Internet DMZ Equipment Policy

1. Overview

See Purpose.

2. Purpose

The purpose of this policy is to define standards to be met by all equipment owned and/or operated by eCuras located outside eCuras’s corporate Internet firewalls. These standards are designed to minimize the potential exposure to eCuras from the loss of sensitive or company confidential data, intellectual property, damage to public image, etc., which may follow from unauthorized use of eCuras resources.

Internet-facing devices and outside the eCuras firewall are considered part of the “demilitarized zone” (DMZ) and are subject to this policy. These devices (network and host) are particularly vulnerable to attack from the Internet since they reside outside the corporate firewalls.

The policy defines the following standards:

• Ownership responsibility
• Secure configuration requirements
• Operational requirements
• Change control requirement

3. Scope

All equipment or devices deployed in a DMZ owned and/or operated by eCuras (including hosts, routers, switches, etc.) and/or registered in any Domain Name System (DNS) domain owned by eCuras must follow this policy.

This policy also covers any host device outsourced or hosted at external/third-party service providers if that equipment resides in the “eCuras.com” domain or appears to be owned by eCuras.

All new equipment that falls under this policy’s scope must be configured according to the referenced configuration documents unless a waiver is obtained from Infosec. All existing and future equipment deployed on eCuras’s un-trusted networks must comply with this policy.

4. Policy

4.1  Ownership and Responsibilities

Equipment and applications within this policy’s scope must be administered by support groups approved by Infosec for DMZ system, application, and/or network management.

Support groups will be responsible for the following:

• Equipment must be documented in the corporate-wide enterprise management system. At a minimum, the following information is required:
  • Host contacts and location.
  • Hardware and operating system/version.
  • Main functions and applications.
  • Password groups for privileged passwords.
• Network interfaces must have the appropriate Domain Name Server (DNS) records (minimum of A and PTR records).
• Password groups must be maintained following the corporate-wide password management system/process.
• Immediate access to equipment and system logs must be granted to Infosec members upon demand.
• Changes to existing equipment and deployment of new equipment must follow and corporate governess or change management processes/procedures.

To verify compliance with this policy, Infosec will periodically audit DMZ equipment per the Audit Policy.

4.2  General Configuration Policy

All equipment must comply with the following configuration policy:

• Infosec must approve · Hardware, operating systems, services, and applications as part of the pre-deployment review phase.
• Operating system configuration must be done according to the secure host and router installation and configuration standards.
• All patches/hot-fixes recommended by the equipment vendor and Infosec must be installed. This applies to all services installed, even though those services may be temporarily or permanently disabled. Administrative owner groups must have processes in place to stay current on appropriate patches/hotfixes.
• Services and applications not serving business requirements must be disabled.
• Trust relationships between systems may only be introduced according to business requirements, must be documented, and must be approved by Infosec.
• Access control lists must restrict · Services and applications not for general access.
• Insecure services or protocols (as determined by Infosec) must be replaced with more secure equivalents whenever such exist.
• Remote administration must be performed over secure channels (e.g., encrypted network connections using SSH or IPSEC) or console access independent from the DMZ networks. Where a methodology for secure channel connections is not available, one-time passwords must be used for all access levels.
• All host content updates must occur over secure channels.
• Security-related events must be logged, and audit trails saved to Infosec-approved logs. Security-related events include (but are not limited to) the following:
  • User login failures.
  • Failure to obtain privileged access.
  • Access policy violations.
• Infosec will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified.

4.3  New Installations and Change Management Procedures

All new installations and changes to the configuration of existing equipment and applications must follow the following policies/procedures:

• New installations must be done via the DMZ Equipment Deployment Process.
• Configuration changes must follow the Corporate Change Management (CM) Procedures.
• Infosec must be invited to perform system/application audits before the deployment of new services.
• Infosec must be engaged, either directly or via CM, to approve all new deployments and configuration changes.

4.4  Equipment Outsourced to External Service Providers

The responsibility for the security of the equipment deployed by external service providers must be clarified in the contract with the service provider and security contacts, and escalation procedures documented. Contracting departments are responsible for third party compliance with this policy.

5. Policy Compliance

5.1  Compliance Measurement

The Infosec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

5.2  Exceptions

The Infosec team must approve any exception to the policy in advance.

5.3  Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

External service providers found to have violated this policy may be subject to financial penalties, up to and including termination of the contract.

6. Related Standards, Policies, and Processes

• 36. Internet DMZ Equipment Policy

Revised: March 14th, 2018

Table of Content

1. Acceptable Encryption Policy
2. Acceptable Use Policy
3. Clean Desc Policy
4. Data Breach Response Policy
5. Disaster Recovery Plan Policy
6. Digital Signature Acceptance Policy
7. Email Policy
8. Ethics Policy
9. Pandemic Response Planning Policy
10. Password Construction Guidelines
11. Password Protection Policy
12. Security Response Plan Policy
13. End User Encryption Key Protection Policy
14. Acquisition Assessment Policy
15. Bluetooth Baseline Requirements Policy
16. Remote Access Policy
17. Remote Access Tools Policy
18. Router and Switch Security Policy
19. Wireless Communication Policy
20. Wireless Communication Standard
21. Database Credentials Policy
22. Technology Equipment Disposal Policy
23. Information Logging Standard
24. Lab Security Policy
25. Server Security Policy 
26. Software Installation Policy
27. Workstation Security (For HIPAA) Policy
28. Web Application Security Policy
29.  Analog/ISDN Line Security Policy
30. Anti-Virus Guidelines
31. Server Audit Policy
32. Automatically Forwarded Email Policy
33. Communications Equipment Policy
34. Dial In Access Policy
35. Extranet Policy
36. Internet DMZ Equipment Policy
37. Internet Usage Policy
38. Mobile Device Encryption Policy
39. Personal Communication Devices and Voicemail Policy
40. Removable Media Policy
41. Risk Assessment Policy
42. Server Malware Protection Policy
43. Social Engineering Awareness Policy
44. DMZ Lab Security Policy
45. Email Retention Policy
46. Employee Internet Use Monitoring and Filtering Policy
47. Lab Anti Virus Policy
48. Mobile Employee Endpoint Responsibility Policy
49. Remote Access Mobile Computing Storage
50. Virtual Private Network Policy