Network Security Policy
Uprise maintains a secure network infrastructure through the following enumerated policies in order to protect the integrity and confidentiality of client and Company data and to mitigate the risk of a security incident. The purpose of this policy is to establish the guidelines for IT security and to communicate the controls necessary for a secure network infrastructure. The network security policy provides the practical mechanisms that support Uprise's comprehensive set of security policies. This policy covers all IT systems and devices that comprise the Uprise network or that are otherwise controlled by Firm personnel, directly or through third parties.
The creation and management of all accounts, including system and user accounts, must be authorized in advance in writing by the Systems Manager in consultation with Uprise’s contracted IT support personnel.
Access to and maintenance of applications, systems, network components (including routers, firewalls, voice communications servers, voice recording servers, etc.), operating systems, virtualization components, hypervisors, or other information objects is restricted to authorized personnel only.
Access to and maintenance of applications, systems, network components (including routers, firewalls, voice communications servers, voice recording servers, etc.), operating systems, virtualization components, hypervisors, or other information objects shall be granted based upon job function.
Approval of the Network Manager is required prior to creating all user and privileged accounts (e.g., system or security administrator).
Use of privileged accounts (e.g., system or security administrator) must be logged, and the list of such accounts and their activity must be reviewed at least quarterly.
Inactive user and privileged accounts (e.g., system administrator or security administrator) will be disabled or locked after no more than 90 days of inactivity.
Network Device Passwords
Default system accounts (e.g., guest, administrator) will always be disabled or renamed upon initial system builds.
The following statements apply to the construction of passwords for network devices:
· Passwords must be at least twelve characters.
· Passwords must be comprised of a mix of letters, numbers and special characters (punctuation marks and symbols), including a mix of upper and lowercase characters.
· Passwords must not be comprised of an obvious keyboard sequence (e.g., qwerty, 12345).
· Passwords must not include "guessable" data such as personal information like birthdays, addresses, firm public information, phone numbers, locations, etc.
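The construction rules above can be enforced mechanically rather than left to the user. The following Python function is an added example, not part of Uprise's policy or tooling: it checks a candidate password against the four rules and returns every violation found. The keyboard rows used, the four-character run length taken to define an "obvious keyboard sequence", and the per-user guessable data (firm name, birthday, phone number) are assumptions made for the example.

```python
import re
import string

MIN_LENGTH = 12
# Adjacent-key runs on a US keyboard. A run of SEQUENCE_LEN or more characters,
# forwards or backwards, counts as an "obvious keyboard sequence". Assumption:
# the policy does not define the run length, so four is used here.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
SEQUENCE_LEN = 4


def keyboard_sequences(rows=KEYBOARD_ROWS, length=SEQUENCE_LEN):
    """Every forward and reversed run of `length` adjacent keys, in row order."""
    runs = []
    for row in rows:
        for i in range(len(row) - length + 1):
            run = row[i:i + length]
            runs.append(run)
            runs.append(run[::-1])
    return runs


_SEQUENCES = keyboard_sequences()


def _alnum(text):
    """Lowercase and keep only letters and digits, so the guessable value
    '1985-03-07' still matches a password containing 19850307."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password, guessable=()):
    """Return the list of policy violations; an empty list means compliant.

    `guessable` holds the strings the policy calls guessable data for this
    user (birthday, phone number, address, firm name, ...). They are matched
    as substrings after normalisation; tokens shorter than four characters
    are ignored so that every password containing a common digit pair is
    not flagged.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")

    lowered = password.lower()
    for run in _SEQUENCES:
        if run in lowered:
            problems.append(f"contains keyboard sequence '{run}'")
            break

    normalised = _alnum(password)
    for item in guessable:
        token = _alnum(str(item))
        if len(token) >= 4 and token in normalised:
            problems.append(f"contains guessable data '{item}'")
    return problems


if __name__ == "__main__":
    # Constructed examples; the user data below is invented for the demo.
    user_data = ("Uprise", "1985-03-07", "555-0142")
    for candidate in ("Qwerty!2024Pass", "Uprise2024!!", "correct-Horse7Battery"):
        print(candidate, "->", check_password(candidate, user_data) or "OK")
```

The guessable-data check is the part a stock "complexity" filter misses: the firm name and a user's own birthday both satisfy the length and character-mix rules, so they have to be rejected by content, not by shape.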
Repeated logon failures can indicate an attempt to 'crack' a password and surreptitiously access a network account. To guard against password-guessing and brute-force attempts, Uprise will lock a user's account after five consecutive unsuccessful logon attempts. The locked account shall remain locked for a minimum of one hour, or until the IT Department manually resets and unlocks the account following a support request from the user.
To protect against account guessing, the error message shown to the user when a logon fails must not indicate whether the account name or the password was incorrect, nor whether the account is currently locked. The error can be as simple as "the username and/or password you supplied were incorrect."
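The lockout and neutral-error rules above, as an added example that is not Uprise's authentication code: a small logon gate that counts consecutive failures per account, locks the account for one hour after the fifth, returns the identical message for an unknown account, a wrong password and a locked account, and supports the manual unlock by IT. The in-memory credential store and the sample account are constructed for the demo, and time is passed in as seconds so the lockout window can be exercised without waiting an hour.

```python
import hmac

LOCKOUT_THRESHOLD = 5          # consecutive failed attempts before the lock
LOCKOUT_SECONDS = 60 * 60      # minimum time the lock stays in place
# One neutral message for every failed logon. It must not reveal whether the
# account exists, the password was wrong, or the account is currently locked.
GENERIC_ERROR = "The username and/or password you supplied were incorrect."


class AccountLockout:
    """Logon gate enforcing the five-failure / one-hour lockout rule."""

    def __init__(self, credentials):
        # credentials: user -> password, an in-memory store constructed for the
        # demo. A real system verifies a salted password hash, never plaintext.
        self._creds = dict(credentials)
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> time (seconds) at which the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def attempt(self, user, password, now):
        """Process one logon attempt at time `now` (seconds); return (success, message)."""
        if user not in self._creds:
            # Unknown account: exactly the same answer as a bad password.
            return False, GENERIC_ERROR
        if self.is_locked(user, now):
            # A correct password during the lockout must still be refused, or the
            # guesser is not slowed down at all and learns that a lock exists.
            return False, GENERIC_ERROR
        stored = self._creds[user].encode()
        if hmac.compare_digest(password.encode(), stored):   # constant-time compare
            self._failures[user] = 0             # success resets the counter
            return True, "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= LOCKOUT_THRESHOLD:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = 0             # fresh count once the lock expires
        return False, GENERIC_ERROR

    def admin_unlock(self, user):
        """Manual reset by the IT Department after the user's support request."""
        self._locked_until.pop(user, None)
        self._failures[user] = 0


if __name__ == "__main__":
    gate = AccountLockout({"jdoe": "correct-Horse7Battery"})   # constructed account
    for i in range(LOCKOUT_THRESHOLD):
        print(gate.attempt("jdoe", "password1", float(i)))
    print("locked after five failures:", gate.is_locked("jdoe", 60.0))
    # Right password inside the lockout hour: refused, with the same message.
    print(gate.attempt("jdoe", "correct-Horse7Battery", 1800.0))
    # Once the hour has passed, the correct password works again.
    print(gate.attempt("jdoe", "correct-Horse7Battery", 4.0 + LOCKOUT_SECONDS))
```

Two details matter for the policy's intent: the unknown-account and locked-account branches return before any password comparison, so the response text never differs, and the lock is checked before the password, so a correct guess made during the lockout is still refused rather than quietly confirming the lock.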
User and privileged account (e.g., system or security administrator) passwords, with the exception of the Domain Administrator password and passwords used in conjunction with Windows services, must be changed at least every 90 days by enforcement of group policies. In order to mitigate any security risk associated with the Domain Administrator account and any accounts used for Windows services, the following will be implemented:
The Domain Administrator password has been changed to a highly complex password and is stored in a locked cabinet to which only Uprise Partners have access.
All users requiring privileged account (e.g., system or security administrator access) have been provided with separate administrative credentials.
Where feasible, any account used in conjunction with a Windows service has been denied the right to logon locally or through Terminal Services through the implementation of Group Policies.
Additionally, the following requirements apply to changing network device passwords:
If any network device password is suspected to have been compromised, all network device passwords must be changed promptly.
If a Firm network or system administrator leaves Uprise, all passwords to which the administrator could have had access must be changed promptly. This statement also applies to any consultant or contractor who has access to administrative passwords.
Password Policy Enforcement
Where passwords are used, an application must be implemented that enforces Uprise's password policies on construction, changes, re-use, lockout, etc.
Administrative Password Guidelines
As a rule, administrative (also known as "root") access to systems should be limited to only those who have a legitimate business need for this type of access. This is particularly important for network devices, since administrative changes can have a major effect on the network, and, as such, network security. Additionally, administrative access to network devices should be logged.
The following sections detail Uprise's requirements for logging and log review.
Logs from application servers are of interest since these servers often allow connections from a large number of internal and/or external sources. These devices are often integral to smooth business operations.
Examples: Web, email, database servers.
Requirement: Errors, faults, and login failures will be logged. No passwords should be contained in logs.
Logs from network devices are of interest since these devices control all network traffic, and can have a huge impact on Uprise's security.
Examples: Firewalls, network switches, routers
Requirement: Errors, faults, and login failures will be logged. No passwords should be contained in logs.
Critical devices are any systems that are critically important to business operations. These systems may also fall under one of the categories above; where this occurs, this section shall supersede.
Examples: File servers, lab or manufacturing machines, systems storing intellectual property
Requirements: Errors, faults, and login failures will be logged. No passwords should be contained in logs.
The Systems Manager and/or Uprise’s contracted IT support personnel, as appropriate, will review the logs at least once per month.
Audit logs may be modified or deleted only upon the approval of Uprise’s Systems Manager. Production system audit logs must be retained for a minimum of 6 months.
Firewalls are one of the most important components of Uprise's security strategy. Internet connections and other unsecured networks must be separated from the Uprise network through the use of a firewall.
The following statements apply to Uprise's implementation of firewall technology:
· Firewalls must provide secure administrative access (through the use of encryption) with management access limited, if possible, to only networks where management connections would be expected to originate.
· No unnecessary services or applications should be enabled on firewalls. Uprise should use 'hardened' systems for firewall platforms, or appliances.
· Clocks on firewalls should be synchronized with Uprise's other networking hardware using NTP or another means. Among other benefits, this will aid in problem resolution and security incident investigation.
· All firewall and router rules must be reviewed at least annually and approved by the Systems Manager in concert with Uprise's contracted IT support personnel. The review must cover each rule: what it is for, whether it is still necessary, and whether it can be improved.
· Changes to firewall rules must be logged and the logs must identify the administrator performing the change and when the change occurred.
· For its own protection, the firewall rule set must include a "stealth rule," which drops connections addressed to the firewall itself, other than the permitted management traffic described above.
· The firewall must log dropped or rejected packets.
Outbound Traffic Filtering
Firewalls must be configured to filter outbound connections from the network. Blocking outbound traffic prevents users from accessing unnecessary or dangerous services. By specifying exactly which outbound traffic to allow, all other outbound traffic is blocked by default. If a host is compromised, this type of filtering limits the ability of rootkits, viruses and other malicious tools to reach the outside (for example, to contact a command-and-control server or to exfiltrate data), and the resulting dropped-packet log entries are an early indicator of the compromise.
Uprise requires that permitted outbound traffic be limited to only known "good" services, which are the following ports: 21 (FTP), 25 (SMTP), 53 (DNS), 80 (HTTP), 110 (POP3), 443 (HTTPS), and 995 (POP3S). All other outbound traffic must be blocked at the firewall unless an exception is granted by the Systems Manager. Note that FTP, HTTP and POP3 carry credentials and content in cleartext; their encrypted counterparts should be preferred where available.
All outbound connections (e.g., HTTP, HTTPS, and FTP) must be authenticated by a proxy device.
Network Security Manager approval is required for the establishment of encrypted protocol communications that cannot be authenticated by a proxy device.
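The allowlist above is only a control if the firewall actually enforces it, so it is worth checking the rule set's observed behaviour against the written policy. The following Python script is an added example, not a Uprise tool: it reads an outbound-connection log export (a constructed sample in a generic key=value format, not any real product's format), flags ALLOWed outbound connections to ports that neither the allowlist nor a Systems Manager exception permits (rule-set drift), and counts repeated DROPs from the same internal host to the same destination, which is what a compromised host trying to reach a blocked port looks like in the dropped-packet log the firewall is required to keep. The exception entry, change reference and log lines are invented for the demo.

```python
import re
from collections import Counter

# Outbound destination ports the policy permits (FTP, SMTP, DNS, HTTP, POP3,
# HTTPS, POP3S). Everything else is blocked unless the Systems Manager grants
# an exception.
ALLOWED_OUTBOUND_PORTS = {21, 25, 53, 80, 110, 443, 995}

# Exceptions granted by the Systems Manager, keyed by (source host, port).
# Constructed for the demo; the change reference is invented.
EXCEPTIONS = {("10.1.5.20", 1433): "CHG-0042"}

# Constructed log export in a generic key=value format. "dir=out" means the
# connection was initiated from inside the Uprise network.
SAMPLE_FIREWALL_LOG = """\
2024-05-02T10:00:01 action=ALLOW dir=out src=10.1.2.3 dst=203.0.113.10 proto=tcp dport=443
2024-05-02T10:00:05 action=ALLOW dir=out src=10.1.2.3 dst=203.0.113.11 proto=tcp dport=8080
2024-05-02T10:00:09 action=DROP dir=out src=10.1.2.4 dst=198.51.100.7 proto=tcp dport=4444
2024-05-02T10:00:39 action=DROP dir=out src=10.1.2.4 dst=198.51.100.7 proto=tcp dport=4444
2024-05-02T10:01:09 action=DROP dir=out src=10.1.2.4 dst=198.51.100.7 proto=tcp dport=4444
2024-05-02T10:01:12 action=ALLOW dir=out src=10.1.5.20 dst=203.0.113.50 proto=tcp dport=1433
2024-05-02T10:01:30 action=DROP dir=out src=10.1.2.3 dst=203.0.113.12 proto=tcp dport=8443
2024-05-02T10:01:45 action=ALLOW dir=in src=203.0.113.9 dst=10.1.2.3 proto=tcp dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>ALLOW|DROP) dir=(?P<dir>in|out) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def is_permitted(src, dport, allowed=ALLOWED_OUTBOUND_PORTS, exceptions=EXCEPTIONS):
    """Default-deny decision: an allowlisted port, or an approved exception."""
    return dport in allowed or (src, dport) in exceptions


def audit_outbound(text, drop_alert_threshold=3, **policy):
    """Compare the firewall's observed behaviour with the written policy.

    Returns a dict with:
      drift    - outbound connections the firewall ALLOWED although neither the
                 allowlist nor an exception permits them (rule-set drift)
      repeated - (src, dst, dport) tuples DROPped at least drop_alert_threshold
                 times, the pattern a compromised host produces when it keeps
                 trying to reach a blocked port
    """
    drift = []
    drops = Counter()
    for rec in parse_log(text):
        if rec["dir"] != "out":
            continue
        if rec["action"] == "ALLOW" and not is_permitted(rec["src"], rec["dport"], **policy):
            drift.append((rec["ts"], rec["src"], rec["dst"], rec["dport"]))
        elif rec["action"] == "DROP":
            drops[(rec["src"], rec["dst"], rec["dport"])] += 1
    repeated = {key: n for key, n in drops.items() if n >= drop_alert_threshold}
    return {"drift": drift, "repeated": repeated}


if __name__ == "__main__":
    report = audit_outbound(SAMPLE_FIREWALL_LOG)
    for item in report["drift"]:
        print("RULE DRIFT: allowed outbound", item)
    for (src, dst, dport), n in report["repeated"].items():
        print(f"REPEATED DROP: {src} -> {dst}:{dport} x{n}")
```

On the sample the script reports one drift entry (a permitted connection to port 8080 with no exception on file, which should prompt a rule-set review) and one repeated-drop entry (host 10.1.2.4 trying port 4444 three times, which should prompt a look at that host rather than at the firewall). Inbound records are ignored here because the policy section concerns outbound filtering.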
Data Leakage Controls
Data leakage controls (e.g., logging access to files and folders designated as confidential on shared drives, disabling the ability to use removable drives, disabling unapproved CD/DVD burners and hard drives) will be established to ensure that confidential Firm or client data cannot be physically or electronically removed without management authorization.
The following policy statements apply to Uprise's implementation of networking hardware:
Uprise recognizes that certain steps must be taken to prepare new hardware and software for deployment.
Platform hardening should be benchmarked against industry/vendor standards and best practices (e.g., SANS, VISA, NSA and vendor hardening guides).
Current security updates, patches and anti-virus definitions will be applied.
Unused protocols and services must be disabled prior to deployment into production.
Unneeded user accounts must be disabled and default accounts (e.g. Administrator, Guest etc.) should be renamed.
Sample programs and scripts must be deleted.
Password parameters must be reconfigured to comply with Firm standards set forth in this policy.
Logging and audit trails must be activated.
Networking hardware must provide secure administrative access (through the use of encryption) with management access limited, if possible, to only networks where management connections would be expected to originate.
Clocks on all network hardware should be synchronized using NTP or another means. This requirement will aid in problem resolution and security incident investigation.
Uprise will restrict access to the administrative ports of networking hardware with a firewall or access control list.
The following statements apply to Uprise's network servers:
Unnecessary files, services, and ports will be removed or blocked.
Network servers, even those meant to accept public connections, must be protected by a firewall or access control list.
A standard installation process will be developed for Uprise's network servers.
Clocks on network servers should be synchronized with Uprise's other networking hardware using NTP or another means. This will aid in problem resolution and security incident investigation.
Intrusion Detection/Intrusion Prevention
Uprise requires the use of either a network intrusion detection system (NIDS) or a network intrusion prevention system (NIPS) on critical or high-risk network segments.
Uprise will install a NIDS or NIPS to monitor all external network connections.
The NIDS or NIPS will also monitor the internal network.
Data Loss Prevention Technologies
Uprise serves clients who may provide personal or private information that requires extra care and protection against accidental disclosure or misuse. As a result, Uprise has deployed technologies that help protect sensitive information (such as date of birth, social security number, etc.). These systems generate alerts that are monitored in real time by members of Uprise appointed by firm administration. Every alert must be reviewed for accuracy and responded to accordingly.
The following sections detail Uprise's requirements for security testing.
Uprise will conduct an annual internal and external vulnerability scan that encompasses all networks and hosts.
The findings from vulnerability scans will be tracked, and rescans will be performed until each finding has been remediated or formally accepted as a risk by the Systems Manager.
Internal Security Testing
Performance of internal security testing by members of Uprise's IT team or contracted IT support personnel is required annually. Internal security testing is allowable only with permission of the Systems Manager in consultation with Uprise's contracted IT support personnel. Such testing must have no measurable negative impact on Uprise's systems or network performance.
External Security Testing
External security scans for known vulnerabilities and threats by a third party entity will be conducted quarterly.
Disposal of Information Technology Assets
IT assets, such as network servers and routers, often contain sensitive data about Uprise's network communications. When such assets are decommissioned, the following guidelines must be followed:
Any asset tags or stickers that identify Uprise must be removed before disposal.
Electronic media (e.g., tapes, disk drives, and the storage media inside multifunction devices, copiers, etc.) will be destroyed by physical destruction.
Destruction will be recorded in logs.
Network Compartmentalization & Reduced Exposure
Good network design is integral to network security. By implementing network compartmentalization, that is, separating the network into different segments, Uprise will reduce its network-wide risk from an attack or virus outbreak. Further, security is increased if traffic must traverse additional enforcement/inspection points.
Following network best practice, all VoIP networks should be separated from the data network, either physically or logically through the use of VLANs.
To reduce the network's exposure and prevent unauthorized devices from connecting undetected, all physical data ports in the office space and conference rooms that are not in use are to be unplugged (left unpatched at the switch) so that they cannot be used. VoIP phones that have a data port are to be configured with the data port disabled, or with the data port placed in a non-usable configuration such as a "blackhole VLAN" that carries no traffic.
Network documentation, specifically as it relates to security, is important for efficient and successful network management. Further, the process of regularly documenting the network ensures that Uprise's IT Staff has a firm understanding of the network architecture at any given time.
Network documentation should include:
Firewall rule set
Access Control Lists
Network devices must bear a sticker or tag indicating essential information, such as the device name, IP address, MAC address, asset information, and any additional data that may be helpful, such as information about cabling.
Only authorized individuals at Uprise shall have access to network diagrams. Therefore all network diagrams and related documentation must be secured at all times. Unauthorized access to any firm network documentation may result in disciplinary action up to and including termination of employment.