Extranet Policy

1. Purpose

This document describes the policy under which third party organizations connect to eCuras networks to transact business related to eCuras.

2. Scope

Connections with third parties that require access to non-public eCuras resources fall under this policy, regardless of whether a telco circuit (such as frame relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for eCuras, or to the Public Switched Telephone Network, does NOT fall under this policy.

3. Policy

3.1 Prerequisites

3.1.1 Security Review

All new extranet connectivity will go through a security review with the Information Security department (InfoSec). The review ensures that all access matches the business requirements in the best possible way and that the least-access principle is followed.

3.1.2 Third-Party Connection Agreement

All new connection requests between third parties and eCuras require that the third party and eCuras representatives agree to sign the Third Party Agreement. This agreement must be signed by the Vice President of the Sponsoring Organization and a representative from the third party who is legally empowered to sign on behalf of the third party. The signed document is to be kept on file with the relevant extranet group.

3.1.3 Business Case

All production extranet connections must be accompanied by a valid business justification, in writing, approved by a project manager in the extranet group. Typically this function is handled as part of the Third Party Agreement.

3.1.4 Point of Contact

The Sponsoring Organization must designate a person to be the Point of Contact (POC) for the extranet connection. The POC acts on behalf of the Sponsoring Organization and is responsible for those portions of this policy and the Third Party Agreement that pertain to it. If the Point of Contact changes, the relevant extranet group must be informed promptly.

3.2 Establishing Connectivity

Sponsoring Organizations within eCuras that wish to establish connectivity to a third party will file a new site request with the proper extranet group. The extranet group will engage InfoSec to address the security issues inherent in the project. The Sponsoring Organization must provide full and complete information about the nature of the proposed access to the extranet group and InfoSec, as requested.

All connectivity established must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will eCuras rely upon the third party to protect eCuras’s network or resources.

3.3 Modifying or Changing Connectivity and Access

All changes in access must be accompanied by a valid business justification and are subject to security review. Changes are to be implemented via the corporate change management process. The Sponsoring Organization is responsible for notifying the extranet management group and/or InfoSec when there is a material change in their originally provided information so that security and connectivity evolve accordingly.

3.4 Terminating Access

When access is no longer required, the Sponsoring Organization within eCuras must notify the extranet team responsible for that connectivity, which will then terminate the access. This may range from modifying existing permissions to terminating the circuit, as appropriate. The extranet and lab security teams must audit their respective connections annually to ensure that all existing connections are still needed and that the access provided meets the connection's needs. Connections that are found to be deprecated and/or are no longer being used to conduct eCuras business will be terminated immediately. Should a security incident, or a finding that a circuit has been deprecated and is no longer being used to conduct eCuras business, necessitate a modification of existing permissions or termination of connectivity, InfoSec and/or the extranet team will notify the POC or the Sponsoring Organization of the change before taking any action.

4. Policy Compliance

4.1 Compliance Measurement

The InfoSec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

4.2 Exceptions

The InfoSec team must approve any exception to this policy in advance.

4.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Revised: March 14th, 2018
