Workstation Configuration Security Policy
Revised: 06/30/2009
1. Purpose.
The purpose of this policy is to establish standards for the base configuration of workstations that are owned or operated by TCCC-RYSS. Effective implementation of this policy will minimize unauthorized access to the TCCC-RYSS Information Technology Network and other Proprietary Information and technology.
2. Scope.
This policy applies to all TCCC-RYSS Information Technology Network workstation equipment owned or operated by TCCC-RYSS, and to workstations registered under any TCCC-RYSS-owned internal Network domain.
3. Policy.
Ownership and Responsibilities
All TCCC-RYSS Information Technology Network workstations at TCCC-RYSS must be the responsibility of an operational group that is responsible for system administration. Approved workstation configuration standards must be established and maintained by each operational group, based on business needs. Operational groups must monitor configuration compliance and request special approval for any noted exceptions. Each operational group must establish a process for changing the configuration standards, which includes review and approval by appropriate Information Security personnel.
1. Workstations must be registered within the TCCC-RYSS Security Management System. At a minimum, the following information is required to positively identify the point of contact:
a. Workstation contact(s) and location, and a backup contact
b. Hardware and Operating System (OS) version numbers
c. Main functions and applications, if applicable
2. Information in the TCCC-RYSS Security Management System must be kept current.
3. Configuration changes for workstations must comply with the Change Management Policy documentation.
31
General Configuration Standards
1. OS configuration must comply with approved Information Security Standards.
2. Services and applications that are unused must be disabled where practical. Exceptions must be noted and approved by authorized Information Security personnel.
3. Access to Services must be protected through authorized access-control methods (e.g. TCP wrappers), if possible.
4. The most recent Security Patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
5. Trust Relationships between systems constitute a Security risk, and their use should be avoided and should not be used when another method of communication will suffice.
6. The standard Security principle of Least Required Access must be utilized when performing a function.
7. If a methodology for Secure Channel connection is available (i.e. technically feasible), privileged access must be performed over Secure Channels (e.g. encrypted Network connections using IPSec or Secure Shell).
Monitoring
Security-related events must be reported to appropriate Information Security personnel, who review Logs and report incidents to management-level personnel in the Information Technology Services department. Corrective measures are prescribed as needed. Security-related events include (but are not limited to):
1. Port scan attacks
2. Evidence of unauthorized access to privileged accounts or data
3. Anomalous occurrences that are not related to specific applications on the Host
Compliance
1. Audits are performed on a regular basis by authorized parties within TCCC-RYSS.
2. Audits are managed by the TCCC-RYSS’s internal audit group or appropriate Information Security personnel, in accordance with the Audit Policy documentation. Findings not related to a specific operational group are filtered by Information Security personnel, and then presented to the appropriate support staff for remediation or justification.
3. Reasonable efforts are made to prevent audits from causing operational failures or disruptions.
32
4. Enforcement.
Any Authorized User found to be in violation of this policy will be considered an Unauthorized User, and as such are subject to disciplinary action pursuant with the Enforcement section of the Unauthorized Use Policy.
