Important: We take great care to ensure that all parties understand and appreciate the respective responsibilities relating to an infrastructure-as-a-service or self-managed environment. This document highlights and identifies these responsibilities to help our customers operate in a defined and mutually understood environment.
Contents

1 Introduction
2 Document Disclaimer
3 Our Responsibilities
3.1 Security of Data Centres
3.2 Hardware Maintenance
3.3 Security Testing of Our Infrastructure
3.4 Maintaining Security Best Practices
3.5 Confidentiality of Our Services and Infrastructure
3.6 Integrity of Our Services and Infrastructure
3.7 Availability of Our Services and Infrastructure
3.8 Principle of Least Privilege
3.9 Service Availability
3.10 Secure Destruction of Data, Hardware, Removable Media
3.11 Secure Data Communications on Our Networks
3.12 Incident Management on Our Networks
3.13 Internet Connections
3.14 Change Management
3.15 Notification of Planned Outages
3.16 Denial of Service Attacks
3.17 Managed Firewall and VPN Concentrator
4 Typical Infrastructure Management Responsibilities of Customers
4.1 Software Installation and Build
4.2 Firewall Between On-Premise and Off-Premise Networks
4.3 Hardening of the Host Operating System
4.4 Change Default System Settings, Usernames and Passwords
4.5 Applying Service Packs, Security Patches and Software Updates
4.6 Maintaining Infrastructure Optimization
4.7 Testing/Quality Assurance of Applications and Services
4.8 Event Logging
4.9 Anti-virus and Anti-Malware Protection
4.10 Backup
4.11 Remote Administration and Maintenance
4.12 Application and License Management
4.13 Change Management
4.14 Compliance with License Agreements, Local Legal and Regulatory Bodies
4.15 Managing User Accounts
4.16 Managing Passwords
4.17 Operating System Failure
4.18 First Line Support
4.19 Customer Initiated Penetration Testing
4.20 Managed Firewalls and VPN Concentrator
1 Introduction

Fasthosts is committed to building information security principles into everything it does and maintains or exceeds industry best practices. Fasthosts Dedicated and Virtual Servers are supplied on a Self-Managed basis. This document details the responsibilities of Fasthosts and its customers for infrastructure security within a Self-Managed service. It also offers recommendations on how customers can carry out these responsibilities.

2 Document Disclaimer

The customer using this document must be made aware that the contents of this document setting out the responsibilities of each party are shown as guidelines. This document is designed to demonstrate the typical and normal responsibilities of each party within an infrastructure-as-a-service (IaaS) or hosted environment to ensure there is a clear understanding of responsibilities. This document cannot cater for every eventuality, so customers should use the guidelines as examples and for indicative and understanding purposes only.

Fasthosts wishes to ensure that the customer accepts and understands the variety and complexity of possible solutions and services that may be made available, and that it is not feasible to provide comprehensive guidance for all circumstances and individual customer requirements. It is the customer's responsibility to seek clarity or additional advice before making any assumptions about the applicable responsibilities, as each customer's circumstances may be different. This may therefore necessitate a modified set of responsibility requirements to be specified, depending on the technical solution and the products/services proposed. Fasthosts shall accept no responsibility for reliance on the guidelines or for misinterpretations, and we recommend that the customer seeks prior clarification and advice from Fasthosts or an IaaS professional if they have queries or non-typical requirements, or require clarification on any related responsibility concern.
3 Our Responsibilities

3.1 Security of Data Centres

We are responsible for managing and protecting our Data Centres by:
- Conducting annual physical security reviews to ensure we adhere to policies and best practices.
- Escorting visitors while they're in data centres and signing them in and out of facilities.
- Restricting access to data centres with fences, gates, swipe-card entry systems and role-based privileges.
- Protecting facilities with out-of-hours security guards, CCTV monitoring and a reception that's manned 24/7/365.
- Maintaining operations during short-term power fluctuations with reserve power supplies, backups (e.g. uninterruptible power supply) and redundant generators, which we test regularly.
- Maintaining optimum environmental conditions in our data centres with air-conditioning systems, which we test regularly.
- Providing fire detection and suppression systems, which we test regularly.

3.2 Hardware Maintenance

We are responsible for maintaining optimum system performance in our data centres. How we maintain this performance differs depending upon the type of server you are using:

Dedicated Servers
- Providing hardware support and investigating issues at the request of customers.
- Maintaining redundant hardware to transfer services to in the unlikely event of an outage.

Virtual Private Servers
- Monitoring business-critical hardware and resolving issues for customers.
- Identifying and replacing faulty hardware.

3.3 Security Testing of Our Infrastructure

We are responsible for testing the security of our infrastructure by:
- Conducting regular security tests on our infrastructure and managing the results of tests through incident/risk management processes to resolve issues quickly.

3.4 Maintaining Security Best Practices

We are responsible for maintaining security best practices by:
- Utilising an Information Security Manager to manage and implement security standards and best practice.
- Regularly reviewing policies and updating them to follow best practice.
- Utilising an Information Security Steering Committee to approve and govern changes to policy.
- Clearly and comprehensively training all staff on current information policies.
- Maintaining clear disciplinary policies and procedures, which are outlined during employee inductions.

3.5 Confidentiality of Our Services and Infrastructure

We strive to protect the confidentiality of customer data by preventing our employees from accessing data unless customers provide them with root/admin access. We also use the following to ensure confidentiality:
- Reliable and interoperable security processes and network security mechanisms.
- Network security protocols.
- Network authentication services.
- Data encryption services.
- Physical entry controls.
- Additional hardening of internal operating systems depending upon their role, importance and location within our network.

3.6 Integrity of Our Services and Infrastructure

We strive to protect the integrity of customer data by preventing our employees from accessing it, and use the following to ensure integrity:
- Multiple-level firewall services and network segmentation. Access depends upon business requirements and the services being accessed.
- Communications security management.

3.7 Availability of Our Services and Infrastructure

We strive to maintain the availability of customer data by implementing redundant internet connections, power supplies, generators, network infrastructure and storage area network (SAN) disks. We will also use the following to ensure availability:
- Role Based Access Control (RBAC).
- Redundant disk systems and internet connections.
- Acceptable logins and operating process performance.

3.8 Principle of Least Privilege

We ensure that only engineers who need access to servers, infrastructure and networks get it. Employees who don't have a business requirement to access these can't do so without authorized personnel.

3.9 Service Availability

We are responsible for maintaining 99.99% availability for virtual private servers and 99.99% availability for dedicated servers.

3.10 Secure Destruction of Data, Hardware, Removable Media

We are responsible for securely destroying our data, hardware and removable media. We:
- Use accredited partners to securely destroy hardware such as hard disk drives and backup media.
- Cleanse hard disks before reusing them and test samples to ensure data can't be recovered. The company does this with software that adheres to HMG CESG standards.

3.11 Secure Data Communications on Our Networks

We are responsible for maintaining secure communications in our private network by:
- Segmenting customers' networks to prevent unauthorized access.
- Encrypting virtual private network (VPN) tunnels with IPsec to protect traffic to customers' sites. (VPN tunnelling and managed firewalls are only available via our Sales department.)
3.12 Incident Management on Our Networks

We are responsible for managing incidents on our network by:
- Following ITIL-based management processes to deal with incidents.
- Providing an incident manager who is on duty 24/7/365.

3.13 Internet Connections

We are responsible for maintaining internet connections for servers by using multiple 10Gb/s connections to the Internet and diverse routing, to ensure that connectivity is not lost due to a single failure.

3.14 Change Management

We are responsible for managing change associated with our infrastructure and minimising the impact to you wherever possible. We manage these changes by:
- Utilising a Change Manager who is responsible for change management processes.
- Following ITIL-based change management processes.
- Utilising a change management team to authorize change requests based upon role, location and importance in our network.

3.15 Notification of Planned Outages

We are responsible for notifying customers of planned outages and endeavour to provide at least 24 hours' notice of planned outages. In the majority of cases, we will provide notice earlier than this.

Note: We may give less notice for emergency maintenance needed to resolve high-risk security incidents that affect multiple customers.

3.16 Denial of Service Attacks

We are responsible for mitigating denial of service attacks from the Internet. We reserve the right to remove service for the duration of an attack, or until we can deploy a compensating control, if an attack threatens our wider infrastructure.

3.17 Managed Firewall and VPN Concentrator

We are responsible for initially configuring VPN concentrators and managed firewalls for customers. Our network engineers will initially configure systems for customers to meet the requirements defined by customers. Once complete, we will transfer responsibility for these to customers.

Note: Managed firewalls and VPN concentrators are only available through our Sales department and cannot be purchased through your control panel.
4 Typical Infrastructure Management Responsibilities of Customers

4.1 Software Installation and Build

You are responsible for configuring servers to suit your requirements, including security policies. You can reset your servers to base configuration at any time. We provide our services with some elements pre-configured to enable them to work within our environment. We recommend that you consider the following questions when configuring your servers:
- How do you secure data at rest and in motion?
- Who has access to data?
- What is available to the outside world?
- What should be implemented to protect data held in your systems?
- What controls are necessary to uphold your information security policies?

4.2 Firewall Between On-Premise and Off-Premise Networks

You are responsible for managing, implementing and adding firewalls between off-premise and on-premise networks. We recommend that you:
- Implement ingress and egress firewall policies at on-premise tunnel endpoints.
- Configure firewalls to only allow the inbound and outbound ports and IP addresses for the services in the off-premise environment.

4.3 Hardening of the Host Operating System

You are responsible for hardening your servers. We recommend that you:
- Apply hardening templates.
- Restrict access over unused ports.
- Disable unused features.
- Implement strong password controls, such as a minimum length of eight characters for passwords, which must include at least one upper case, lower case and numeric character.
- Rename default administrator accounts, such as domain admin or root, with a meaningless value. Add a complex password and store this in a safe location.
- Create different accounts for other users and apply limited privileges to these accounts.
- Create specific accounts for third parties (including Fasthosts) that expire after a short time.
- If a third party has a shared privileged account, change the password or disable the account immediately after the third party completes their work.

Quick tip: You can find hardening best practice guides at http://www.sans.org.

4.4 Change Default System Settings, Usernames and Passwords

You are responsible for changing default system settings and operating-system passwords. We recommend you:
- Implement different user profiles for people who access the server directly.
- Use RBAC so that users can only access the services they need to do their jobs.
4.5 Applying Service Packs, Security Patches and Software Updates

You are responsible for applying and configuring service packs, security patches and software updates to your servers. We recommend you:
- Disable unused services.
- Configure a method to apply updates and security patches to servers.
- Deploy patches and updates regularly to minimize the impact if something goes wrong and make it easier to identify causes.

4.6 Maintaining Infrastructure Optimization

You are responsible for implementing any operating system configuration changes recommended by ourselves to optimise or secure your server on our infrastructure. We recommend you:
- Ensure your services have sufficient capacity to cope with peak loads.

Best practice: You should update your server configuration in line with any revised best practices as recommended by ourselves and your own change management process.

4.7 Testing/Quality Assurance of Applications and Services

You are responsible for conducting functionality testing and quality assurance of applications and services on your servers. We recommend that you:
- Ensure you have a good backup or snapshot of servers before deploying updates or patches.
- Test your applications after patches and updates to check they aren't affected.

4.8 Event Logging

You are responsible for monitoring the logs of systems, applications and servers. We recommend you:
- Set up event logging to move logs onto a different server and analyse them for security-related events. This will help define the correct defences for your services.
- Retain logs for a reasonable length of time, i.e. a minimum of one month but preferably a year.

4.9 Anti-virus and Anti-Malware Protection

You are responsible for deploying and managing anti-virus and anti-malware for your servers. We recommend you:
- Install anti-malware software and configure it to auto-update, or to comply with your corporate anti-virus policies.

4.10 Backup

You are responsible for arranging backup for your servers. It is also your responsibility to back up your data and test your backup systems. We recommend you:
- Back up data and implement a regime that allows you to recover your business in the event of a disaster.
- Test your backup systems.
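The event-logging recommendation above (move logs to a separate server, then analyse them for security-related events) is shown below as a worked example. It is added here and is not Fasthosts code: it parses a constructed sample of sshd auth lines from two made-up servers as a central log host would receive them, correlates failed logins per source address across hosts, and raises alerts for a burst of failures, for a direct root login (which the hardening recommendations in 4.3 advise against), and for a successful login from an address that had recently been failing. The log format, host names, addresses, threshold and window are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sshd lines from two servers as forwarded to a central log host.
# Host names and IP addresses are made up for this example.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 50212 ssh2
2024-03-01T09:00:03Z web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 50214 ssh2
2024-03-01T09:00:04Z web01 sshd[1201]: Failed password for root from 198.51.100.23 port 50215 ssh2
2024-03-01T09:00:06Z web01 sshd[1201]: Failed password for root from 198.51.100.23 port 50216 ssh2
2024-03-01T09:00:08Z web01 sshd[1201]: Failed password for root from 198.51.100.23 port 50217 ssh2
2024-03-01T09:00:09Z web01 sshd[1201]: Accepted publickey for deploy from 203.0.113.7 port 41000 ssh2
2024-03-01T09:15:00Z db01 sshd[877]: Failed password for ops from 203.0.113.9 port 51000 ssh2
2024-03-01T09:16:00Z db01 sudo: ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/bash
2024-03-01T09:40:00Z db01 sshd[877]: Accepted password for root from 198.51.100.23 port 50300 ssh2
"""

# "<timestamp> <host> <program>[pid]: <message>" -- an assumed forwarding format.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line: str):
    """Split one forwarded line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyse(text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Return a list of alert dicts found in the forwarded log text (oldest first)."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failures, across all hosts
    flagged = set()               # IPs already reported for a burst (one alert per burst)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["prog"] != "sshd":
            continue
        failed = FAILED_RE.search(rec["msg"])
        if failed:
            times = failures[failed["ip"]]
            times.append(rec["ts"])
            while rec["ts"] - times[0] > window:  # keep only failures inside the window
                times.pop(0)
            if len(times) >= threshold and failed["ip"] not in flagged:
                flagged.add(failed["ip"])
                minutes = int(window.total_seconds() // 60)
                alerts.append({"severity": "medium", "host": rec["host"], "ip": failed["ip"],
                               "event": f"{len(times)} failed SSH logins within {minutes} minutes"})
            continue
        accepted = ACCEPTED_RE.search(rec["msg"])
        if not accepted:
            continue
        if accepted["user"] == "root":
            alerts.append({"severity": "high", "host": rec["host"], "ip": accepted["ip"],
                           "event": "direct root login accepted"})
        if failures.get(accepted["ip"]):  # success from an address that was failing earlier
            alerts.append({"severity": "high", "host": rec["host"], "ip": accepted["ip"],
                           "event": "successful login from a source with recent failed attempts"})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(f'{alert["severity"]:6} {alert["host"]:6} {alert["ip"]:15} {alert["event"]}')
```

Because the failure counter is keyed on the source address rather than on the (host, address) pair, the final root login on db01 is linked to the failures seen on web01, which is exactly the correlation that is only possible once logs from all servers are collected in one place.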
4.11 Remote Administration and Maintenance

You are responsible for managing servers and firewalls provided by us via the remote access VPN portal. We recommend you:
- Conduct remote administration and maintenance securely. We can provide a secure remote access VPN to maintain servers and firewalls. (Only available via our Sales department.)
- Do not expose management interfaces to the Internet or allow weak authentication controls.

4.12 Application and License Management

You are responsible for maintaining applications to support your servers and for ensuring you have licenses for your applications. We recommend you:
- Ensure you have sufficient processes in place to maintain your applications.

4.13 Change Management

You are responsible for managing change associated with your servers. We recommend you:
- Implement a change-management process. This will make it easier to identify reasons for a failure and restore systems.

4.14 Compliance with License Agreements, Local Legal and Regulatory Bodies

You are responsible for ensuring compliance with license requirements and legal and regulatory bodies. We recommend you:
- Pay attention to local regulations that may affect you.

4.15 Managing User Accounts

You are responsible for managing user accounts in line with your procedures. We recommend you:
- Create individual accounts for users who access your systems.

4.16 Managing Passwords

You are responsible for managing passwords in line with your procedures. We recommend you implement strong password-management policies, for example:
- Password length is set between eight and 15 characters.
- Force password change at first logon.
- Enforce password expiry; the suggested maximum age is 45 days.
- Enforce password history, preventing users from reusing their previous n passwords, where n is between 0 and 9.

4.17 Operating System Failure

You are responsible for maintaining your operating systems. We recommend you:
- Employ appropriately skilled engineers to manage your servers.

4.18 First Line Support

You are responsible for managing all first-line support issues. We recommend you:
- Provide first-line support and build processes to authenticate users who contact your service desks requesting access to your systems.

4.19 Customer Initiated Penetration Testing

You are responsible for penetration testing. These responsibilities include:
- Obtaining authorization from ourselves and any other customers involved in testing. Customers MUST submit a request to test at least five working days before penetration testing or vulnerability scanning activity.
  Important: We will suspend services of customers who do not comply with this.
- Ensuring that only experienced employees or professional third-party consultancies conduct penetration tests and vulnerability scans.
- Outlining details of penetration tests or vulnerability scans to ourselves. This must include:
  o Time frame for the test.
  o Testing scope.
  o IP addresses involved.
  o Key contacts.
- Getting third-party testing organizations to complete a Fasthosts non-disclosure agreement before testing or scanning.
- Informing the Fasthosts Service Desk of test results that may adversely affect Fasthosts, such as denial of service.
- Reporting vulnerabilities identified in the Fasthosts infrastructure.

Please note that if our support teams aren't aware that you are testing, it is likely that they will deploy mitigating controls and blocks to stop the attack.

Best practice: Conduct penetration tests or vulnerability scanning once Rise has deployed their services. This is to ensure that partners' configurations follow best practice and don't have any security weaknesses.

4.20 Managed Firewalls and VPN Concentrator

You are responsible for configuring your end of a VPN tunnel. We recommend you:
- Lock down firewall configurations and only allow the inbound and outbound ports and IP addresses the application requires.

Note: Managed firewalls and VPN concentrators are only available through our Sales department and cannot be purchased through your control panel.
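The password controls recommended in 4.3 (at least one upper-case, lower-case and numeric character) and the password-management policy in 4.16 (8 to 15 characters, forced change at first logon, 45-day maximum age, no reuse of the previous n passwords) can be enforced in a single account-management routine. The example below is added here and is not Fasthosts code; it stores salted PBKDF2 digests for the current password and the history, and returns the list of rules a candidate password breaks. The value n = 5, the PBKDF2 work factor, and the `Account` data model are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date

# Policy values from the document: 8-15 characters, upper/lower/digit required,
# maximum age 45 days, history of the previous n passwords (n between 0 and 9).
MIN_LEN, MAX_LEN = 8, 15
MAX_AGE_DAYS = 45
HISTORY_DEPTH = 5         # assumed value of n for this example
PBKDF2_ROUNDS = 100_000   # assumed work factor


def complexity_violations(password: str) -> list:
    """Return the rules the candidate password breaks (an empty list means compliant)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        problems.append("needs an upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _matches(password: str, entry: tuple) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    salt, digest = entry
    return hmac.compare_digest(_hash(password, salt), digest)


@dataclass
class Account:
    username: str
    current: tuple                  # (salt, digest) of the password in use
    last_changed: date
    must_change: bool = True        # set on creation: forces a change at first logon
    history: list = field(default_factory=list)  # previous (salt, digest) pairs, newest last


def create_account(username: str, initial_password: str, today: date) -> Account:
    salt = os.urandom(16)
    return Account(username, (salt, _hash(initial_password, salt)), today)


def password_expired(acct: Account, today: date) -> bool:
    return (today - acct.last_changed).days > MAX_AGE_DAYS


def logon_state(acct: Account, today: date) -> str:
    """'must_change' if the first-logon flag is set or the password has aged out, else 'ok'."""
    return "must_change" if acct.must_change or password_expired(acct, today) else "ok"


def change_password(acct: Account, new_password: str, today: date) -> list:
    """Apply the policy to a change request; on success rotate the stored digest and return []."""
    problems = complexity_violations(new_password)
    # Reuse check covers the current password plus the last HISTORY_DEPTH previous ones.
    recent = [acct.current] + acct.history[-HISTORY_DEPTH:]
    if any(_matches(new_password, entry) for entry in recent):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    acct.history = (acct.history + [acct.current])[-HISTORY_DEPTH:]
    salt = os.urandom(16)  # fresh salt per password so history entries are independent
    acct.current = (salt, _hash(new_password, salt))
    acct.last_changed = today
    acct.must_change = False
    return []


if __name__ == "__main__":
    today = date(2024, 1, 1)
    acct = create_account("alice", "Welcome1x", today)
    print(logon_state(acct, today))                       # must_change (first logon)
    print(change_password(acct, "short1A", today))         # length violation
    print(change_password(acct, "Summer2024x", today))     # [] (accepted)
    print(logon_state(acct, today.replace(month=3)))       # must_change (older than 45 days)
```

Each history entry keeps its own salt, so checking reuse costs one PBKDF2 computation per stored entry; with n capped at 9 by the policy that is at most ten computations per change request, which is acceptable for an interactive operation.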