Door maintains a secure network infrastructure through the policies enumerated below, in order to protect the integrity and confidentiality of client and company data and to mitigate the risk of a security incident. The purpose of this policy is to establish the guidelines for IT security and to communicate the controls necessary for a secure network infrastructure. The network security policy provides the practical mechanisms that support Door’s comprehensive set of security policies. This policy covers all IT systems and devices that comprise the company network or that are otherwise controlled by company staff or by third parties on the company’s behalf.
The creation and management of all accounts, including system and user accounts, must be authorized in advance by the IT Director in consultation with Head of Infrastructure.
Access to and maintenance of application systems, network components (including routers, firewalls, etc.), operating systems, virtualization components, hypervisors, or other information objects is restricted to authorized staff only.
Such access shall be granted based on job function: staff receive only the access their role requires, and no more.
Default system accounts (e.g., guest, administrator) will always be disabled, or renamed where they cannot be disabled, as part of the initial system build. Renaming alone is not sufficient if the account keeps its default password.
The following statements apply to the construction of passwords for network devices:
Repeated logon failures can indicate an attempt to ‘crack’ a password and gain unauthorized access to a network account. To guard against password-guessing and brute-force attempts, the Company will lock a user’s account after 5 unsuccessful login attempts. The locked account shall remain locked for a minimum of one hour, or until the IT Department manually unlocks the account in response to a support request from the user. Lockout events are logged so that repeated lockouts against one account, or from one source, can be investigated.
To protect against account enumeration, the error message returned after a logon failure must not indicate whether the account name or the password was incorrect, and the response must not otherwise differ (for example in wording or response time) between an unknown account and a wrong password. The error can be as simple as “the username and/or password you supplied were incorrect”.
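As an added illustration of the lockout and error-message requirements above (example code written for this policy, not part of Door’s systems), the following Python sketch shows a login check that returns one generic message for unknown accounts, wrong passwords and locked accounts alike, locks an account after 5 failures for one hour, and spends the same password-hashing effort on unknown accounts so that response timing does not reveal whether a username exists. The weaker variant `login_weak` is included only to show the disclosing behaviour the policy forbids. The account names, the injectable clock and the PBKDF2 work factor are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

MAX_FAILURES = 5            # policy: lock after 5 unsuccessful attempts
LOCKOUT_SECONDS = 3600      # policy: remain locked for at least one hour
GENERIC_ERROR = "The username and/or password you supplied were incorrect."
PBKDF2_ROUNDS = 100_000     # illustrative work factor, an assumption for this example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failures since the last success or lock
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class AuthService:
    """Minimal authentication service implementing the lockout / error-message policy."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.accounts: Dict[str, Account] = {}
        self.clock = clock  # injectable so the lockout window can be tested
        # Decoy record: unknown usernames are checked against it so the request
        # costs the same hashing work as a real account (no timing leak).
        decoy_salt = os.urandom(16)
        self._decoy = Account(salt=decoy_salt,
                              pw_hash=hash_password(os.urandom(32).hex(), decoy_salt))

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt=salt, pw_hash=hash_password(password, salt))

    def login_weak(self, username: str, password: str) -> Tuple[bool, str]:
        """Disclosing variant (what the policy forbids): distinct messages let an
        attacker enumerate valid usernames, and nothing limits guessing."""
        acct = self.accounts.get(username)
        if acct is None:
            return False, "Unknown username."
        if hash_password(password, acct.salt) != acct.pw_hash:
            return False, "Incorrect password."
        return True, "OK"

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        """Policy-conforming variant: one generic failure message, lockout after
        MAX_FAILURES, and equal hashing work for known, unknown and locked accounts."""
        now = self.clock()
        acct = self.accounts.get(username)
        record = acct if acct is not None else self._decoy
        # Always do the hash comparison, even when the outcome is already decided,
        # so that timing is indistinguishable across the failure cases.
        matches = hmac.compare_digest(hash_password(password, record.salt), record.pw_hash)
        if acct is None:
            return False, GENERIC_ERROR
        if now < acct.locked_until:
            return False, GENERIC_ERROR          # locked: deny even a correct password
        if not matches:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0               # fresh counter once the lock expires
            return False, GENERIC_ERROR
        acct.failures = 0
        return True, "OK"

    def is_locked(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and self.clock() < acct.locked_until

    def admin_unlock(self, username: str) -> None:
        """Manual reset by the IT Department following a verified support request."""
        acct = self.accounts[username]
        acct.locked_until = 0.0
        acct.failures = 0
```

Note that the lock is checked only after the password hash has been computed: if the locked branch returned early, a locked account would answer measurably faster than an unlocked one, which is itself a signal an attacker can use.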
User and privileged account (e.g., system or security administrator) passwords, with the exception of the AWS root account password, must be changed at least every 90 days, enforced through group policy. To mitigate the security risk associated with the AWS root account, the following controls are implemented:
The AWS root account password has been changed to a highly complex password and is combined with a physical 2FA (two-factor authentication) device; both are stored in a secure location to which only the IT Directors have access. Routine administration is performed with the separate administrative credentials described below, not with the root account.
All accounts (where the platform supports it) have 2FA enabled, using either software or hardware 2FA devices.
All users requiring privileged access (e.g., system or security administrator access) have been issued separate administrative credentials, distinct from the accounts they use for day-to-day work.
Where feasible, the accounts used to reach hosts in private subnets are prevented from logging on to those hosts locally or over RDP (Remote Desktop Protocol) or SSH (Secure Shell) from unapproved sources; at the network layer this is enforced by security groups and NACLs (Network Access Control Lists) that restrict which sources may reach those ports. Security groups and NACLs control network reachability, not account logon rights, so they complement rather than replace logon restrictions configured on the hosts themselves.
Additionally, the following requirements apply to changing network device passwords:
If any network device password is suspected to have been compromised, all network device passwords must be changed promptly.
If a Company network or system administrator leaves the Company, all passwords to which the administrator could have had access must be changed promptly. This statement also applies to any consultant or contractor who has access to administrative passwords.
Where passwords are used, a mechanism must be implemented that enforces the Company’s password policies on construction, changes, re-use, lockout, etc.
As a rule, administrative (also known as “root”) access to systems should be limited to those who have a legitimate business need for it. This is particularly important for network devices, since administrative changes can have a major effect on the network and therefore on network security. Additionally, all administrative access to network devices should be logged.
The following sections detail the Company’s requirements for logging and log review.
Logs from application servers are of interest because these servers often accept connections from a large number of internal and/or external sources, and are often integral to smooth business operations.
Logs from network devices are of interest because these devices control all network traffic and can have a huge impact on the Company’s security.
Critical devices are any systems that are critically important to business operations. Such systems may also fall under one of the categories above; where they do, the requirements of this section take precedence.
Alerting should be placed on log streams for common/known attack scenarios (for example, repeated logon failures against one account, or logon failures from one source against many accounts). Logs should be reviewed when alerts are triggered and also proactively when analysing vulnerability bulletins.
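As an added example of what such alerting can look like over a real log stream (illustrative code written for this policy, not a description of Door’s tooling), the following Python detector reads OpenSSH “Failed password” lines in syslog format and raises two kinds of alert: a brute-force alert when one source fails against one account at least 5 times within a window (the same figure as the lockout rule), and a password-spraying alert when one source fails against 3 or more distinct accounts within the window, a pattern that per-account lockout does not catch because each account sees only one or two failures. The sample log lines, hostnames and addresses are constructed, and the 10-minute window and the spray threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Matches OpenSSH failure lines in syslog format, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

BRUTE_FORCE_THRESHOLD = 5   # same figure as the account lockout rule
SPRAY_DISTINCT_USERS = 3    # assumed threshold for this example
WINDOW_SECONDS = 600        # assumed 10-minute sliding window

# Constructed sample log (not real traffic): one source brute-forcing "alice",
# a second source spraying one guess across four accounts, and a user who
# mistypes a password twice and then logs in successfully.
SAMPLE_LOG = """\
Jan 12 03:14:01 web1 sshd[2101]: Failed password for alice from 203.0.113.7 port 40211 ssh2
Jan 12 03:14:09 web1 sshd[2101]: Failed password for alice from 203.0.113.7 port 40212 ssh2
Jan 12 03:14:17 web1 sshd[2101]: Failed password for alice from 203.0.113.7 port 40213 ssh2
Jan 12 03:14:25 web1 sshd[2101]: Failed password for alice from 203.0.113.7 port 40214 ssh2
Jan 12 03:14:33 web1 sshd[2101]: Failed password for alice from 203.0.113.7 port 40215 ssh2
Jan 12 03:14:41 web1 sshd[2101]: Failed password for alice from 203.0.113.7 port 40216 ssh2
Jan 12 03:20:02 web1 sshd[2188]: Failed password for invalid user bob from 198.51.100.9 port 51000 ssh2
Jan 12 03:20:30 web1 sshd[2189]: Failed password for carol from 198.51.100.9 port 51001 ssh2
Jan 12 03:21:05 web1 sshd[2190]: Failed password for dave from 198.51.100.9 port 51002 ssh2
Jan 12 03:21:40 web1 sshd[2191]: Failed password for erin from 198.51.100.9 port 51003 ssh2
Jan 12 03:30:00 web1 sshd[2301]: Failed password for frank from 192.0.2.5 port 60001 ssh2
Jan 12 03:30:12 web1 sshd[2301]: Failed password for frank from 192.0.2.5 port 60001 ssh2
Jan 12 03:30:20 web1 sshd[2301]: Accepted password for frank from 192.0.2.5 port 60001 ssh2
"""

Event = Tuple[datetime, str, str]  # (timestamp, source ip, username)


def parse_failures(lines) -> List[Event]:
    """Extract failed-logon events; other lines (e.g. 'Accepted password') are ignored.
    Syslog timestamps carry no year, so the parsed year is 1900; only differences matter here."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["user"]))
    events.sort()
    return events


def max_in_window(times: List[datetime], window: int) -> int:
    """Largest number of events falling within any span of `window` seconds (two-pointer sweep)."""
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def max_distinct_in_window(events: List[Tuple[datetime, str]], window: int) -> int:
    """Largest number of distinct usernames seen from one source within any window."""
    best = start = 0
    for end in range(len(events)):
        while (events[end][0] - events[start][0]).total_seconds() > window:
            start += 1
        best = max(best, len({user for _, user in events[start:end + 1]}))
    return best


def detect(lines) -> List[tuple]:
    """Return alerts as ('brute_force', ip, user, count) or ('password_spray', ip, distinct_users)."""
    per_target: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    per_source: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in parse_failures(lines):      # already sorted by time
        per_target[(ip, user)].append(ts)
        per_source[ip].append((ts, user))
    alerts = []
    for (ip, user), times in per_target.items():
        n = max_in_window(times, WINDOW_SECONDS)
        if n >= BRUTE_FORCE_THRESHOLD:
            alerts.append(("brute_force", ip, user, n))
    for ip, evs in per_source.items():
        d = max_distinct_in_window(evs, WINDOW_SECONDS)
        if d >= SPRAY_DISTINCT_USERS:
            alerts.append(("password_spray", ip, d))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as-is it reports one brute-force alert for 203.0.113.7 against alice and one spraying alert for 198.51.100.9 across four accounts; frank’s two typos stay below both thresholds. The spraying rule is the one worth keeping in mind when reviewing lockout statistics: a source that never trips the per-account lock can still be working through the whole user list.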
Audit logs are protected against modification and deletion and are backed up, to ensure their integrity and availability. Alerting is placed on all audit logs.
Production system audit logs must be retained for a minimum of 6 months.
When referring to firewalls, this policy covers both the on-premises firewall used for local routing and the public cloud firewalls. Public cloud firewalls are software-defined and apply at several layers (for example, security groups at the instance level and NACLs at the subnet level). This policy generalises the term to cover all infrastructure that performs the function of a firewall.
The following statements apply to Door’s implementation of firewall technology:
Firewalls must be configured to filter outbound connections from the network. Blocking outbound traffic prevents users from accessing unnecessary or dangerous services. By specifying exactly which outbound traffic to allow, all other outbound traffic is blocked by default. If a host were to become compromised, this type of filtering limits the ability of rootkits, viruses, and other malicious tools to reach command-and-control servers or exfiltrate data.
The following policy statements apply to the Company’s implementation of networking hardware:
The Company recognizes that certain steps must be taken to prepare new hardware and software for deployment.
The following statements apply to the Company’s network servers:
Door requires the use of either a network intrusion detection system (NIDS) or a network intrusion prevention system (NIPS) on critical or high-risk network segments.
Door will install a NIDS or NIPS to monitor all external network connections.
The following sections detail the Company’s requirements for security testing.
The Company conducts monthly vulnerability scans that encompass all networks and hosts.
Findings from vulnerability scans will be tracked, and rescans will be performed until the findings are confirmed as remediated.
Internal security testing by members of Door’s IT team or contracted IT support staff is required annually. Internal security testing is permitted only with the approval of the Head of Infrastructure, in consultation with Door’s contracted IT support staff. Such testing must have no measurable negative impact on Door’s systems or network performance.
External security scans for known vulnerabilities and threats by a third-party entity will be conducted every 6 months.
Good network design is integral to network security. By implementing network segmentation, that is, separating the network into different segments, Door reduces its network-wide risk from an attack or virus outbreak: a compromise in one segment does not give direct access to the others. Security is further increased when traffic between segments must traverse additional enforcement/inspection points such as firewalls.
Network documentation, specifically as it relates to security, is important for efficient and successful network management. Further, the process of regularly documenting the network ensures that the Company’s IT staff have a common understanding of the network architecture at any given time.
Network documentation should include:
This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.
Further information and advice on this policy can be obtained from the Door Team, policies@doorfunds.com.