASSIFICATION OF NETWORKS

The Diving For Fun Security Officer must classify every network segment that constitutes part of the Diving For Fun infrastructure. A complete list of the classifications of all network segments in the Diving For Fun network and in the Diving For Fun backbone is maintained by the Security Officer. Classifications for existing Diving For Fun network segments are as follows:
  • The Diving For Fun User LAN located is classified as Company Only.
  • The SERVER LAN & backup SERVER LAN are classified as Confidential.
  • The Diving For Fun Frame-Relay Backbone is classified as Shared.
  • The Remote sites are classified as Shared.
  • The SERVER LAN and the Portal Segment are classified as Shared.
 CLASSIFICATION OF DATA

Any Diving For Fun user with legitimate access to Diving For Fun data may, with sufficient justification, change the classification of the data. The user may only change the classification of data if there is sufficient, justifiable reason to do so. Users will be held strictly responsible for these decisions.

All newly created data must be classified Company Only until it is reclassified by a user, who does so on his or her own prerogative. Users are held solely responsible for any data whose classification they change. Classifications for existing Diving For Fun data are given below:
  • Diving For Fun business information (memos, financial documents, planning documents etc) should be classified as Company Only;
  • Diving For Fun customer data (contact details, contracts, billing information etc) should be classified as Company Only;
  • network management data (IP addresses, passwords, configuration files, etc.) should be classified as Confidential;
  • human resources information (employment contracts, salary information, etc.) should be classified Confidential;
  • Published information (pamphlets, performance reports, marketing material, etc.) should be classified Shared;
  • E-mail between Diving For Fun employees should be classified Company Only; and,
  • E-mail between Diving For Fun employees and non-Diving For Fun employees should be regarded as Unclassified.
 CLASSIFICATIONS: ROLES AND RESPONSIBILITIES
  1. It is the responsibility of the user to:
    • know his or her own clearance level and to understand the rights and limitations associated with that clearance;
    • ensure all the data he or she works with is correctly classified;
    • ensure that he or she understands the restrictions associated with the data he or she is working with; and,
    • ensure all the data he or she works with is housed and protected appropriately.
  2. It is the responsibility of all system owners and system administrators to:
    • determine the security level of a given user before granting that user access to any system;
    • verify the classification of the equipment they manage; and,
    • verify that the equipment is installed and protected in accordance with its classification.
  3. It is the responsibility of each divisional manager to:
    • obtain clearance for employees in his or her divisions;
    • clarify the classification of data on systems under his or her control;
    • clarify the classification of equipment under his or her control and to ensure that those systems are correctly installed; and,
    • ensure all employees in that division understand and implement this policy.
  4. It is the responsibility of the Security Officer to:
    • approve all classifications;
    • maintain a list of all classifications;
    • control and manage all trusted points; and,
    • determine the type of cryptographic protection to be used for data in transit.
 COMPLIANCE
  1. Any user accessing a data, equipment or a physical location with insufficient clearance can face disciplinary action, dismissal and criminal or civil prosecution.
  2. Any user allowing access to a system that he or she controls for someone with insufficient clearance can face disciplinary action, dismissal and criminal or civil prosecution.
  3. Any person connecting equipment that is not classified to the network or connecting equipment to an inappropriate part of the network or in an inappropriate location can face disciplinary action, dismissal and criminal or civil prosecution.
  4. Any person transmitting data over any network without the appropriate cryptographic protection for that data can face disciplinary action, dismissal and criminal or civil prosecution.
  5. Any person changing the classification of data in a way that is reckless, irresponsible or in any damaging to Diving For Fun, their share holders or any of their clients can face disciplinary action, dismissal and criminal or civil prosecution.
 POINTS OF CONTACT AND SUPPLEMENTARY INFORMATION

For a description of the Diving For Fun system of security level classification, users should refer to the Diving For Fun Information Security Framework document. For enquiries regarding the classification of data, equipment, network segments or physical locations or the clearance level of users, interested parties should be directed to contact the Diving For Fun Security Officer.

Last Updated:  April 1, 2017


Diving For Fun - Life Ring Image  For more information, please call us at 972-467-8314 or
email us at or click here to request
additional information or to sign-up online for a class or dive trip.
Diving For Fun - Life Ring Image

DFF - Back Page Button Home Top
DFF - Lower Left Page Border Image DFF - Lower Right Page Border Image
DFF - Spacer Image
DFF - Spacer Image
DFF - Upper Left Page Border Image DFF - Upper Right Page Border Image
Diving For Fun - Angel Fish Copyright © 2004-2017
All Rights Reserved
Diving For Fun - Star Fish
Phone: (972) 467-8314 Orlando & Tampa, FL 
Contact Us | Terms | Privacy | Security | Sitemap | Hosting | Web Design
Diving For Fun - Fish Image
DFF - Lower Left Page Border Image DFF - Lower Right Page Border Image
DFF - Spacer Image