DMZ Lab Security Policy

1. Overview

See Purpose.

2. Purpose

This policy establishes information security requirements for all networks and equipment deployed in eCuras labs located on the “Demilitarized Zone” (DMZ). Adherence to these requirements will minimize the potential risk to eCuras from the damage to the public image caused by unauthorized use of eCuras resources and the loss of sensitive/company confidential data and intellectual property.

3. Scope

eCuras Lab networks and devices (including but not limited to routers, switches, hosts, etc.) that are Internet-facing and located outside eCuras corporate Internet firewalls are considered part of the DMZ Labs and are subject to this policy. This includes DMZ Labs in primary Internet Service Provider (ISP) locations and remote locations. All existing and future equipment, which falls under this policy’s scope, must be configured according to the referenced documents. This policy does not apply to labs residing inside eCuras’s corporate Internet firewalls. Standards for these labs are defined in the Internal Lab Security Policy.

4. Policy

3.1. Ownership and Responsibilities

  1. All new DMZ Labs must present a business justification with sign-off at the business unit Vice President level. The Infosec Team must keep the business justifications on file.
  2. Lab owning organizations are responsible for assigning lab managers, point of contact (POC), and back up POC for each lab. The lab owners must maintain up to date POC information with the Infosec Team. Lab managers or their backup must be available around-the-clock for emergencies.
  3. Changes to the connectivity and/or purpose of existing DMZ Labs and establishment of new DMZ Labs must be requested through a eCuras Network Support Organization and approved by the Infosec Team.
  4. All ISP connections must be maintained by a eCuras Network Support Organization.
  5. A Network Support Organization must maintain a firewall device between the DMZ Lab(s) and the Internet.
  6. The Network Support Organization and The Infosec Team reserve the right to interrupt lab connections if a security concern exists.
  7. The DMZ Lab will provide and maintain network devices deployed in the DMZ Lab up to the Network Support Organization point of demarcation.
  8. The Network Support Organization must record all DMZ Lab address spaces and current contact information.
  9. The DMZ Lab Managers are ultimately responsible for their DMZ Labs complying with this policy.
  10. Immediate access to equipment and system logs must be granted to members of  the Infosec Team and the Network Support Organization upon request, in accordance with the Audit Policy.
  11. Individual lab accounts must be deleted within three (3) days when access is no longer authorized. Group account passwords must comply with the Password Policy and must be changed within three (3) days from a group membership change.
  12. The Infosec Team will address non-compliance waiver requests on a case-by-case basis.

3.2. General Configuration Requirements

  1. Production resources must not depend upon resources on the DMZ Lab networks.
  2. DMZ Labs must not be connected to eCuras’s corporate internal networks, either directly or via a wireless connection.
  3. DMZ Labs should be in a physically separate room from any internal network. If this is not possible, the equipment must be in a locked rack with limited access. Additionally, the Lab Manager must maintain a list of who has access to the equipment.
  4. Lab Managers are responsible for complying with the following related policies:
  1. The Network Support Organization maintained firewall devices must be configured following the least-access principles and the DMZ Lab business needs. All firewall filters will be maintained by the Infosec Team.
  2. The firewall device must be the only access point between the DMZ Lab and the rest of eCuras’s networks and/or the Internet. Any form of cross-connection which bypasses the firewall device is strictly prohibited.
  3. Original firewall configurations and any changes to it must be reviewed and approved by the Infosec Team (including both general configurations and rule sets). The Infosec Team may require additional security measures as needed.
  4. Traffic from DMZ Labs to the eCuras internal network, including VPN access, falls under the Remote Access Policy.
  5. All routers and switches not used for testing and/or training must conform to the DMZ Router and Switch standardization documents.
  6. Operating systems of all hosts internal to the DMZ Lab running Internet Services must be configured to the secure host installation and configuration standards. 
  7. Current applicable security patches/hot-fixes for any applications that are Internet services must be applied. Administrative owner groups must have processes in place to stay current on appropriate patches/hotfixes.
  8. All applicable security patches/hot-fixes recommended by the vendor must be installed. Administrative owner groups must have processes in place to stay current on appropriate patches/hotfixes.
  9. Services and applications not serving business requirements must be disabled.
  10. eCuras Confidential information is prohibited on equipment in labs where non-eCuras personnel have physical access (e.g., training labs), following the Data Classification and Protection Policy.
  11. Remote administration must be performed over secure channels (e.g., encrypted network connections using SSH or IPSEC) or console access independent from the DMZ networks.

5. Policy Compliance

5.1  Compliance Measurement

The Infosec Team will verify compliance to this policy through various methods, including but not limited to periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2  Exceptions

The Infosec Team must approve any exception to the policy in advance.

5.3  Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6. Related Standards, Policies, and Processes

Revised: March 14th, 2018

Table of Content

  1. Acceptable Encryption Policy
  2. Acceptable Use Policy
  3. Clean Desc Policy
  4. Data Breach Response Policy
  5. Disaster Recovery Plan Policy
  6. Digital Signature Acceptance Policy
  7. Email Policy
  8. Ethics Policy
  9. Pandemic Response Planning Policy
  10. Password Construction Guidelines
  11. Password Protection Policy
  12. Security Response Plan Policy
  13. End User Encryption Key Protection Policy
  14. Acquisition Assessment Policy
  15. Bluetooth Baseline Requirements Policy
  16. Remote Access Policy
  17. Remote Access Tools Policy
  18. Router and Switch Security Policy
  19. Wireless Communication Policy
  20. Wireless Communication Standard
  21. Database Credentials Policy
  22. Technology Equipment Disposal Policy
  23. Information Logging Standard
  24. Lab Security Policy
  25. Server Security Policy 
  26. Software Installation Policy
  27. Workstation Security (For HIPAA) Policy
  28. Web Application Security Policy
  29.  Analog/ISDN Line Security Policy
  30. Anti-Virus Guidelines
  31. Server Audit Policy
  32. Automatically Forwarded Email Policy
  33. Communications Equipment Policy
  34. Dial In Access Policy
  35. Extranet Policy
  36. Internet DMZ Equipment Policy
  37. Internet Usage Policy
  38. Mobile Device Encryption Policy
  39. Personal Communication Devices and Voicemail Policy
  40. Removable Media Policy
  41. Risk Assessment Policy
  42. Server Malware Protection Policy
  43. Social Engineering Awareness Policy
  44. DMZ Lab Security Policy
  45. Email Retention Policy
  46. Employee Internet Use Monitoring and Filtering Policy
  47. Lab Anti Virus Policy
  48. Mobile Employee Endpoint Responsibility Policy
  49. Remote Access Mobile Computing Storage
  50. Virtual Private Network Policy