Page 20 - Information_Security_Program

NETWORK AND OPERATING SYSTEM SECURITY [DP250]

        Scope: Enterprise
        Distribution: Executive Leadership Team; Director of Information Technology, Privacy and Data Security; IT Staff, Director of IT
        Purpose: To restrict access to the organization’s network to authorized entities and to maintain a stable network.
        External Regulation or Standard: PCI DSS 1.1, 4.2, 5.2, 6.1

| Who is Responsible | Statement Number | Policy, Standard, or Procedure Statement |
|---|---|---|
| IT Staff | DP250.1 | The organization’s IT Staff will host its systems within trusted networks, which maintain the measures in this policy. |
| IT Staff | DP250.2 | The organization’s IT Staff will clearly define and secure boundaries at all access points to the network. |
| IT Staff with approvals | DP250.3 | All new extranet connections must pass a formal approval process overseen by the Chief Financial Officer and reported to the Director of Information Technology, Privacy and Data Security. |
| IT Staff; Director of Information Technology, Privacy and Data Security | DP250.4 | The organization’s IT Staff will maintain firewalls on dedicated devices and report status on a regular basis. |
| IT Staff | DP250.5 | Establish firewall and router configuration standards that include the measures in this section. |
| IT Staff | DP250.6 | Provide quarterly reports to the Chief Financial Officer on the status of firewall and router rule sets. |
| IT Staff | DP250.7 | Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the restricted data environment. |
| IT Staff | DP250.8 | Implement stateful inspection or dynamic packet filtering. |
| IT Staff | DP250.9 | Restrict inbound traffic to that which is necessary for business purposes, denying all other inbound and outbound traffic not specifically allowed. |
| IT Staff | DP250.10 | Secure and synchronize router configuration files. |
| IT Staff | DP250.11 | Install perimeter firewalls between any wireless network and the restricted data environment, configuring these firewalls to deny any traffic from the wireless environment or to control any such traffic. |
| IT Staff | DP250.12 | Prohibit direct public access between external networks and any system components (such as databases, logs, and trace files) that store Privacy Restricted data. |
| IT Staff | DP250.13 | Restrict outbound traffic from Privacy Restricted applications to IP addresses. |
| IT Staff | DP250.14 | Deploy and configure tools to detect a compromise of network or boundary-device security. |
| IT Staff | DP250.15 | Monitor firewall capacity utilization every 15 minutes to protect against denial-of-service attacks. |
| IT Staff | DP250.16 | Maintain routers and implement routing rules. |
| IT Staff | DP250.17 | Document firewall rule-set and router-configuration rationale. |
| IT Staff | DP250.18 | Maintain a current network diagram with all connections to Privacy Restricted data, including any wireless networks. |
| IT Staff | DP250.19 | Maintain a documented list of services and ports necessary for business purposes. |
| IT Staff | DP250.20 | Limit open ports. |
| IT Staff | DP250.21 | Disable services and protocols not directly needed to perform the devices’ specified function, and remove unnecessary scripts, drivers, features, subsystems, file systems, and web servers. |

                                                                                                         17 | Page
        GES CONFIDENTIAL