A.5 ABC Inc. InfoSec Network Policy

Network Operations is responsible for the security of the networks and the network's impact on the corporation. Network managers are responsible for adherence to this policy and associated processes. Where policies and procedures are undefined , network managers must do their best to safeguard ABC Inc. from security vulnerabilities.

Network Operations is responsible for the network's compliance with all ABC Inc. security policies. The following are particularly important:

• ABC Inc. Anti-Virus Policy

• ABC Inc. Dial-in Policy

• ABC Inc. Extranet Policy

• ABC Inc. Password Policy

• ABC Inc. Password Protection Policy

• ABC Inc. Remote Access Policy

• ABC Inc. Router Security Policy

• ABC Inc. Server Security Policy

• ABC Inc. VPN Security Policy

• ABC Inc. Wireless Communications Policy

• ABC Inc. Physical Security Policy

Network Operations is responsible for controlling network access. Access to any given network will only be granted by Network Operations to those individuals with an immediate business need within the network, either short- term or as defined by their ongoing job function. This includes continually monitoring the access list to ensure that those who no longer require access to the network have their access terminated .

Network Operations and/or InfoSec reserve the right to interrupt network connections that impact the corporate production network negatively or pose a security risk.

Network Operations must manage all network IP addresses, which are routed within ABC Inc. networks.

Any network that wants to add an external connection must provide a diagram and documentation to InfoSec with business justification, the equipment, and the IP address space information. InfoSec will review for security concerns and must approve before such connections are implemented. Access to the ABC Inc. network from a third party must use ABC Inc.'s managed firewall.

All user passwords must comply with Password Policy. In addition, individual user accounts on any network device must be deleted when no longer authorized within three days. Group account passwords on network computers (Unix, windows , etc.) must be changed quarterly (once every 3 months). Groups accounts must be approved by the IT Network Operations group. For any network device that contains ABC Inc. proprietary information, group account passwords must be changed within three days following a change in group membership.

InfoSec will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified through the completion of the Policy Exception Form.

All external network IP traffic must go through a Network Operations maintained firewall.

Original firewall configurations and any changes must be reviewed and approved through the proper IT Operations Change Control process. InfoSec may require security improvements as needed.

Networks are prohibited from engaging in port scanning, network auto-discovery , traffic spamming /flooding, and other similar activities that negatively impact the corporate network and/or non-ABC Inc. networks.

InfoSec reserves the right to audit all network- related data and administration processes at any time, including but not limited to, inbound and outbound packets, firewalls, and network peripherals.

Network gateway devices are required to comply with all ABC Inc. product security advisories and must authenticate against the Corporate Authentication servers.

The password for all network gateway devices must be different from all other equipment passwords in the network. The password must be in accordance with Password Policy. The password will only be provided to those who are authorized to administer the network. There will be no group accounts, and anyone accessing these devices will have an individual account.

In networks where non-ABC Inc. personnel have physical access (e.g., training networks), direct connectivity to the corporate production network is not allowed. Additionally, no ABC Inc. confidential information can reside on any computer equipment in these networks. Connectivity for authorized personnel from these networks can be allowed to the corporate production network only if authenticated against the Corporate Authentication servers, temporary access lists (lock and key), SSH, client VPNs, or similar technology approved by InfoSec.

All network external connection requests must be reviewed and approved by InfoSec. Analog or ISDN lines must be configured to only accept trusted call numbers . Strong passwords must be used for authentication.

All networks with external connections must not be connected to ABC Inc. corporate production network or any other internal network directly or via a wireless connection, or via any other form of computing equipment. A waiver from InfoSec is required where air-gapping is not possible (e.g., Partner Connections to third party networks).