A.8 ABC Inc. InfoSec Extranet Policy

Policy No. 7

Effective date Month / Day / Year

Implement by Month / Day / Year

1.0 Purpose

This document describes the policy under which third party organizations connect to ABC Inc. networks for the purpose of transacting business related to ABC Inc.

2.0 Scope

Connections between third parties that require access to non-public ABC Inc. resources fall under this policy, regardless of whether a Telco circuit (such as frame relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for ABC Inc. or to the Public Switched Telephone Network does NOT fall under this policy.

3.0 Policy

3.1 Prerequisites

The following conditions (prerequisites) must be satisfied before extranet usage is granted:

  • Security Review

  • Third Party Connection Agreement

  • Business Case

  • Point of Contact

3.1.1 Security Review

All new extranet connectivity will go through a security review with the InfoSec department. The reviews are to ensure that all access matches the business requirements in the best possible way, and that the principle of least access is followed.

3.1.2 Third Party Connection Agreement

All new connection requests between third parties and ABC Inc. require that the third party and ABC Inc. representatives agree to and sign the Third Party Agreement. This agreement must be signed by the Vice President of the Sponsoring Organization as well as a representative from the third party who is legally empowered to sign on behalf of the third party. The signed document is to be kept on file with the relevant extranet group. Documents pertaining to connections into ABC Inc. DMZs are to be kept on file with the IT Operations Department.

3.1.3 Business Case

All production extranet connections must be accompanied by a valid business justification, in writing, that is approved by a project sponsor. DMZ connections must be approved by the InfoSec Department. Typically this function is handled as part of the Third Party Agreement.

3.1.4 Point Of Contact

The Sponsoring Organization must designate a person to be the Point of Contact (POC) for the extranet connection. The POC acts on behalf of the Sponsoring Organization, and is responsible for those portions of this policy and the Third Party Agreement that pertain to it. In the event that the POC changes, the relevant extranet organization must be informed promptly. A POC must also be identified for the external party to the extranet connection.

3.2 Establishing Connectivity

Sponsoring Organizations within ABC Inc. that wish to establish connectivity to a third party are to file a new site request <Check for correct terminology> with the IT Operations group. The extranet group will engage InfoSec to address security issues inherent in the project. If the proposed connection is to terminate within a DMZ at ABC Inc., the Sponsoring Organization must engage the InfoSec department. The Sponsoring Organization must provide full and complete information as to the nature of the proposed access to the extranet group and InfoSec department, as requested. All connectivity established must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will ABC Inc. rely upon the third party to protect ABC Inc.'s network or resources.

3.3 Modifying or Changing Connectivity and Access

All changes in access must be accompanied by a valid business justification, and are subject to security review. Changes are to be implemented via the corporate change management process. The Sponsoring Organization is responsible for notifying the IT Operations group and/or InfoSec when there is a material change in their originally provided information so that security and connectivity evolve accordingly.

3.4 Terminating Access

When access is no longer required, the Sponsoring Organization within ABC Inc. must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean anything from a modification of existing permissions up to terminating the circuit, as appropriate. The IT Operations group must conduct an audit of their respective connections on an annual basis to ensure that all existing connections are still needed, and that the access provided meets the needs of the connection. Connections that are found to be deprecated, and/or are no longer being used to conduct ABC Inc. business, will be terminated immediately. Should a security incident, or a finding that a circuit has been deprecated and is no longer being used to conduct ABC Inc. business, necessitate a modification of existing permissions or termination of connectivity, InfoSec and/or the IT Operations group will notify the POC or the Sponsoring Organization of the change prior to taking any action.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Circuit: For the purposes of this policy, circuit refers to the method of network access, whether it's through traditional ISDN, Frame Relay etc., or via VPN/Encryption technologies.

Sponsoring Organization: The ABC Inc. organization that requested that the third party have access into ABC Inc.

Third Party: A business that is not a formal or subsidiary part of ABC Inc.

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________


Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153