THIS IS A SAMPLE! Feel free to use or modify it for your own use! Want a Policies and Procedures Wiki like this? Sign up for a Staff.Wiki trial by clicking here.

Internet DMZ Equipment Policy

Purpose

The purpose of this policy is to define standards to be met by all equipment owned and/or operated by (^Company^) located outside (^Company^)'s corporate Internet firewalls. These standards are designed to minimize the potential exposure to (^Company^) from the loss of sensitive or company confidential data, intellectual property, damage to public image etc., which may follow from unauthorized use of (^Company^) resources. 

Devices that are Internet facing and outside the (^Company^) firewall are considered part of the "de-militarized zone" (DMZ) and are subject to this policy. These devices (network and host) are particularly vulnerable to attack from the Internet since they reside outside the corporate firewalls. 

The policy defines the following standards:

  • Ownership responsibility 
  • Secure configuration requirements 
  • Operational requirements 
  • Change control requirement 

Scope

All equipment or devices deployed in a DMZ owned and/or operated by (^Company^) (including hosts, routers, switches, etc.) and/or registered in any Domain Name System (DNS) domain owned by (^Company^), must follow this policy.

This policy also covers any host device outsourced or hosted at external/third-party service providers, if that equipment resides in the "(^Company^).com" domain or appears to be owned by (^Company^).

All new equipment which falls under the scope of this policy must be configured according to the referenced configuration documents, unless a waiver is obtained from Infosec. All existing and future equipment deployed on (^Company^)'s un-trusted networks must comply with this policy.

Policy

Ownership and Responsibilities

Equipment and applications within the scope of this policy must be administered by support groups approved by Infosec for DMZ system, application, and/or network management.

Support groups will be responsible for the following:

  • Equipment must be documented in the corporate wide enterprise management system. At a minimum, the following information is required:
    • Host contacts and location.
    • Hardware and operating system/version. 
    • Main functions and applications. 
    • Password groups for privileged passwords.

  • Network interfaces must have appropriate Domain Name Server (DNS) records (minimum of A and PTR records).
  • Password groups must be maintained in accordance with the corporate wide password management system/process.
  • Immediate access to equipment and system logs must be granted to members of Infosec upon demand, per the Audit Policy. 
  • Changes to existing equipment and deployment of new equipment must follow and corporate governess or change management processes/procedures.

To verify compliance with this policy, Infosec will periodically audit DMZ equipment per the Audit Policy.

General Configuration Policy

All equipment must comply with the following configuration policy:

  • Hardware, operating systems, services and applications must be approved by Infosec as part of the pre-deployment review phase.
  • Operating system configuration must be done according to the secure host and router installation and configuration standards [Insert a reference to any standards that you have]
  • All patches/hot-fixes recommended by the equipment vendor and Infosec must be installed. This applies to all services installed, even though those services may be temporarily or permanently disabled. Administrative owner groups must have processes in place to stay current on appropriate patches/hotfixes.
  • Services and applications not serving business requirements must be disabled.
  • Trust relationships between systems may only be introduced according to business requirements, must be documented, and must be approved by Infosec.
  • Services and applications not for general access must be restricted by access control lists.
  • Insecure services or protocols (as determined by Infosec) must be replaced with more secure equivalents whenever such exist.
  • Remote administration must be performed over secure channels (e.g., encrypted network connections using SSH or IPSEC) or console access independent from the DMZ networks. Where a methodology for secure channel connections is not available, one-time passwords must be used for all access levels. 
  • All host content updates must occur over secure channels. 
  • Security-related events must be logged and audit trails saved to Infosec-approved logs.
  • Security-related events include (but are not limited to) the following:

    • User login failures.
    • Failure to obtain privileged access.
    • Access policy violations.

  • Infosec will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified.

New Installations and Change Management Procedures

All new installations and changes to the configuration of existing equipment and applications must follow the following policies/procedures:

  • New installations must be done via the DMZ Equipment Deployment Process.
  • Configuration changes must follow the Corporate Change Management (CM) Procedures. 
  • Infosec must be invited to perform system/application audits prior to the deployment of new services.
  • Infosec must be engaged, either directly or via CM, to approve all new deployments and configuration changes.

Equipment Outsourced to External Service Providers

The responsibility for the security of the equipment deployed by external service providers must be clarified in the contract with the service provider and security contacts, and escalation procedures documented. Contracting departments are responsible for third party compliance with this policy.

Policy Compliance

Compliance Measurement

The Infosec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Infosec team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 

External service providers found to have violated this policy may be subject to financial penalties, up to and including termination of contract.

Related Standards, Policies and Processes

  • DMZ Equipment Deployment Process
  • Audit Policy

Definitions and Terms

The following definition and terms can be found in the SANS Glossary located at:

https://www.sans.org/security-resources/glossary-of-terms/

  • DMZ
  • Secured Channel
  • Untrusted Network

Want a Policies & Procedures Wiki like this? Sign up and try Staff.Wiki by clicking here.

Next Topic:
© Copyright 2024 WorkflowFirst Software LLC
v6.0.0.14094
Up Since 5/7/2024 10:53:17 PM