U06 IT Infrastructure Policy




Dartmoor National Park Authority
U06 IT Infrastructure Policy
June 2010

This document is copyright to Dartmoor National Park Authority and should not be used or adapted for any purpose without the agreement of the Authority.

Target Audience: ICT

Contents
Document Control 2
Document Amendment History 2
1 Purpose 3
2 Scope 3
3 Governance factors 3
4 Operational Rules 3
5 Back Up rules 4
6 Protection of Electronic resources 4
7 Firewall Configuration 5
8 Wireless networks 6
9 Transaction recording 6
10 Change Control 7
11 Breach procedures 7
12 Review and Revision 7

Document Control
Organisation: Dartmoor National Park Authority
Title: IT Infrastructure Policy
Creator: John Finch (Devon Information Security Partnership)
Source:
Approvals:
Distribution:
Filename: 4-U06-DNPA IT Infrastructure Policy.docx
Owner: Head of ICT Service
Subject: Information Security
Protective Marking: None
Review date:

Document Amendment History
Revision No. | Originator of change | Date of change | Description
0.1 | John Finch | 1/10/2007 | Initial release for comment to ISD Team Leaders
1.0 | Ali Bright | June 2010 | Adapted for use at DNPA

Only current as an electronic version on Parknet. Page 2 of 7

1 Purpose
1.1 Dartmoor National Park Authority provides access to facilities and computer resources to help you to do your job more efficiently and effectively. This sub-policy has been developed to ensure that the availability, confidentiality and integrity of the computer systems, and of the information processed on them, are not compromised.

2 Scope
2.1 This policy applies to all Members, Employees of the Authority, Partners, contractual third parties and agents of the Authority.
2.2 The target audience of this policy is the IT staff responsible for configuring and implementing the IT infrastructure.

3 Governance factors
3.1 Controls on the ICT infrastructure configuration arise from the rules predefined in the Codes of Connection required to allow the Authority to use secure networks, both those to which connections already exist and others to which it might connect in the future.
3.2 Examples of secure networks include, but are not limited to:
3.2.1 Government Connect
3.2.2 Payment Card Industry Data Security Standard (PCI DSS)

4 Operational Rules
4.1 All servers must be assigned static IP addresses.
4.2 All servers must be configured to withhold technical details.
4.3 All open ports on servers must be defined and recorded in a centralised spreadsheet available only to authorised staff.
4.4 The internal IP address block schema must comply with RFC 1918.
4.5 A proxy is not used for SMTP services.
4.6 A proxy must be used for access to all HTTP services.
4.7 All hosts must be authenticated by a proxy.
4.8 All users must be authenticated by a proxy.
4.9 Protocol checking is not performed by a proxy.
4.10 The network will be scanned for vulnerabilities quarterly.
4.11 All vulnerability scanning will be hosted on an independent computer.

4.12 Vulnerability scanning will be undertaken using a tool to be determined.
4.13 All vulnerability scanning tools must have their signatures updated monthly.
4.14 Email headers are not obfuscated at the gateway.
4.15 All malware scanning information must be removed from email headers.
4.16 The mail transport agent must be capable of SMTP.
4.17 All mail transfers must be initiated by the internal mail server.
4.18 Countermeasures should be deployed to ensure spoofed mail is not received.
4.19 Before any implementation of Voice over IP, due regard must be given to the security of the connection.

5 Back Up rules
5.1 The scheme used for the organisation's backups is Grandfather-Father-Son.
5.2 All tape backups must be stored offsite.
5.3 Backups of the organisation's data will take place daily.
5.4 Backups of the organisation's server files will take place daily.
5.5 The organisation's desktop computers will not be backed up.
5.6 A routine test of a backup recovery will take place monthly.
5.7 Before every major change, a backup of the affected system must be taken.
5.8 A full system recovery routine will be tested on an ad-hoc basis.

6 Protection of Electronic resources
6.1 The organisation has not implemented an intrusion detection or prevention system.
6.2 The organisation does not monitor any intrusion detection or prevention system alerts.
6.3 The organisation does not currently apply any updates to an intrusion detection or prevention system.
6.4 Any future implementation of an intrusion detection or prevention system will be connected to one network point.
6.5 Any future implementation of an intrusion detection or prevention system management station will be accessed by authorised users only.
6.6 All unused services and protocols should be removed from all servers and desktops.

6.7 All Internet applications are to be developed to standards which secure them from scripting attacks.
6.8 It is the responsibility of ICT Service to install all network devices.
6.9 Wherever possible, all network devices should be owned by Dartmoor National Park Authority.
6.10 All standard infrastructure equipment must be secured to CESG recommendations.
6.11 All public facing systems and web facing applications must be penetration tested annually.
6.12 All default security settings on all network connected devices must be changed to a value unique to the organisation.
6.13 All default accounts on all network connected devices must be disabled, wherever possible.

7 Firewall Configuration
7.1 All of the organisation's infrastructure must be protected from external networks by a firewall.
7.2 The firewall used by the organisation will use stateful inspection filtering.
7.3 The firewall rule set will be reviewed quarterly.
7.4 Each connection to the Internet must be protected by the firewall.
7.5 The firewall will use NAT to obscure all internal addresses from external networks.
7.6 All services and ports that are allowed must be documented within the configuration of the firewall.
7.7 The requirement for enabling a protocol within the firewall is a justified and documented business case.
7.8 The default settings for the firewall must be to deny access to untrusted networks. Access to untrusted networks can only be allowed if there is a justified and documented business case.
7.9 The primary location of the firewall database must be on the internal network.
7.10 The default configuration for the firewall must be to deny inbound and outbound traffic, unless there is a justified and documented business case to allow a particular route.
7.11 The firewall must be subject to formalised change management.
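The server rules in section 4 (4.3, the central register of open ports, and 4.4, RFC 1918 internal addressing) and the firewall rules 7.6 to 7.10 (every permitted service documented, a justified business case for each permit, default deny inbound and outbound) can be checked mechanically as part of the quarterly rule set review required by 7.3. The Python script below is an added example and is not part of the Authority's policy or tooling: the CSV layouts of the firewall export and the port register, and every host, address and rule in them, are constructed assumptions for illustration only.

```python
"""Audit a firewall rule export against the IT Infrastructure Policy.

Checks implemented (section numbers refer to the policy above):
  4.3  every inbound permit targets a port recorded in the central register
  4.4  every internal address is inside an RFC 1918 block
  7.7  every permit rule carries a documented business case
  7.10 an explicit default deny exists for inbound and outbound traffic

Added example. The CSV layouts, host names and addresses below are
constructed assumptions, not a real firewall or DNPA export format.
"""
import csv
import io
import ipaddress

# Spelled out deliberately: ipaddress's is_private also matches loopback,
# link-local, documentation (192.0.2.0/24 etc.) and other reserved blocks,
# so a misaddressed server could pass rule 4.4 unnoticed with that test.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True only for an address inside one of the three RFC 1918 blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # "any", hostnames, malformed strings
        return False
    return any(ip in net for net in RFC1918)


# Constructed central register of open ports (rule 4.3).
SERVER_REGISTER = """\
host,ip,port,service
web01,192.168.10.5,443,HTTPS
mail01,192.168.10.6,25,SMTP
proxy01,192.168.10.20,3128,HTTP proxy
"""

# Constructed firewall export. internal_host is the server exposed by an
# inbound rule or the originating host of an outbound rule; justification
# is the documented business case required by 7.7. Rows default-outbound,
# r3 and r4 are deliberately non-compliant.
FIREWALL_EXPORT = """\
id,direction,action,proto,internal_host,port,justification
default-inbound,inbound,deny,any,any,any,Policy 7.10 default deny
default-outbound,outbound,permit,any,any,any,
r1,inbound,permit,tcp,192.168.10.5,443,Public website (change CR-0412)
r2,inbound,permit,tcp,192.168.10.6,25,Inbound mail to internal MTA
r3,inbound,permit,tcp,192.168.10.5,8080,
r4,inbound,permit,tcp,203.0.113.20,22,Vendor remote support
r5,outbound,permit,tcp,192.168.10.20,3128,Proxy outbound HTTP (rule 4.6)
"""


def audit(firewall_csv: str, register_csv: str) -> list:
    """Return one finding string per policy violation; empty means compliant."""
    findings = []
    register = list(csv.DictReader(io.StringIO(register_csv)))
    open_ports = {(r["ip"], r["port"]) for r in register}
    for r in register:
        if not is_rfc1918(r["ip"]):
            findings.append(f"register {r['host']}: {r['ip']} is outside RFC 1918 (4.4)")

    seen_defaults = set()
    for rule in csv.DictReader(io.StringIO(firewall_csv)):
        rid, direction = rule["id"], rule["direction"]
        if rid.startswith("default-"):
            seen_defaults.add(direction)
            if rule["action"] != "deny":
                findings.append(f"{rid}: default {direction} action is "
                                f"{rule['action']}, 7.10 requires deny")
            continue
        if rule["action"] != "permit":
            continue                 # explicit denies need no business case
        host, port = rule["internal_host"], rule["port"]
        if not rule["justification"].strip():
            findings.append(f"{rid}: permit rule without documented business case (7.7)")
        if not is_rfc1918(host):
            findings.append(f"{rid}: internal host {host} is outside RFC 1918 (4.4)")
        # The register records listening ports on our servers, so only
        # inbound permits are compared with it; an outbound rule's port
        # belongs to the remote service, not to a host we register.
        if direction == "inbound" and (host, port) not in open_ports:
            findings.append(f"{rid}: {rule['proto']}/{port} on {host} "
                            f"is not in the open-port register (4.3)")

    for direction in ("inbound", "outbound"):
        if direction not in seen_defaults:
            findings.append(f"no default-{direction} rule: 7.10 requires an explicit default deny")
    return findings


if __name__ == "__main__":
    for finding in audit(FIREWALL_EXPORT, SERVER_REGISTER):
        print(finding)
```

Run against the constructed data the script reports five findings: the outbound default is permit rather than deny, r3 has no business case and exposes an unregistered port, and r4 both points at a non-RFC 1918 address and exposes a port absent from the register. The RFC 1918 test is written out rather than using `ipaddress`'s `is_private`, because that property also accepts loopback, link-local and documentation ranges and so is not the check rule 4.4 asks for.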

7.12 All firewall activity must be logged in a secured log book.
7.13 A personal firewall is implemented on the organisation's laptop computers with a VPN connection installed.
7.14 A personal firewall is not implemented on the organisation's desktop computers.
7.15 Installations of the personal firewall are set to deny by default.
7.16 Changes to the settings of personal firewalls can only be made by authorised Network Administrators.

8 Wireless networks
8.1 Access to all wireless routers must be restricted only to authorised Network Administrators.
8.2 The default vendor settings on all wireless routers must be changed.
8.3 Each access to the organisation's private wireless networks must require authorisation.
8.4 The SSL encryption level used on wireless networks must be a minimum of 128-bit.
8.5 The minimum level of wireless encryption protocol used must be WPA2, except on public wireless access.
8.6 The encryption keys will not be rotated on a regular basis.
8.7 All wireless networks must be separated from the internal network by the firewall.
8.8 An audit to identify all wireless devices owned by the organisation will be undertaken annually.

9 Transaction recording
9.1 Each successful login to the organisation's network must be logged electronically.
9.2 Each failure to login to the organisation's network must be logged electronically.
9.3 Each failed access to PRIVATE files or folders stored on the corporate network must be logged for all accounts.
9.4 Each access to the Internet from the organisation's network must be logged electronically for all accounts.
9.5 Each access to files stored on the corporate network must be logged for administrator accounts only.
9.6 External connections and activities must be logged electronically.
9.7 All logs will be retained for a minimum period of 93 days.

9.8 All logs will be protected by being stored in a secure folder.
9.9 All the organisation's ICT infrastructure will synchronise with a single time source.
9.10 All log files must be date and time stamped.
9.11 All clocks must be synchronised.
9.12 All relevant log files must be made available to investigators as part of any investigations being undertaken.

10 Change Control
10.1 Formal change management procedures must be used on all business critical live systems.
10.2 All changes within the organisation are approved by the appropriate data or system owner.
10.3 All changes must be logged.
10.4 The risk and impact of every change must be documented.
10.5 Operational functionality must be tested before any change is implemented.
10.6 Back-out procedures must be developed before the implementation of any change.

11 Breach procedures
11.1 Users who do not adhere to this policy will be dealt with through the Authority's disciplinary process.
11.2 For Members, the Monitoring Officer in association with the Chief Executive will ensure appropriate action is taken.
11.3 Where external service providers, agents or contractors breach the policy, this should be addressed through contract arrangements.
11.4 Where the public have access to the Dartmoor National Park Authority system, that access will be withdrawn if there is an actual or likely breach of information security, until adequate controls are in place.

12 Review and Revision
12.1 This policy will be reviewed annually by the Head of ICT and revised according to developments in legislation, guidance, accepted good practice and operational use.