A.6 ABC Inc. InfoSec De-Militarized Zone (DMZ) Policy


Policy No. 5

Effective date Month / Day / Year

Implement by Month / Day / Year

1.0 Purpose

This policy establishes information security requirements for all networks and equipment deployed and located in the ABC Inc. "De-Militarized Zone" (DMZ) as well as screened subnets. Adherence to these requirements will minimize the potential risk to ABC Inc. from the damage to public image caused by unauthorized use of ABC Inc. resources, and the loss of sensitive/company confidential data and intellectual property.

2.0 Scope

ABC Inc. networks and devices (including but not limited to routers, switches, hosts, etc.) that are Internet facing and located outside ABC Inc. corporate Internet firewalls are considered part of the DMZ and are subject to this policy. This includes DMZs in primary Internet Service Provider (ISP) locations and remote locations. All existing and future equipment which falls under the scope of this policy must be configured according to the referenced documents. This policy does not apply to information systems and components which reside inside ABC Inc.'s corporate Internet firewalls. Standards for these are defined in the Internal Network Security Policy <Link>.

3.0 Policy

3.1. Ownership and Responsibilities
  1. All new DMZs must present a business justification with sign-off at the business unit Vice President level. InfoSec must keep the business justifications on file.

  2. DMZ system owning organizations are responsible for assigning managers, a point of contact (POC), and a backup POC for each system. The DMZ owners must maintain up-to-date POC information with InfoSec and the corporate enterprise management system, if one exists. DMZ system managers or their backup must be available around-the-clock for emergencies.

  3. Changes to the connectivity and/or purpose of existing DMZ system/application and establishment of new DMZ system/applications must be requested through an ABC Inc. Network Support Organization and approved by InfoSec.

  4. All ISP connections must be maintained by an ABC Inc. Network Support Organization.

  5. A Network Support Organization must maintain a firewall device between the DMZ and the Internet.

  6. The Network Support Organization and InfoSec reserve the right to interrupt connections if a security concern exists.

  7. The Network Support Organization will provide and maintain network devices deployed in the DMZ up to the Network Support Organization point of demarcation.

  8. The Network Support Organization must record all DMZ address spaces and current contact information; these records must be stored in a secure location.

  9. The Network Support Organization is ultimately responsible for its DMZ complying with this policy.

  10. Immediate access to equipment and system logs must be granted to members of InfoSec and the Network Support Organization upon request, in accordance with the Audit Policy.

  11. Individual accounts must be deleted within three days when access is no longer authorized. Group account passwords must comply with the Password Policy and must be changed within three days from a change in the group membership.

  12. InfoSec will address non-compliance waiver requests on a case-by-case basis through the submission of a Policy Exception Form.

3.2. General Configuration Requirements
  1. Internal production resources must not depend upon resources on the DMZ networks.

  2. DMZs must be connected through a firewall to access ABC Inc.'s corporate internal networks. Any form of cross-connection which bypasses the firewall device is strictly prohibited.

  3. DMZs should be in a physically separate room from any internal networks. If this is not possible, the equipment must be in a locked rack or cage with limited access. In addition, the DMZ Manager must maintain a list of who has access to the equipment.

  4. DMZ Managers are responsible for complying with the following related policies:

    1. Password Policy

    2. Wireless Communications Policy

    3. Anti-Virus Policy

  5. Firewall devices maintained by the Network Support Organization must be configured in accordance with least-access principles and the DMZ business needs. All firewall filters will be maintained by InfoSec.

  6. Original firewall configurations and any changes must be reviewed and approved through proper IT Operations change control processes (including both general configurations and rule sets). InfoSec may require additional security measures as needed.

  7. Traffic from the DMZ to the ABC Inc. internal network, including VPN access, falls under the Remote Access Policy.

  8. All routers and switches not used for testing and/or training must conform to the DMZ Router and Switch standardization documents.

  9. Operating systems of all hosts internal to the DMZ running Internet Services must be configured to the secure host installation and configuration standards. [Add URL link to internal configuration standards].

  10. Current applicable security patches/hot-fixes for any applications that are Internet services must be applied. Administrative owner groups must have processes in place to stay current on appropriate patches/hot-fixes at the first available opportunity.

  11. All applicable security patches/hot-fixes recommended by the vendor must be installed, following the same patch management process required for Internet services above.

  12. Services and applications not serving business requirements must be disabled.

  13. ABC Inc. confidential information is prohibited on equipment in DMZs where non-ABC Inc. personnel have physical access.

  14. Remote administration must be performed over secure channels (e.g., encrypted network connections using SSH or IPsec) or console access independent from the DMZ networks.
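Several of the configuration requirements above (least-access firewall rules in 3.2.5, no firewall bypass in 3.2.2, no internal dependency on DMZ resources in 3.2.1, encrypted remote administration in 3.2.14) can be turned into an automated check over an exported firewall rule set. The following script is an added example, not part of the original policy or of any ABC Inc. tooling; the rule format, the zone names (`internet`, `dmz`, `internal`, `mgmt`), the list of plaintext administration protocols, and the sample rules are all constructed for illustration and would need to be mapped onto the organization's real firewall export.

```python
"""Audit a firewall rule set against the DMZ requirements of section 3.2.

Everything here is constructed for the example: the Rule schema, zone names,
protocol lists and SAMPLE_RULES are assumptions, not ABC Inc. data or policy text.
"""
from dataclasses import dataclass
from typing import Iterable, List, Union

ANY = "any"  # wildcard for zone, protocol or port

# Plaintext administration protocols forbidden by 3.2.14 (assumed list).
PLAINTEXT_ADMIN_PORTS = {23: "telnet", 513: "rlogin", 514: "rsh", 21: "ftp"}
# Channels the policy names as acceptable for remote administration (3.2.14).
ENCRYPTED_ADMIN = {("tcp", 22): "ssh", ("udp", 500): "isakmp",
                   ("udp", 4500): "ipsec-nat-t", ("esp", ANY): "esp"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                 # "internet", "dmz", "internal", "mgmt" or ANY
    dst_zone: str
    proto: str                    # "tcp", "udp", "esp" or ANY
    dport: Union[int, str]        # port number or ANY
    action: str                   # "allow" or "deny"


@dataclass(frozen=True)
class Finding:
    rule: str
    requirement: str              # section of the policy the rule conflicts with
    detail: str


def audit(rules: Iterable[Rule]) -> List[Finding]:
    """Return one Finding per rule that conflicts with section 3.2."""
    rules = list(rules)
    findings: List[Finding] = []

    # 3.2.5 least access: the set must end in an explicit deny-all, otherwise
    # anything not matched by an allow rule is implicitly permitted.
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src_zone == ANY
            and last.dst_zone == ANY and last.proto == ANY and last.dport == ANY):
        findings.append(Finding("<end of ruleset>", "3.2.5",
                                "no terminal default-deny rule"))

    for r in rules:
        if r.action != "allow":
            continue
        wildcard = r.dport == ANY or r.proto == ANY
        is_plaintext_admin = r.proto == "tcp" and r.dport in PLAINTEXT_ADMIN_PORTS

        # 3.2.5: DMZ -> internal must be a narrow, explicitly justified path.
        if r.src_zone == "dmz" and r.dst_zone == "internal" and wildcard:
            findings.append(Finding(r.name, "3.2.5",
                                    "DMZ->internal allow with wildcard port/protocol"))
        # 3.2.2: nothing from the Internet may reach the internal network directly.
        if r.src_zone == "internet" and r.dst_zone == "internal":
            findings.append(Finding(r.name, "3.2.2",
                                    "Internet->internal allow bypasses the DMZ firewall"))
        # 3.2.14: administration of DMZ hosts must use an encrypted channel.
        if r.dst_zone == "dmz" and r.src_zone in ("internal", "mgmt") and is_plaintext_admin:
            findings.append(Finding(r.name, "3.2.14",
                                    f"plaintext admin protocol {PLAINTEXT_ADMIN_PORTS[r.dport]}"))
        # 3.2.1: internal-initiated traffic to the DMZ on a non-admin port suggests
        # an internal production dependency on a DMZ resource; flag for review.
        if (r.src_zone == "internal" and r.dst_zone == "dmz"
                and (r.proto, r.dport) not in ENCRYPTED_ADMIN and not is_plaintext_admin):
            findings.append(Finding(r.name, "3.2.1",
                                    "internal-initiated non-admin traffic to DMZ; verify no production dependency"))
    return findings


# Constructed sample rule set with deliberate violations.
SAMPLE_RULES = [
    Rule("web-in", "internet", "dmz", "tcp", 443, "allow"),
    Rule("web-to-db", "dmz", "internal", "tcp", 5432, "allow"),        # narrow: acceptable
    Rule("dmz-any-internal", "dmz", "internal", ANY, ANY, "allow"),    # 3.2.5 violation
    Rule("admin-ssh", "mgmt", "dmz", "tcp", 22, "allow"),              # acceptable
    Rule("admin-telnet", "internal", "dmz", "tcp", 23, "allow"),       # 3.2.14 violation
    Rule("intranet-feed", "internal", "dmz", "tcp", 8080, "allow"),    # 3.2.1 review
    Rule("legacy-direct", "internet", "internal", "tcp", 3389, "allow"),  # 3.2.2 violation
    # no terminal default-deny -> 3.2.5 finding
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f.rule:<20} {f.requirement:<7} {f.detail}")
```

Appending a `Rule("default-deny", ANY, ANY, ANY, ANY, "deny")` to the end of the set clears the terminal default-deny finding; the per-rule findings remain until the offending rules are removed or narrowed. The 3.2.1 check is a review prompt rather than a hard violation, since the policy cannot tell from a rule alone whether the internal side actually depends on the DMZ service.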

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action up to and including termination of employment.

5.0 Definitions

Access Control List (ACL): Lists kept by routers to control access to or from the router for a number of services (for example, to prevent packets with a certain IP address from leaving a particular interface on the router).

DMZ (de-militarized zone): Networking that exists outside of ABC Inc. primary corporate firewalls, but is still under ABC Inc. administrative control.

Network Support Organization: Any InfoSec-approved support organization that manages the networking of non-lab networks.

Least Access Principle: Access to services, hosts, and networks is denied by default and granted only where explicitly permitted.

Internet Services: Services running on devices that are reachable from other devices across a network. Major Internet services include DNS, FTP, HTTP, etc.

Point of Demarcation: The point at which the networking responsibility transfers from a Network Support Organization to the DMZ. Usually a router or firewall.

Screened Subnet: Screened subnets, or perimeter networks, are networks separated from the internal network by a screening router.

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________




Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153