MailTag Information Security Policy

The purpose of this policy is to establish the technical guidelines for IT security, and to communicate the controls necessary for a secure network infrastructure. The network security policy will provide the practical mechanisms to support the company’s comprehensive set of security policies. However, this policy also provides some latitude in implementation and management strategies to allow for agility and flexible where needed.

This policy covers all IT systems, devices, and other information resources devices that comprise the corporate network or that are otherwise controlled by Affinitive.

A compromised password on a network device could have devastating, network-wide consequences. Passwords that are used to secure these devices, such as routers, switches, and servers, must be held to higher standards than standard user-level or desktop system passwords.

• Passwords should be at least 8 characters
• Passwords should be comprised of a mix of letters, numbers and special characters(punctuation marks and symbols)
• Passwords should be comprised of a mix of upper and lower case characters
• Passwords should not be comprised of, or otherwise utilize, words that can be found in a dictionary
• Passwords should not be comprised of an obvious keyboard sequence (i.e., qwerty)
• Passwords should not include “guessable” data such as personal information like birthdays, addresses, phone numbers, locations, etc.

If possible, where passwords are used an application should be implemented that enforces the company’s password policies on construction, changes, re-use, lockout, etc.

As a general rule, administrative (also known as “root”) access to systems should be limited to only those who have a legitimate business need for this type of access. This is particularly important for network devices, since administrative changes can have a major effect on the network, and, as such, network security. Additionally, administrative access to network devices should be logged.

Repeated logon failures can indicate an attempt to ’crack’ a password and surreptitiously access a network account. The company should consider locking accounts after a certain number of failed logons. In order to protect against account guessing, when logon failures occur the error message transmitted to the user must not indicate specifically whether the account name or password were incorrect. The error can be as simple as “the username and/or password you supplied were incorrect.”

Passwords must be changed according to the company’s Password Policy. Additionally, the following requirements apply to changing network device passwords:

• If any network device password is suspected to have been compromised, all network device passwords must be changed immediately.
• If a company network or system administrator leaves the company, all passwords to which the administrator could have had access must be changed immediately. This statement also applies to any consultant or contractor who has access to administrative passwords.
• Vendor default passwords must be changed when new devices are put into service.

The logging of certain events is an important component of good network management practices. Logging needs vary depending on the type of network system, and the type of data the system holds. The following sections detail the company’s requirements for logging and log review.

Logs from application servers are of interest since these servers often allow connections from a large number of internal and/or external sources. These devices are often integral to smooth business operations. Examples: Web, email, database servers Requirement: Logging of at least errors, faults, and login failures is encouraged but not required. No passwords should be contained in logs

Logs from network devices are of interest since these devices control all network traffic, and can have a huge impact on the company’s security. Examples: Firewalls, network switches, routers Requirement: Logging of at least errors, faults, and login failures is encouraged but not required. No passwords should be contained in logs.

While logging is important to the company’s network security, log management can become burdensome if not implemented appropriately. As logs grow, so does the time required to review the logs. For this reason, the company recommends that a log management application be considered. Logs must be reviewed regularly and be retained in accordance with company needs or applicable regulation. Unless otherwise determined by the IT manager, logs should be considered operational data.

Using company-owned or company-provided computer systems to circumvent any security systems, authentication systems, user-based systems, or escalating privileges is expressly prohibited. Knowingly taking any actions to bypass or circumvent security is expressly prohibited.

Internet connections and other unsecured networks must be separated from the company network through the use of a firewall.

The following statements apply to the company’s implementation of firewall technology:

• Firewalls must provide secure administrative access (through the use of encryption) with management access limited, if possible, to only networks where management connections would be expected to originate.
• No unnecessary services or applications should be enabled on firewalls. The company should use ’hardened’ systems for firewall platforms, or appliances.
• For its own protection, the firewall rule set should include a “stealth rule,” which forbids connections to the firewall itself.

Firewalls are often configured to block only inbound connections from external sources; however, by filtering outbound connections from the network, security can be greatly improved. This practice is also referred to as “Egress Traffic Filtering.”

Blocking outbound traffic prevents users from accessing unnecessary, and many times, dangerous services. By specifying exactly what outbound traffic to allow, all other outbound traffic is blocked. This type of filtering would block root kits, viruses, and other malicious tools if a host were to become compromised. This will also prevent remote desktops from accessing the internal network. • Unused services and ports should be disabled on networking hardware. Access to administrative ports on networking hardware should be restricted to known management hosts and otherwise blocked with a firewall or access control list

Networking hardware, such as routers, switches, hubs, bridges, and access points, should be implemented in a consistent manner. The following statements apply to the company’s implementation of networking hardware:

• Networking hardware must provide secure administrative access (through the use of encryption) with management access limited, if possible, to only networks where management connections would be expected to originate.
• Clocks on all network hardware should be synchronized using NTP or another means. Among other benefits, this will aid in problem resolution and security incident investigation.
• If possible for the application, switches are preferred over hubs. When using switches, the company should use VLANs to separate networks if it is reasonable and possible to do so.
• Access control lists should be implemented on network devices that prohibit direct connections to the devices. Exceptions to this are management connections that can be limited to known sources.
• Unused services and ports should be disabled on networking hardware.
• Access to administrative ports on networking hardware should be restricted to known management hosts and otherwise blocked with a firewall or access control list.

Servers typically accept connections from a number of sources, both internal and external. As a general rule, the more sources that connect to a system, the more risk that is associated with that system, so it is particularly important to secure network servers. The following statements apply to the company’s use of network servers:

• Unnecessary files, services, and ports should be removed or blocked.
• If possible, Affinitive should follow a server hardening guide, which is available from the leading operating system manufacturers.
• Network servers, even those meant to accept public connections, must be protected by a firewall or access control list.
• If possible, a standard installation process should be developed for the company’s network servers. This will provide consistency across servers no matter what employee or contractor handles the installation.
• Clocks on network servers should be synchronized with the company’s other networking hardware using NTP or another means. Among other benefits, this will aid in problem resolution and security incident investigation.

When possible, Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) technology should be used in network monitoring and security. The tools differ in that an IDS alerts to suspicious activity whereas an IPS blocks the activity. When tuned correctly, IDSs are useful but can generate a large amount of data that must be evaluated for the system to be of any use. IPSs automatically take action when they see suspicious events, which can be both good and bad, since legitimate network traffic can be blocked along with malicious traffic.

Security testing, also known as a vulnerability assessment, a security audit, or penetration testing, is an important part of maintaining the company’s network security. Some security testing can be provided by IT Staff members, but is often more effective when performed by a third party with no connection to the company’s day-to-day In- formation Technology activities. The following sections detail the company’s requirements for security testing.

Internal security testing does not necessarily refer to testing of the internal network, but rather testing performed by members of the company’s IT team. Internal testing should not replace external testing; however, when external testing is not practical for any reason, or as a supplement to external testing, internal testing can be helpful in assessing the security of the network.

Internal security testing is allowable, but only by employees whose job functions are to assess security, and only with permission of the IT Manager. Internal testing should have no measurable negative impact on the company’s systems or network performance

External security testing, which is testing by a third party entity, is an excellent way to audit the company’s security controls. The VP of Engineering must determine to what extent this testing should be performed, and what systems/applications it should cover.

External testing must not negatively affect network performance during business hours or network security at any time. If penetration testing is performed, it must not negatively impact company systems or data. External security testing should be conducted at regular intervals.

IT assets, such as network servers and routers, often contain sensitive data about the company’s network communications. When such assets are decommissioned, the following guidelines must be followed:

• Any asset tags or stickers that identify the company must be removed before disposal.
• Any configuration information must be removed by deletion or, if applicable, resetting the device to factory defaults.
• Physical destruction of the device’s data storage mechanism (such as its hard drive or solid state memory) is required. If physical destruction is not possible, the VP of Engineering must be notified.

Good network design is integral to network security. By implementing network compartmentalization, which is separating the network into different segments, the company will reduce its network-wide risk from an attack or virus outbreak. Further, security can be increased if traffic must traverse additional enforcement/inspection points.

Examples: Guest network, wireless network

Segmentation of higher risk networks from the company’s internal network is required, and must be enforced with a firewall or router that provides access controls.

Examples: Email servers, webservers

Segmentation of externally-accessible systems from the company’s internal network is required, and must be enforced with a firewall or router that provides access controls.

Examples: Sales, Finance, Human Resources

Segmentation of internal networks from one another should be done whenever possible, as it can improve security as well as reduce chances that a user will access data that he or she has no right to access.

Network documentation, specifically as it relates to security, is important for efficient and successful network management. Further, the process of regularly documenting the network ensures that Affinitive has a firm understanding of the network architecture at any given time.

Network documentation should include:

Network diagram(s), System configurations, Firewall ruleset, IP Addresses, Access Control Lists

Computer viruses and malware are pressing concerns in today’s threat landscape. If a machine or network is not properly protected, a virus outbreak can have devastating effects on the machine, the network, and the entire company. The company provides the following guidelines on the use of antivirus/anti-malware software:

• All company-provided user PCs must have antivirus/anti-malware software installed.
• All company-provided user Macs are encouraged to have antivirus/anti-malware software installed.
• Workstation software must maintain a current “subscription” to receive patches and virus signature/definition file updates.
• Patches, updates, and antivirus signature file updates must be installed in a timely manner, either automatically or manually.

Software applications can create risk in a number of ways, and thus certain aspects of software use must be covered by this policy. The company provides the following requirements for the use of software applications:

• Only legally licensed software may be used. Licenses for the company’s software must be stored in a secure location.
• Open source and/or public domain software can only be used with the permission of a Security Team Manager.
• Software should be kept reasonably up-to-date by installing new patches and releases from the manufacturer.
• Vulnerability alerts should be monitored for all software products that the company uses. Any patches that fix vulnerabilities or security holes must be installed expediently.

Certain tasks require that network devices be taken offline, either for a simple re-boot, an upgrade, or other maintenance. When this occurs, the Security must perform the tasks before and after normal business hours. Tasks that are deemed “emergency support,” as determined by the IT Manager, can be performed at any time

Documenting changes to network devices is a good management practice and can help speed resolution in the event of an incident. The IT Staff should make a reasonable effort to document hardware and/or configuration changes to network devices in a “change log.” If possible, network devices should bear a sticker or tag indicating essential information, such as the device name, IP address, Mac address, asset information, and any additional data that may be helpful, such as information about cabling. IT Staff should also refer to the company’s Change Management policy for guidance.

When a security incident is suspected that may impact a network device, the IT Staff should refer to the company’s Incident Response policy for guidance.

Redundancy can be implemented on many levels, from redundancy of individual components to full site redundancy. As a general rule, the more redundancy implemented, the higher the availability of the device or network, and the higher the associated cost. The company wishes to provide the IT Manager with latitude to determine the appropriate level of redundancy for critical systems and network devices. Redundancy should be implemented where it is needed, and should include some or all of the following:

• Hard drive redundancy, such as mirroring or Redundant Array of Inexpensive Disks (RAID)
• Server level redundancy, such as clustering or high availability
• Component level redundancy, such as redundant power supplies or redundant Network Interface Cards (NICs)
• Keeping hot or cold spares onsite

Outdated products can result in a serious security breach. When purchasing critical hardware or software, the company must purchase a maintenance plan, support agreement, or software subscription that will allow the company to receive updates to the software and/or firmware for a specified period of time. The plan must meet the following minimum requirements:

• Hardware: The arrangement must allow for repair/replacement of the device within an acceptable time period, as determined by the IT Manager, as well as firmware or embedded software updates.
• Software: The arrangement must allow for updates, upgrades, and hotfixes for a specified period of time.

It is the company’s intention to comply with this policy not just on paper but in its everyday processes as well. With that goal in mind the company requires the following:

A training program must be implemented that will detail the company’s information security program to all users and/or employees covered by the policy, as well as the importance of data security. Employees must sign off on the receipt of, and in agreement to, the user-oriented policies. Re-training should be performed at least annually.

The company’s security policies should be reviewed at least annually. Additionally, the policies should be reviewed when there is an information security incident or a material change to the company’s security policies. As part of this evaluation the company should review:

• Any applicable regulations for changes that would affect the company’s compliance or the effectiveness of any deployed security controls.
• Whether the company’s deployed security controls are still capable of performing their intended functions.
• Whether technology or other changes may have an effect on the company’s security strategy.
• Whether any changes need to be made to accommodate future IT security needs.

This document is part of the company’s cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

Violations of this policy may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

The Head of Engineering is responsible for enforcement of this policy. They will be responsible for the company’s compliance with this security policy and any applicable security regulations. While this person may designate other staff to assist in the monitoring and enforcement of this policy as needed, but this employee is ultimately responsible for the following:

• The initial implementation of the security policies
• Ensuring that the policies are disseminated to employees
• Training and retraining of employees on the company’s information security program
• Any ongoing testing or analysis of the company’s security in compliance with this policy
• Updating the policy as needed to adhere with applicable regulations and the changing information security landscape.