3.1 Management
3.1.1 The company's IT network services must be administered only by Infinit-O IT personnel or its 3rd party vendors.
3.1.2 Any changes by 3rd party vendors must be monitored and carried out under the supervision of Infinit-O IT.
3.1.3 Major Changes to the network system/services must pass appropriate change management procedures.
3.1.4 Minor changes shall be logged and handled through the ticketing desk system.
3.2 Security
3.2.1 Security devices or technologies must be implemented to control the flow of information in and out of the company's network infrastructure and to protect network services whenever applicable. This may include but is not limited to proxy servers, firewalls, intrusion prevention systems and authentication methods.
3.2.1.1 Security logs and/or monitoring systems are to be implemented when available and must be maintained and reviewed regularly.
3.2.1.2 Segregation of Network domains must be implemented when available.
3.2.2 All incoming ports and protocols shall be explicitly denied unless authorized. Authorization should include purpose and use.
3.2.3 Connections from outside the network and into the company systems must be established via VPN.
3.2.4 Connections from outside the network and into the company systems must be limited only to the necessary ports or protocols and servers.
3.2.5 Clients are required to provide secure channels of connection to their information processing systems when available.
3.3 Network services and servers
3.3.1 Network services and applications should be hosted on dedicated computer systems or servers.
3.3.2 All servers are to be situated inside the server room when applicable.
3.3.3 Access to server rooms and servers must be limited only to the IT Team. Non-IT team members and visitors shall be logged for recording purposes.
3.4 Session time out
3.4.1 Inactive sessions must be shut down or disconnected when available.
3.4.2 Session timeout must be configured on all capable systems, services and devices.
3.5 Limitation of connection time
3.5.1 Systems, services or applications that are capable of limiting connection time (day/hour/minute) must be configured to do so.
3.6 Utility Programs
3.6.1 Only IT personnel may use system utility programs for workstation and server administration.
3.6.2 Utility programs include but are not limited to:
3.6.2.1 SSH
3.6.2.2 Remote Desktop
3.6.2.3 WinSCP
3.6.3 Utility programs using non-secure channels must be provisioned with additional layers of control or changed to a more secure protocol, as in the following examples:
3.6.3.1 Telnet -> Replace with SSH or use VPN/SSH tunnels
3.6.3.2 FTP -> Use via VPN/ SSH tunnels or replace with SFTP
3.7 Mobile Codes
3.7.1 Only the IT Head or the Managing Director/CIO can authorize use of mobile codes.
3.7.2 Mobile codes must be tested prior to deployment.
3.7.3 Mobile code consists of small pieces of software automatically downloaded to the user's workstation and executed without the user's initiation or knowledge.
3.8 Software updates
3.8.1 Team members are encouraged to proceed with application software updates if prompted by the system. Team members may also coordinate with the IT team on installation and removal of software updates.
3.8.2 Only IT team members are allowed to conduct OS level updates.
3.8.3 Software updates include but are not limited to:
3.8.3.1 Security Patches
3.8.3.2 Application update Patches
3.8.3.3 OS Version upgrade
3.9 Encryption
3.9.1.1 Please refer to the IT Encryption and Cryptographic Control Policy.
3.10 Disposal of Media
3.10.1 Any IT media containing information must be securely erased prior to disposal.
3.10.2 Please see IT Asset Disposal.
3.11 Teleworking
3.11.1.1 Please refer to the Teleworking and Mobile Device Policy.
3.12 System Hardening
3.12.1 Prior to deployment, systems are to be hardened according to the following security hardening guideline at minimum.
3.12.2 Routers
3.12.2.1 Change default passwords
3.12.2.2 Enable SSH administration
3.12.2.3 Disable Telnet administration
3.12.2.4 Remove HTTP administration
3.12.3 Switches
3.12.3.1 Change default passwords
3.12.3.2 Enable SSH administration
3.12.3.3 Disable Telnet administration
3.12.3.4 Remove HTTP administration
3.12.4 Firewalls
3.12.4.1 Change default passwords
3.12.4.2 Enable SSH administration
3.12.4.3 Disable Telnet administration
3.12.4.4 Remove HTTP administration
3.12.4.5 Servers
3.12.5 Linux Servers/Computers
3.12.5.1 Change default root passwords
3.12.5.2 Disable unneeded services
3.12.5.3 Enable SSH Administration
3.12.5.4 Disable Telnet Administration
3.12.6 Windows Servers
3.12.6.1 Change default passwords
3.12.6.2 Disable unneeded services
3.12.6.3 Disable Guest accounts
3.12.6.4 Enable Network Level Authentication for RDP
3.12.7 Windows Desktop Computers
3.12.7.1 Change default passwords
3.12.7.2 Disable guests
3.12.7.3 Remove unneeded software
3.12.7.4 Enable Network Level Authentication for RDP
3.12.8 Windows Laptops
3.12.8.1 Change default passwords
3.12.8.2 Disable guests
3.12.8.3 Remove unneeded software
3.12.8.4 Enable Network Level Authentication for RDP
3.12.8.5 Deploy full disk encryption
3.12.9 Other OS if applicable
3.12.9.1 Refer to the system hardening guides recommended by the vendor.
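As an added example (not Infinit-O's own tooling), a small Python audit that checks a Linux host's service state against 3.12.5.2 to 3.12.5.4 and its sshd keepalive settings against 3.4.2. The systemd unit names, the "unneeded services" list and the 900-second idle limit are assumptions, and the sample inputs are constructed.

```python
"""Audit a Linux host against 3.12.5 and the 3.4 session-timeout rule. Added example, not
Infinit-O tooling: inputs are constructed; on a real host feed it the output of
`systemctl list-unit-files --no-legend` and /etc/ssh/sshd_config."""
# Unit names are assumptions: any SSH unit satisfies 3.12.5.3, any telnet unit fails 3.12.5.4.
SSH_UNITS = {"ssh.service", "sshd.service"}
TELNET_UNITS = {"telnet.socket", "telnet.service", "telnetd.service"}
# Hypothetical "unneeded services" for 3.12.5.2; the policy leaves the actual set to IT.
UNNEEDED_UNITS = {"rpcbind.service", "cups.service", "avahi-daemon.service"}

def parse_unit_files(listing: str) -> dict:
    """Map unit name -> state from `systemctl list-unit-files --no-legend` output."""
    units = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            units[parts[0]] = parts[1]
    return units

def parse_sshd_config(text: str) -> dict:
    """Effective sshd settings with lower-cased keys; first occurrence wins, as sshd does."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *rest = line.replace("=", " ", 1).split(None, 1)
            settings.setdefault(key.lower(), rest[0].strip() if rest else "")
    return settings

def audit(units: dict, sshd: dict, max_idle_seconds: int = 900) -> list:
    """Return policy findings; an empty list means the host passes these checks."""
    findings = []
    if not any(units.get(u) == "enabled" for u in SSH_UNITS):
        findings.append("3.12.5.3: no SSH service is enabled")
    for u in sorted(TELNET_UNITS | UNNEEDED_UNITS):
        if units.get(u) == "enabled":
            findings.append(f"{'3.12.5.4' if u in TELNET_UNITS else '3.12.5.2'}: {u} is enabled")
    # 3.4: sshd drops a client that stops answering keepalive probes after ClientAliveInterval *
    # ClientAliveCountMax seconds (0 disables this). Dead connections only; idle shells also need TMOUT.
    interval = int(sshd.get("clientaliveinterval", "0"))
    count = int(sshd.get("clientalivecountmax", "3"))
    if interval == 0:
        findings.append("3.4.2: ClientAliveInterval is 0, unresponsive SSH sessions are never dropped")
    elif interval * count > max_idle_seconds:
        findings.append(f"3.4.2: SSH dead-client timeout {interval * count}s exceeds {max_idle_seconds}s")
    return findings

# Constructed sample: a host that still has telnet enabled and no keepalive timeout.
SAMPLE_UNITS = "ssh.service enabled enabled\ntelnet.socket enabled enabled\ncups.service disabled enabled\n"
SAMPLE_SSHD = "Port 22\n#ClientAliveInterval 0\nClientAliveCountMax 3\n"
print(*audit(parse_unit_files(SAMPLE_UNITS), parse_sshd_config(SAMPLE_SSHD)), sep="\n")
```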
3.13 Breach of Policy
3.13.1 Breaches of this policy and/or security incidents can be defined as events which could have resulted, or have resulted, in loss or damage to company assets, or an event which is in breach of the company's security procedures and policies. All company employees, partner agencies, third parties and vendors have a responsibility to report security incidents and breaches of this policy immediately through the company's QISMS reporting system (third parties, partners or vendors may relay the report to their direct contact). This obligation also extends to any external organization contracted to support or access the Information Systems of the Company.
3.13.2 The Company will take appropriate measures to remedy any breach of the policy and its associated procedures and guidelines; breaches will be dealt with under the disciplinary procedures.