Notice on Cyber Attacks and Online Theft
Diving For Fun takes cyber attacks and online theft seriously. If you are reported and
verified as a cyber attacker or online theft, all relevant details will be reported to the
Internet Crime Complaint Center (IC3) and all applicable authorities.
The IC3 shares information with the FBI and other agencies for the purpose of investigating all aspects of cyber crimes. Punishment can be
up to 5, 15, 20, or 30 years in federal prison, plus fines. In addition, punishments for the unlawful use of "means of identification"
were strengthened in § 1028A ("Aggravated Identity Theft"), allowing for consecutive sentences under specific enumerated felony violations.
Diving For Fun is committed to protecting the privacy and security of customers on our website.
This Security Policy will advise you about our guidelines concerning the use of your personal information, including, without limitation,
the reasonable efforts we make to protect your personal information in accord with these guidelines, and about what choices you have concerning
our use of such information.
Please read this policy carefully. We may need to change this policy from time to time in order to address new issues and reflect changes on
our website. We will post those changes here so that you will always know our policies regarding what information we gather, how we might use
that information, and whether we will disclose that information to anyone. Please refer back to this policy regularly. If you have any questions
or concerns about our Security Policy, please send an email to .
This Security Policy applies to your use of the website and services owned or operated by Diving For Fun
(collectively "we, " "us, " or "our"), including www.DivingForFun.com, Diving For Fun and any other retail or
website we may own or operate currently or in the future (collectively, the "Site" or "Sites"). Unless we say otherwise, all references to the Sites
in this policy include all such sites. This policy does not apply to your use of sites to which any of the Sites link too. This policy covers only
information collected on the Sites and does not cover any information collected offline by us.
The intent of this Security Policy is to ensure that all systems installed on the Diving For Fun network
are maintained at appropriate levels of security while at the same time not impeding the ability of Diving For Fun
users and support staff to perform their work. The purpose is:
- to define where equipment is to be placed on the network;
- to define who may access network equipment;
- to define how access to this equipment is to be controlled; and,
- to define how data traveling over the network is to be protected.
This policy applies to:
This includes but is not limited to:
- any IP networks (existing and future) to which Diving For Fun network equipment is connected;
- all equipment connected to the networks mentioned above
- any IP networks across which Diving For Fun data travels;
- data in transit over any of the above-mentioned networks;
- network administrators managing the equipment;
- project leaders requiring new equipment to be connected to the network; and,
- all users utilizing equipment that is connected to the network.
This policy will also apply to all equipment connected to the networks mentioned above, and all Diving For Fun employees using any of this equipment.
- the User LAN
- the SERVER LAN
- the Backup SERVER LAN
- remote sites.
The security policy is based on the principles and guidelines described in the Diving For Fun Information Security Framework document.
All Diving For Fun network equipment (routers, servers, workstations etc) shall be classified according to the standard Diving For Fun classification
scheme and placed in a network segment appropriate to its level of classification. Access to these segments must be controlled in an appropriate manner.
Whenever data travels over a network segmentation of a lower security classification then the data shall be protected in manner appropriate to its
In accordance with the Diving For Fun Information Security Framework document, all users, hosts and data must be classified as security level 1
(unclassified), 2 (shared), 3 (company only) or 4 (confidential). All physical network segments, IP subnets and other IP traffic carriers must be classified
in the same way. All data travelling on an IP network must be classified, and all users using network equipment or requesting data over the network must
be assigned a level of clearance according to the same system.
It is the function of the person designated as the equipment owner to have all equipment under his or her control classified. The owner is defined as
the head of division installing the equipment. Classification is done in consultation between the owner (or an assigned representative) and the Security
Officer, but the final decision shall lie with the Security Officer.
For a description of the Diving For Fun system of security level classification, the concept of ownership and the role of the Security Manager, refer to
the Diving For Fun Information Security Framework document.
- Unless otherwise stated in the security policy or in the Information Security Policy Framework document all network segments are classified Level 1 - Unclassified.
- The classification of network segments is given in the section of this article entitled Discussion of Classifications, which follows.
- A network segment can only be classified as another security level with approval of the Diving For Fun Security Officer. Its new level of classification must be recorded in this document and all divisional heads must be notified.
- Wherever a network segment connects to another network segment with a different security level, then the connection between the two networks must be controlled by an approved trusted point. A trusted point is equipment capable of regulating the flow of traffic between two network segments in a manner appropriate to the classification of the networks. Trusted points are covered in detail in the section that follows.
- No network equipment may be connected to a network segment that is not of the same security level as the equipment itself.
- The Diving For Fun Security Officer may also choose to segment two networks of the same security level.
- The trusted point used to segment two networks shall be appropriate for the network with the highest security level.
- The default behavior of a trusted point must be to deny all IP traffic between the network segments it protects.
- At the discretion of the Diving For Fun Security Officer, the default behavior of the trusted point may be to allow all traffic out from the network with the higher security level whilst denying all traffic in.
- At the discretion of the Diving For Fun Security Officer, the trusted point may be configured to allow specific into the network with the higher security level
- All trusted points must be completely under the control of the Security Officer. Access to any trusted point shall only be granted with the explicit permission of the Security Manager and under his or her close supervision.
- There are a number of technologies that can act as trusted points. They are divided into the following categories:
- Network Level Control: TCP wrappers, host lists, filter routers, network-level firewalls, V-LAN switches etc.;
- User Level Control: application proxies, user-level firewalls etc.; and,
- Strong User-Level Control: token-based user authentication systems, certificates etc.
- Whenever there is a connection that skips over one security level the strong user level control must be used. Even if strong user control is used, a connection may never skip more than one security level.
- Data moving on the network between any two network-components is considered to be "data in transit". This also includes all control and management sessions.
- All network technologies are regarded as either "safe" or "unsafe" in their native state (i.e. without any encryption). The only networks regarded as safe by Diving For Fun are Frame-Relay PVCs (as used on the Diving For Fun backbone) and switched Ethernet LANs. All other network types are regarded unsafe.
- All data in transit over an unsafe network segment that has a classification lower than the classification of the data must be protected by data encryption. Data in transit over a safe network segment may be encrypted at the discretion of the Security Officer.
- Encryption of data in transit may take any of the following forms:
- network encryption, in which data is encrypted at the IP layer (for example, with IPSec);
- session encryption, in which data is encrypted at a TCP layer (for example, with SSL);
- message encryption, in which blocks of data are encrypted before they are sent (for example, with SMIME); and,
- data encryption, in which the entire data package is encrypted before it is transmitted (for example, with file encryption).
- Encryption systems used must offer strong encryption (more then 100 bit encryption keys) and use internationally recognized encryption algorithms. The choice of the crypto-algorithm is the responsibility of the Security Officer.
- Every user is designated as unclassified until his or her classification is explicitly changed with the written approval of the Security Officer.
- When a new employee joins Diving For Fun, a request is made by the employee's manager to the Security Officer for a new level of clearance. It is the responsibility of the manager to justify the requested level of clearance.
- Unless there is strong justification, all new employees shall be cleared for the level Diving For Fun Only, but only after they have signed an employment contract including acceptance of this policy and non-disclosure forms.
- The Security Officer is responsible for managing and controlling the record of clearance levels for all personnel.
- It is the responsibility of all system owners and system administrators to determine the security level of a given user before granting that user access to any system.
- It is the responsibility of the user to know his or her own clearance level and to understand the rights and limitations associated with that clearance.
| CLASSIFICATION OF EQUIPMENT
- All computing equipment must be given a classification by the Security Officer.
- Classifications for existing and future equipment are as follows:
- all user workstations, file-servers, print-servers etc should be classified as Company Only;
- all LAN servers and other hosts used in the management of the Diving For Fun backbone infrastructure or Diving For Fun internal network infrastructure will be classified as Confidential;
- all backbone equipment (including switches, remote access servers, ADSL chassis etc) that are not located on Diving For Fun premises will be classified as Shared; and,
- all equipment used in the transfer of data to and from the Internet will be classified as Shared.
- The Security Officer must maintain a complete list of the classifications of all computing equipment in the Diving For Fun network and in the Diving For Fun backbone.
| CLASSIFICATION OF NETWORKS
The Diving For Fun Security Officer must classify every network segment that constitutes part of the Diving For Fun infrastructure. A complete list of the
classifications of all network segments in the Diving For Fun network and in the Diving For Fun backbone is maintained by the Security Officer. Classifications
for existing Diving For Fun network segments are as follows:
- The Diving For Fun User LAN located is classified as Company Only.
- The SERVER LAN & backup SERVER LAN are classified as Confidential.
- The Diving For Fun Frame-Relay Backbone is classified as Shared.
- The Remote sites are classified as Shared.
- The SERVER LAN and the Portal Segment are classified as Shared.
Any Diving For Fun user with legitimate access to Diving For Fun data may, with sufficient justification, change the classification of the data. The user may
only change the classification of data if there is sufficient, justifiable reason to do so. Users will be held strictly responsible for these decisions.
All newly created data must be classified Company Only until it is reclassified by a user, who does so on his or her own prerogative. Users are held
solely responsible for any data whose classification they change. Classifications for existing Diving For Fun data are given below:
- Diving For Fun business information (memos, financial documents, planning documents etc) should be classified as Company Only;
- Diving For Fun customer data (contact details, contracts, billing information etc) should be classified as Company Only;
- network management data (IP addresses, passwords, configuration files, etc.) should be classified as Confidential;
- human resources information (employment contracts, salary information, etc.) should be classified Confidential;
- Published information (pamphlets, performance reports, marketing material, etc.) should be classified Shared;
- E-mail between Diving For Fun employees should be classified Company Only; and,
- E-mail between Diving For Fun employees and non-Diving For Fun employees should be regarded as Unclassified.
| CLASSIFICATIONS: ROLES AND RESPONSIBILITIES
- It is the responsibility of the user to:
- know his or her own clearance level and to understand the rights and limitations associated with that clearance;
- ensure all the data he or she works with is correctly classified;
- ensure that he or she understands the restrictions associated with the data he or she is working with; and,
- ensure all the data he or she works with is housed and protected appropriately.
- It is the responsibility of all system owners and system administrators to:
- determine the security level of a given user before granting that user access to any system;
- verify the classification of the equipment they manage; and,
- verify that the equipment is installed and protected in accordance with its classification.
- It is the responsibility of each divisional manager to:
- obtain clearance for employees in his or her divisions;
- clarify the classification of data on systems under his or her control;
- clarify the classification of equipment under his or her control and to ensure that those systems are correctly installed; and,
- ensure all employees in that division understand and implement this policy.
- It is the responsibility of the Security Officer to:
- approve all classifications;
- maintain a list of all classifications;
- control and manage all trusted points; and,
- determine the type of cryptographic protection to be used for data in transit.
- Any user accessing a data, equipment or a physical location with insufficient clearance can face disciplinary action, dismissal and criminal or civil prosecution.
- Any user allowing access to a system that he or she controls for someone with insufficient clearance can face disciplinary action, dismissal and criminal or civil prosecution.
- Any person connecting equipment that is not classified to the network or connecting equipment to an inappropriate part of the network or in an inappropriate location can face disciplinary action, dismissal and criminal or civil prosecution.
- Any person transmitting data over any network without the appropriate cryptographic protection for that data can face disciplinary action, dismissal and criminal or civil prosecution.
- Any person changing the classification of data in a way that is reckless, irresponsible or in any damaging to Diving For Fun, their share holders or any of their clients can face disciplinary action, dismissal and criminal or civil prosecution.
| POINTS OF CONTACT AND SUPPLEMENTARY INFORMATION
For a description of the Diving For Fun system of security level classification, users should refer to the Diving For Fun Information Security Framework
document. For enquiries regarding the classification of data, equipment, network segments or physical locations or the clearance level of users, interested parties
should be directed to contact the Diving For Fun Security Officer.
Last Updated: April 1, 2017