Important: We take great care to ensure that all parties understand and appreciate the respective responsibilities relating to an infrastructure-as-a-service or self-managed environment. This document highlights and identifies these responsibilities to help our customers operate in a defined and mutually understood environment.
Contents

1 Introduction
2 Document Disclaimer
3 Our Responsibilities
   Security of Data Centres
   Hardware Maintenance
   Security Testing of Our Infrastructure
   Maintaining Security Best Practices
   Confidentiality of Our Services and Infrastructure
   Integrity of Our Services and Infrastructure
   Availability of Our Services and Infrastructure
   Principle of Least Privilege
   Service Availability
   Secure Destruction of Data, Hardware, Removable Media
   Secure Data Communications on Our Networks
   Incident Management on Our Networks
   Internet Connections
   Change Management
   Notification of Planned Outages
   Denial of Service Attacks
   Managed Firewall and VPN Concentrator
4 Typical Infrastructure Management Responsibilities of Customers
   Software Installation and Build
   Firewall Between On-Premise and Off-Premise Networks
   Hardening of the Host Operating System
   Change Default System Settings, Usernames and Passwords
   Applying Service Packs, Security Patches and Software Updates
   Maintaining Infrastructure Optimisation
   Testing/Quality Assurance of Applications and Services
   Event Logging
   Anti-virus and Anti-Malware Protection
   Backup
   Remote Administration and Maintenance
   Application and License Management
   Change Management
   Compliance with License Agreements, Local Legal and Regulatory Bodies
   Managing User Accounts
   Managing Passwords
   Operating System Failure
   First Line Support
   Customer Initiated Penetration Testing
   Managed Firewalls and VPN Concentrator
1 Introduction

Fasthosts is committed to building information security principles into everything it does and maintains or exceeds industry best practices. Fasthosts Dedicated and Virtual Servers are supplied on a Self-Managed basis. This document details the responsibilities of Fasthosts and its customers for infrastructure security within a Self-Managed service. It also offers recommendations on how customers can carry out these responsibilities.

2 Document Disclaimer

The customer using this document must be made aware that the contents of this document setting out the responsibilities of each party are shown as guidelines. This document is designed to demonstrate the typical and normal responsibilities of each party within an infrastructure-as-a-service (IaaS) or hosted environment to ensure there is a clear understanding of responsibilities. This document cannot cater for every eventuality, so customers should use the guidelines as examples and for indicative and understanding purposes only.

Fasthosts wishes to ensure that the customer accepts and understands the variety and complexity of possible solutions and services that may be made available, and that it is not feasible to provide comprehensive guidance for all circumstances and individual customer requirements. It is the customer's responsibility to ensure that they seek clarity or additional advice before making any assumptions on the applicable responsibilities, as each customer's circumstances may be different. This may therefore necessitate a modified set of responsibility requirements to be specified depending on the technical solution and products/services proposed. Fasthosts shall accept no responsibility for reliance on the guidelines or misinterpretations, and we recommend that the customer seeks prior clarification and advice from Fasthosts or an IaaS professional if they have queries or non-typical requirements, or require clarification on any related responsibility concern.
3 Our Responsibilities

Security of Data Centres

We are responsible for managing and protecting our Data Centres by:
- Conducting annual physical security reviews to ensure we adhere to policies and best practices.
- Escorting visitors while they're in data centres and signing them in and out of facilities.
- Restricting access to data centres with fences, gates, swipe-card entry systems and role-based privileges.
- Protecting facilities with out-of-hours security guards, CCTV monitoring and a reception that's manned 24/7/365.
- Maintaining operations during short-term power fluctuations with reserve power supplies, backups (e.g. uninterruptible power supply) and redundant generators, which we test regularly.
- Maintaining optimum environmental conditions in our data centres with air-conditioning systems, which we test regularly.
- Providing fire detection and suppression systems, which we test regularly.

Hardware Maintenance

We are responsible for maintaining optimum system performance in our data centres. How we maintain this performance differs depending upon the type of server you are using:

Virtual Private Servers
- Identifying and replacing faulty hardware.

Dedicated Servers
- Providing hardware support and investigating issues at the request of customers.
- Maintaining redundant hardware to transfer services to in the unlikely event of an outage.
- Monitoring business-critical hardware and resolving issues for customers.

Security Testing of Our Infrastructure

We are responsible for testing the security of our infrastructure by:
- Conducting regular security tests on our infrastructure and managing the results of tests through incident/risk management processes to resolve issues quickly.

Maintaining Security Best Practices

We are responsible for maintaining security best practices by:
- Utilising an Information Security Manager to manage and implement security standards and best practice.
- Regularly reviewing policies and updating them to follow best practice.
- Utilising an Information Security Steering Committee to approve and govern changes to policy.
- Clearly and comprehensively training all staff on current information security policies.
- Maintaining clear disciplinary policies and procedures, which we outline during employee inductions.

Confidentiality of Our Services and Infrastructure

We strive to protect the confidentiality of customer data by preventing our employees from accessing data unless customers provide them with root/admin access. We also use the following to ensure confidentiality:
- Reliable and interoperable security processes and network security mechanisms.
- Network security protocols.
- Network authentication services.
- Data encryption services.
- Physical entry controls.
- Additional hardening of internal operating systems depending upon their role, importance and location within our network.

We ensure that only engineers who need access to servers, infrastructure and networks get it. Employees who don't have a business requirement to access these can't do so without the approval of authorized personnel.

Integrity of Our Services and Infrastructure

We strive to protect the integrity of customer data by preventing our employees from accessing it and by using the following to ensure integrity:
- Multiple-level firewall services and network segmentation. Access depends upon business requirements and the services being accessed.
- Communications security management.

Availability of Our Services and Infrastructure

We strive to maintain the availability of customer data by implementing redundant internet connections, power supplies, generators, network infrastructure and storage area network (SAN) disks. We also use the following to ensure availability:
- Role-Based Access Control (RBAC).
- Redundant disk systems and internet connections.
- Acceptable login and operating process performance.

Service Availability

We are responsible for maintaining 99.99% availability for virtual private servers and 99.99% availability for dedicated servers.

Secure Destruction of Data, Hardware and Removable Media

We are responsible for securely destroying our data, hardware and removable media. We use accredited partners to securely destroy hardware such as hard disk drives and backup media. We cleanse hard disks before reusing them and test samples to ensure data can't be recovered; we do this with software that adheres to HMG CESG standards.

Secure Data Communications on Our Networks

We are responsible for maintaining secure communications in our private network by:
- Segmenting customers' networks to prevent unauthorized access.
- Encrypting virtual private network (VPN) tunnels with IPsec to protect traffic to customers' sites. (VPN tunnelling and managed firewalls are only available via our sales department.)

Incident Management on Our Networks

We are responsible for managing incidents on our network by:
- Following ITIL-based management processes to deal with incidents.
- Providing an incident manager who is on duty 24/7/365.

Internet Connections

We are responsible for maintaining internet connections for servers by using multiple 10Gb/s connections to the Internet and diverse routing, to ensure that connectivity is not lost due to a single failure.

Change Management

We are responsible for managing change associated with our infrastructure and minimising the impact to you wherever possible. We manage these changes by:
- Utilising a Change Manager who is responsible for change management processes.
- Following ITIL-based change management processes.
- Utilising a change management team to authorize change requests based upon role, location and importance in our network.

Notification of Planned Outages

We are responsible for notifying customers of planned outages and endeavour to provide at least 24 hours' notice of planned outages. In the majority of cases, we will provide notice earlier than this.

Note: We may give less notice for emergency maintenance needed to resolve high-risk security incidents that affect multiple customers.

Denial of Service Attacks

We are responsible for mitigating denial of service attacks from the Internet. We reserve the right to remove service for the duration of an attack, or until we can deploy a compensating control, if an attack threatens our wider infrastructure.

Managed Firewall and VPN Concentrator

We are responsible for initially configuring VPN concentrators and managed firewalls for customers. Our network engineers will initially configure systems to meet the requirements defined by customers. Once complete, we will transfer responsibility for these to customers.

Note: Managed firewalls and VPN concentrators are only available through our Sales department and cannot be purchased through your control panel.
4 Typical Infrastructure Management Responsibilities of Customers

Software Installation and Build

You are responsible for configuring servers to suit your requirements, including security policies. You can reset your servers to base configuration at any time. We provide our services with some elements pre-configured to enable them to work within our environment.

Quick tip: You can find hardening best practice guides at

We recommend that you:
- Apply hardening templates.
- Restrict access over unused ports.
- Disable unused features.

We recommend that you consider the following questions when configuring your servers:
- How do you secure data at rest and in motion?
- Who has access to data?
- What is available to the outside world?
- What should be implemented to protect data held in your systems?
- What controls are necessary to uphold your information security policies?

Firewall Between On-Premise and Off-Premise Networks

You are responsible for managing, implementing and adding firewalls between off-premise and on-premise networks. We recommend that you:
- Implement ingress and egress firewall policies at on-premise tunnel endpoints.
- Configure firewalls to only allow the inbound and outbound ports and IP addresses needed for the services in the off-premise environment.

Hardening of the Host Operating System

You are responsible for hardening your servers. We recommend that you:
- Implement strong password controls, such as a minimum length of eight characters for passwords, which must include at least one upper-case, lower-case and numeric character.
- Rename default administrator accounts, such as domain admin or root, with a meaningless value. Add a complex password and store this in a safe location.
- Create different accounts and apply limited privileges to these accounts for other users.
- Create specific accounts for third parties (including Fasthosts) that expire after a short time.
- If a third party has a shared privileged account, change the password or disable the account immediately after the third party completes their work.

Change Default System Settings, Usernames and Passwords

You are responsible for changing default system settings and operating-system passwords. We recommend you:
- Implement different user profiles for people who access the server directly.
- Use RBAC so that users can only access the services they need to do their jobs.
Applying Service Packs, Security Patches and Software Updates

You are responsible for applying and configuring service packs, security patches and software updates to your servers. We recommend you:
- Disable unused services.
- Configure a method to apply updates and security patches to servers.

Maintaining Infrastructure Optimisation

You are responsible for implementing any operating-system configuration changes recommended by us to optimise or secure your server on our infrastructure.

Best practice: You should update your server configuration in line with any revised best practices as recommended by us and your own change management process.

Testing/Quality Assurance of Applications and Services

You are responsible for conducting functionality testing and quality assurance of applications and services on your servers. We recommend that you:
- Ensure you have a good backup or snapshot of servers before deploying updates or patches.
- Deploy patches and updates regularly, to minimise the impact if something goes wrong and make it easier to identify causes.
- Test your applications after patches and updates to check they aren't affected.

Event Logging

You are responsible for monitoring the logs of systems, applications and servers. We recommend you:
- Set up event logging to move logs onto a different server and analyse them for security-related events. This will help define the correct defences for your services.
- Retain logs for a reasonable length of time, i.e. a minimum of one month but preferably a year.

Anti-virus and Anti-Malware Protection

You are responsible for deploying and managing anti-virus and anti-malware for your servers. We recommend you:
- Install anti-malware software and configure it to auto-update, or comply with your corporate anti-virus policies.

Backup

You are responsible for arranging backup for your servers. It is also your responsibility to back up your data and test your backup systems. We recommend you:
- Back up data and implement a regime that allows you to recover your business in the event of a disaster.
- Test your backup systems.
- Ensure your services have sufficient capacity to cope with peak loads.
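The Event Logging recommendation above (move logs onto a different server and analyse them for security-related events) is easier to act on with a concrete detector. The following Python script is an added example and is not code from the Fasthosts document: it parses constructed sshd authentication lines of the kind a central syslog server receives, raises an alert when one source address fails to authenticate repeatedly inside a short window, and raises a second, higher-priority alert if that same source later succeeds. The sample lines, the host name web01, the addresses, the threshold and the window are all this example's own assumptions; classic syslog lines carry no year, so the script supplies one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the classic syslog format sshd writes to auth.log.
# Addresses come from the RFC 5737 documentation ranges; nothing here is real.
SAMPLE_LOG = [
    "Mar  3 10:15:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2",
    "Mar  3 10:15:03 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 51023 ssh2",
    "Mar  3 10:15:06 web01 sshd[2205]: Failed password for root from 203.0.113.5 port 51024 ssh2",
    "Mar  3 10:15:09 web01 sshd[2207]: Failed password for root from 203.0.113.5 port 51025 ssh2",
    "Mar  3 10:15:12 web01 sshd[2209]: Failed password for root from 203.0.113.5 port 51026 ssh2",
    "Mar  3 10:15:20 web01 sshd[2211]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2",
    "Mar  3 10:16:40 web01 sshd[2213]: Accepted password for root from 203.0.113.5 port 51030 ssh2",
    "Mar  3 11:02:11 web01 sshd[2301]: Failed password for alice from 198.51.100.9 port 40200 ssh2",
    "Mar  3 11:02:12 web01 CRON[2310]: pam_unix(cron:session): session opened for user root",
]

LOG_YEAR = 2024  # assumption: syslog timestamps carry no year, so one is supplied

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd authentication event, or None for lines not modelled."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window detector over the parsed events, processed in time order.

    Alerts are tuples:
      ("bruteforce", src, time_flagged, failures_in_window)
      ("success_after_bruteforce", src, time, user)
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    flagged = {}                  # src -> when it crossed the threshold
    alerts = []
    for e in events:
        if e["result"] == "Failed":
            q = recent[e["src"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # expire failures older than the window
                q.popleft()
            if len(q) >= threshold and e["src"] not in flagged:
                flagged[e["src"]] = e["ts"]
                alerts.append(("bruteforce", e["src"], e["ts"], len(q)))
        elif e["src"] in flagged:                  # "Accepted" from a flagged source
            alerts.append(("success_after_bruteforce", e["src"], e["ts"], e["user"]))
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(*alert)
```

The forwarding itself is done by the syslog daemon (for rsyslog the standard directive `*.* @@loghost:514` sends everything to a collector over TCP); the point of running the analysis on the collector rather than on the server is that an intruder who gains root on the server cannot erase the copy the collector already holds, which is also what makes the one-month-to-one-year retention above worthwhile.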
Remote Administration and Maintenance

You are responsible for managing servers and firewalls provided by us via the remote access VPN portal. We recommend you:
- Conduct remote administration and maintenance securely. We can provide a secure remote access VPN to maintain servers and firewalls. (Only available via our Sales department.)
- Do not expose management interfaces to the Internet or allow weak authentication controls.

Application and License Management

You are responsible for maintaining applications to support your servers and for ensuring you have licenses for your applications. We recommend you:
- Ensure you have sufficient processes in place to maintain your applications.

Change Management

You are responsible for managing change associated with your servers. We recommend you:
- Implement a change-management process. This will make it easier to identify reasons for a failure and restore systems.

Compliance with License Agreements, Local Legal and Regulatory Bodies

You are responsible for ensuring compliance with license requirements and legal and regulatory bodies. We recommend you:
- Pay attention to local regulations that may affect you.

Managing User Accounts

You are responsible for managing user accounts in line with your procedures. We recommend you:
- Create individual accounts for users who access your systems.

Managing Passwords

You are responsible for managing passwords in line with your procedures. We recommend you implement strong password-management policies, for example:
- Password length is set between eight and 15 characters.
- Force password change at first logon.
- Enforce password expiry; the suggested maximum age is 45 days.
- Enforce password history, preventing users from reusing their previous n passwords, where n is between 0 and 9.

Operating System Failure

You are responsible for maintaining your operating systems. We recommend you:
- Employ appropriately skilled engineers to manage your servers.

First Line Support

You are responsible for managing all first-line support issues. We recommend you:
- Provide first-line support and build processes to authenticate users who contact your service desks requesting access to your systems.

Customer Initiated Penetration Testing

You are responsible for penetration testing. These responsibilities include:
- Obtaining authorization from ourselves and any other customers involved in testing.
- Customers MUST submit a request to test at least five working days before penetration testing or vulnerability scanning activity.

Important: We will suspend services of customers who do not comply with this.

- Ensuring that only experienced employees or professional third-party consultancies conduct penetration tests and vulnerability scans.
- Outlining details of penetration tests or vulnerability scans to ourselves. This must include:
  o Time frame for the test.
  o Testing scope.
  o IP addresses involved.
  o Key contacts.
- Getting third-party testing organizations to complete a Fasthosts non-disclosure agreement before testing or scanning.
- Informing the Fasthosts Service Desk of test results that may adversely affect Fasthosts, such as denial of service.
- Reporting vulnerabilities identified in the Fasthosts infrastructure.

Please note that if our support teams aren't aware that you are testing, it is likely that they will deploy mitigating controls and blocks to stop the attack.

Best practice: Conduct penetration tests or vulnerability scanning once Rise has deployed their services. This is to ensure that partners' configurations follow best practice and don't have any security weaknesses.

Managed Firewalls and VPN Concentrator

You are responsible for configuring your end of a VPN tunnel. We recommend you:
- Lock down firewall configurations and only allow the inbound and outbound ports and IP addresses the application requires.

Note: Managed firewalls and VPN concentrators are only available through our Sales department and cannot be purchased through your control panel.
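The Managing Passwords and Hardening of the Host Operating System items above name the controls (length between eight and 15 characters, at least one upper-case, lower-case and numeric character, a forced change at first logon, a history of the previous n passwords, a 45-day maximum age) but not how a system enforces them. The following Python module is an added example, not code from the Fasthosts document, that implements those rules for a single account. Passwords are stored only as salted PBKDF2 hashes, so the history check re-hashes the candidate under each stored salt rather than comparing plaintext. The class and function names, the choice of PBKDF2-HMAC-SHA256 with 100,000 iterations, and the history depth of nine are this example's own assumptions.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Policy values taken from the recommendations above.
MIN_LENGTH, MAX_LENGTH = 8, 15      # "between eight and 15 characters"
MAX_AGE = timedelta(days=45)        # "suggested maximum age is 45 days"
HISTORY_DEPTH = 9                   # previous n passwords remembered; n is in 0..9

# Assumption of this example: PBKDF2-HMAC-SHA256 for storage. Plaintext is never kept.
PBKDF2_ROUNDS = 100_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _new_entry(password):
    """Store each password under its own random salt as a (salt, digest) pair."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def _matches(password, entry):
    salt, digest = entry
    return hmac.compare_digest(_hash(password, salt), digest)


def complexity_errors(password):
    """Return the policy rules a candidate password breaks (empty list means it passes)."""
    errors = []
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        errors.append(f"length must be {MIN_LENGTH}-{MAX_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("needs an upper-case letter")
    if not any(c.islower() for c in password):
        errors.append("needs a lower-case letter")
    if not any(c.isdigit() for c in password):
        errors.append("needs a digit")
    return errors


class PasswordRecord:
    """Per-account state: current hash, recent history, date of last change, first-logon flag."""

    def __init__(self, initial_password, set_on):
        self.current = _new_entry(initial_password)
        self.history = []            # (salt, digest) of previous passwords, newest first
        self.changed_on = set_on
        self.must_change = True      # the initial password must be changed at first logon


def must_change_password(rec, today):
    """True while the account is on its initial password or the current one has expired."""
    return rec.must_change or (today - rec.changed_on) > MAX_AGE


def change_password(rec, new_password, today):
    """Apply the policy; on success rotate the record and return [], otherwise the errors."""
    errors = complexity_errors(new_password)
    if errors:
        return errors
    if any(_matches(new_password, e) for e in [rec.current] + rec.history[:HISTORY_DEPTH]):
        return ["password was used recently"]
    rec.history.insert(0, rec.current)
    del rec.history[HISTORY_DEPTH:]      # keep only the last n
    rec.current = _new_entry(new_password)
    rec.changed_on = today
    rec.must_change = False
    return []


if __name__ == "__main__":
    rec = PasswordRecord("Initial1pw", date(2024, 1, 1))   # constructed account
    print(must_change_password(rec, date(2024, 1, 1)))     # first logon
    print(change_password(rec, "Winter2024x", date(2024, 1, 1)))
    print(must_change_password(rec, date(2024, 2, 16)))    # 46 days later
```

Note that the "must include" complexity rules and the upper bound of 15 characters are reproduced exactly because the document recommends them; a short maximum length is unusual today, and anyone adapting this for an operating system with a 14-character limit on legacy LM hashes should check the system's own constraints before tightening or loosening the constants.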