Internet DMZ Equipment Policy

1. Overview

See Purpose.

2. Purpose

The purpose of this policy is to define standards to be met by all equipment owned and/or operated by eCuras located outside eCuras’s corporate Internet firewalls. These standards are designed to minimize the potential exposure to eCuras from the loss of sensitive or company confidential data, intellectual property, damage to public image, etc., which may follow from unauthorized use of eCuras resources.

Internet-facing devices located outside the eCuras firewall are considered part of the “demilitarized zone” (DMZ) and are subject to this policy. These devices (network and host) are particularly vulnerable to attack from the Internet since they reside outside the corporate firewalls.

The policy defines the following standards:

3. Scope

All equipment or devices deployed in a DMZ owned and/or operated by eCuras (including hosts, routers, switches, etc.) and/or registered in any Domain Name System (DNS) domain owned by eCuras must follow this policy.

This policy also covers any host device outsourced or hosted at external/third-party service providers if that equipment resides in the “eCuras.com” domain or appears to be owned by eCuras.

All new equipment that falls under this policy’s scope must be configured according to the referenced configuration documents unless a waiver is obtained from Infosec. All existing and future equipment deployed on eCuras’s un-trusted networks must comply with this policy.

4. Policy

4.1  Ownership and Responsibilities

Equipment and applications within this policy’s scope must be administered by support groups approved by Infosec for DMZ system, application, and/or network management.

Support groups will be responsible for the following:

To verify compliance with this policy, Infosec will periodically audit DMZ equipment per the Audit Policy.

4.2  General Configuration Policy

All equipment must comply with the following configuration policy:

4.3  New Installations and Change Management Procedures

All new installations and changes to the configuration of existing equipment and applications must follow these policies/procedures:

4.4  Equipment Outsourced to External Service Providers

The responsibility for the security of equipment deployed by external service providers must be clarified in the contract with the service provider, and security contacts and escalation procedures must be documented. Contracting departments are responsible for third-party compliance with this policy.

5. Policy Compliance

5.1  Compliance Measurement

The Infosec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

5.2  Exceptions

The Infosec team must approve any exception to the policy in advance.

5.3  Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

External service providers found to have violated this policy may be subject to financial penalties, up to and including termination of the contract.

6. Related Standards, Policies, and Processes

Revised: March 14th, 2018

Table of Contents

  1. Acceptable Encryption Policy
  2. Acceptable Use Policy
  3. Clean Desk Policy
  4. Data Breach Response Policy
  5. Disaster Recovery Plan Policy
  6. Digital Signature Acceptance Policy
  7. Email Policy
  8. Ethics Policy
  9. Pandemic Response Planning Policy
  10. Password Construction Guidelines
  11. Password Protection Policy
  12. Security Response Plan Policy
  13. End User Encryption Key Protection Policy
  14. Acquisition Assessment Policy
  15. Bluetooth Baseline Requirements Policy
  16. Remote Access Policy
  17. Remote Access Tools Policy
  18. Router and Switch Security Policy
  19. Wireless Communication Policy
  20. Wireless Communication Standard
  21. Database Credentials Policy
  22. Technology Equipment Disposal Policy
  23. Information Logging Standard
  24. Lab Security Policy
  25. Server Security Policy
  26. Software Installation Policy
  27. Workstation Security (For HIPAA) Policy
  28. Web Application Security Policy
  29. Analog/ISDN Line Security Policy
  30. Anti-Virus Guidelines
  31. Server Audit Policy
  32. Automatically Forwarded Email Policy
  33. Communications Equipment Policy
  34. Dial In Access Policy
  35. Extranet Policy
  36. Internet DMZ Equipment Policy
  37. Internet Usage Policy
  38. Mobile Device Encryption Policy
  39. Personal Communication Devices and Voicemail Policy
  40. Removable Media Policy
  41. Risk Assessment Policy
  42. Server Malware Protection Policy
  43. Social Engineering Awareness Policy
  44. DMZ Lab Security Policy
  45. Email Retention Policy
  46. Employee Internet Use Monitoring and Filtering Policy
  47. Lab Anti Virus Policy
  48. Mobile Employee Endpoint Responsibility Policy
  49. Remote Access Mobile Computing Storage
  50. Virtual Private Network Policy