“De-Militarized Zone” Network Equipment Policy
Revised: 06/30/2009
1. Purpose.
TCCC-RYSS information technology resources that connect directly to the Internet are considered part of a "De-Militarized zone" (DMZ) on the TCCC-RYSS Information Technology Network. These resources are particularly vulnerable to attack since they are directly accessible from the Internet.
The purpose of this policy is to articulate standards that govern the use of all TCCC-RYSS Information Technology Network information technology resources, which are located within a TCCC-RYSS DMZ Network. These standards are designed to minimize the exposure of TCCC-RYSS from the loss of sensitive or confidential data, Intellectual Property, damage to the TCCC-RYSS’s public image, etc., which may result from Unauthorized Use of TCCC-RYSS Information Technology Network information technology resources.
The policy defines the following standards:
• Operational Group responsibility
• Secure configuration requirements
• Operational requirements
• Change control requirements
2. Scope.
All TCCC-RYSS Information Technology Network information technology resources deployed in a DMZ owned or operated by TCCC-RYSS, including but not limited to servers, Routers, or switches, must be operated in accord with this policy. Additionally, all information technology resources registered in any Domain Name System (DNS) domain owned by TCCC-RYSS are subject to this policy. Any devices outsourced or hosted at third-party service providers, if said information technology resources reside in the "park.edu" domain or appear to be owned by TCCC-RYSS, are also subject to this policy.
All new TCCC-RYSS Information Technology Network equipment that is subject to this policy must be configured according to the applicable configuration documents, unless a waiver is obtained from TCCC-RYSS Information Security personnel. All existing and future TCCC-RYSS Information Technology Network equipment deployed on a TCCC-RYSS DMZ Network must comply with this policy.
3. Policy.
Ownership and Responsibilities
TCCC-RYSS Information Technology Network equipment and applications within the scope of this policy must be administered by the Information Technology Services department, and be approved by authorized Information Security personnel for DMZ-level management of the relevant system, application, or Network access.
The Information Technology Services department is responsible for the following:
1. Documenting equipment in the TCCC-RYSS Security Management System, recording at least the following information:
a. Host contacts and location
b. Hardware and Operating System version numbers
c. Main functions and applications
d. Password groups for privileged passwords
2. Assuring that TCCC-RYSS Information Technology Network interfaces have appropriate DNS records (minimum of A and PTR records).
3. Assuring that password groups are maintained in accordance with the TCCC-RYSS Password Management System and the Password Policy.
4. Assuring that immediate access to TCCC-RYSS Information Technology Network equipment and system Logs is granted to Information Security personnel upon demand, in accordance with the Audit Policy.
5. Assuring that changes to TCCC-RYSS Information Technology Network existing equipment and deployment of new equipment comply with the TCCC-RYSS Change Management System and comply with the Change Management Policy.
To verify compliance with this policy, TCCC-RYSS Information Security personnel periodically perform an audit on DMZ equipment as set forth in the Audit Policy.
General Configuration Policy
All TCCC-RYSS Information Technology Network equipment must comply with the following configuration policy:
1. Hardware, Operating Systems, Services and applications must be approved by TCCC-RYSS Information Security personnel, as part of the pre-deployment review phase.
2. Operating System configuration must be done in accord with the secure server and Router installation and configuration standards, as defined in the Server Configuration and Workstation Configuration policy.
3. All Patches and updates recommended by the equipment vendor and Information Security personnel must be installed. This applies to all Services installed, even though those Services may be temporarily or permanently disabled. Operational Groups must have processes in place to stay current on appropriate Patches and updates.
4. Services and applications not serving business requirements must be disabled.
5. Trust Relationships between systems may only be introduced according to business requirements, must be documented, and must be approved by TCCC-RYSS Information Security personnel.
6. Services and applications not for general access must be restricted by Access Control Lists.
7. Insecure Services or Protocols (as determined by TCCC-RYSS Information Security personnel) must be replaced with more secure equivalents whenever such exist.
8. Remote administration must be performed over Secure Channels (e.g. encrypted Network connections using Secure Shell) or Console Access independent from a DMZ Network.
9. All server content updates must occur over Secure Channels.
10. Security-related events must be logged and audit trails saved to Logs approved by TCCC-RYSS Information Security personnel. Security-related events include, but are not limited to, the following:
a. User login failures
b. Failure to obtain privileged access
c. Access policy violations
New TCCC-RYSS Information Technology Network Installations and Change Management Procedures
All new installations and changes to the configuration of existing TCCC-RYSS Information Technology Network equipment and applications must comply with the following standards:
1. New installations must be done in compliance with the DMZ Equipment Deployment Process.
2. Configuration changes must comply with the TCCC-RYSS Change Management Policy.
3. Information Security personnel must be notified to perform system or application audits prior to the deployment of new Services.
4. Information Security personnel must be engaged, directly or in accordance with the TCCC-RYSS Change Management System, to approve all new deployments and configuration changes.
TCCC-RYSS Information Technology Network Equipment Outsourced to External Service Providers
The responsibility for the Security of TCCC-RYSS Information Technology Network information technology resources deployed by external service providers must be articulated in the contract with the service provider and must include Security contacts. Escalation procedures must also be documented. Contracting TCCC-RYSS departments are responsible for the third-party organization’s compliance with this policy.
4. Enforcement.
Any Authorized User found to be in violation of this policy will be considered an Unauthorized User, and as such are subject to disciplinary action pursuant with the Enforcement section of the Unauthorized Use Policy.
