The purpose of this policy is to define standards to be met by all equipment owned and/or operated by eCuras located outside eCuras’s corporate Internet firewalls. These standards are designed to minimize the potential exposure to eCuras from the loss of sensitive or company confidential data, intellectual property, damage to public image, etc., which may follow from unauthorized use of eCuras resources.
Internet-facing devices and outside the eCuras firewall are considered part of the “demilitarized zone” (DMZ) and are subject to this policy. These devices (network and host) are particularly vulnerable to attack from the Internet since they reside outside the corporate firewalls.
The policy defines the following standards:
- Ownership responsibility
- Secure configuration requirements
- Operational requirements
- Change control requirement
All equipment or devices deployed in a DMZ owned and/or operated by eCuras (including hosts, routers, switches, etc.) and/or registered in any Domain Name System (DNS) domain owned by eCuras must follow this policy.
This policy also covers any host device outsourced or hosted at external/third-party service providers if that equipment resides in the “eCuras.com” domain or appears to be owned by eCuras.
All new equipment that falls under this policy’s scope must be configured according to the referenced configuration documents unless a waiver is obtained from Infosec. All existing and future equipment deployed on eCuras’s un-trusted networks must comply with this policy.
4.1 Ownership and Responsibilities
Equipment and applications within this policy’s scope must be administered by support groups approved by Infosec for DMZ system, application, and/or network management.
Support groups will be responsible for the following:
- Equipment must be documented in the corporate-wide enterprise management system. At a minimum, the following information is required:
- Host contacts and location.
- Hardware and operating system/version.
- Main functions and applications.
- Password groups for privileged passwords.
- Network interfaces must have the appropriate Domain Name Server (DNS) records (minimum of A and PTR records).
- Password groups must be maintained following the corporate-wide password management system/process.
- Immediate access to equipment and system logs must be granted to Infosec members upon demand.
- Changes to existing equipment and deployment of new equipment must follow and corporate governess or change management processes/procedures.
To verify compliance with this policy, Infosec will periodically audit DMZ equipment per the Audit Policy.
4.2 General Configuration Policy
All equipment must comply with the following configuration policy:
- Infosec must approve · Hardware, operating systems, services, and applications as part of the pre-deployment review phase.
- Operating system configuration must be done according to the secure host and router installation and configuration standards.
- All patches/hot-fixes recommended by the equipment vendor and Infosec must be installed. This applies to all services installed, even though those services may be temporarily or permanently disabled. Administrative owner groups must have processes in place to stay current on appropriate patches/hotfixes.
- Services and applications not serving business requirements must be disabled.
- Trust relationships between systems may only be introduced according to business requirements, must be documented, and must be approved by Infosec.
- Access control lists must restrict · Services and applications not for general access.
- Insecure services or protocols (as determined by Infosec) must be replaced with more secure equivalents whenever such exist.
- Remote administration must be performed over secure channels (e.g., encrypted network connections using SSH or IPSEC) or console access independent from the DMZ networks. Where a methodology for secure channel connections is not available, one-time passwords must be used for all access levels.
- All host content updates must occur over secure channels.
- Security-related events must be logged, and audit trails saved to Infosec-approved logs. Security-related events include (but are not limited to) the following:
- User login failures.
- Failure to obtain privileged access.
- Access policy violations.
- Infosec will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified.
4.3 New Installations and Change Management Procedures
All new installations and changes to the configuration of existing equipment and applications must follow the following policies/procedures:
- New installations must be done via the DMZ Equipment Deployment Process.
- Configuration changes must follow the Corporate Change Management (CM) Procedures.
- Infosec must be invited to perform system/application audits before the deployment of new services.
- Infosec must be engaged, either directly or via CM, to approve all new deployments and configuration changes.
4.4 Equipment Outsourced to External Service Providers
The responsibility for the security of the equipment deployed by external service providers must be clarified in the contract with the service provider and security contacts, and escalation procedures documented. Contracting departments are responsible for third party compliance with this policy.
5. Policy Compliance
5.1 Compliance Measurement
The Infosec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
The Infosec team must approve any exception to the policy in advance.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
External service providers found to have violated this policy may be subject to financial penalties, up to and including termination of the contract.
6. Related Standards, Policies, and Processes
Revised: March 14th, 2018
Table of Content
- Acceptable Encryption Policy
- Acceptable Use Policy
- Clean Desc Policy
- Data Breach Response Policy
- Disaster Recovery Plan Policy
- Digital Signature Acceptance Policy
- Email Policy
- Ethics Policy
- Pandemic Response Planning Policy
- Password Construction Guidelines
- Password Protection Policy
- Security Response Plan Policy
- End User Encryption Key Protection Policy
- Acquisition Assessment Policy
- Bluetooth Baseline Requirements Policy
- Remote Access Policy
- Remote Access Tools Policy
- Router and Switch Security Policy
- Wireless Communication Policy
- Wireless Communication Standard
- Database Credentials Policy
- Technology Equipment Disposal Policy
- Information Logging Standard
- Lab Security Policy
- Server Security Policy
- Software Installation Policy
- Workstation Security (For HIPAA) Policy
- Web Application Security Policy
- Analog/ISDN Line Security Policy
- Anti-Virus Guidelines
- Server Audit Policy
- Automatically Forwarded Email Policy
- Communications Equipment Policy
- Dial In Access Policy
- Extranet Policy
- Internet DMZ Equipment Policy
- Internet Usage Policy
- Mobile Device Encryption Policy
- Personal Communication Devices and Voicemail Policy
- Removable Media Policy
- Risk Assessment Policy
- Server Malware Protection Policy
- Social Engineering Awareness Policy
- DMZ Lab Security Policy
- Email Retention Policy
- Employee Internet Use Monitoring and Filtering Policy
- Lab Anti Virus Policy
- Mobile Employee Endpoint Responsibility Policy
- Remote Access Mobile Computing Storage
- Virtual Private Network Policy