Information Security Management System

NETWORK SECURITY PROCEDURE



Introduction

The purpose of this procedure is to prevent unauthorized access to the ETISAL International network.

Scope

The ETISAL INTERNATIONAL Network Security Procedure applies to all end-users, business partners and third parties who have access to ETISAL INTERNATIONAL information, information processing facilities or IT assets residing on its network, or who otherwise have access to its network.

Use of Network Services

Access to external networks such as the Internet shall be strictly based on the terms and conditions laid down in the Internet Access Policy.

Network Monitoring Software may be deployed for the servers in order to identify any intrusions, unauthorized access attempts, performance issues, etc. Any incidents or events identified must be reported as per the terms and conditions stated in the ETISAL INTERNATIONAL Incident Management Policy.

Reports generated by the Network Monitoring Software on a weekly / monthly basis shall be reviewed by Executive-Support and escalated to VP-Support and VP-Security Testing upon any deviation. Firewall ruleset reviews are completed twice per year.

For the purpose of Vulnerability Assessment, Penetration Testing and Web Application Assessment, it may be required to enable privileged network access for the consultant conducting the scan. All such requests need approval and authorisation from the Principal Consultant prior to their execution.

Users are not allowed to access any external network, including the Internet, using a source other than the one provided by ETISAL INTERNATIONAL. Bypassing the Company's network security by accessing the Internet directly by modem or other means such as PSTN, CDMA, GPRS, EDGE, GSM etc. is strictly prohibited.

Authorisation to access information / data contained in any network connected to ETISAL INTERNATIONAL shall be strictly based upon business requirement, in accordance with access control.

Network services and protocols identified as vulnerable or obsolete must not be configured on any system, including servers, network devices, laptops and desktops. If at all required, an alternate secure means shall be implemented instead, after due authorization from VP-Security Testing or VP-Support.

User Authentication for External Connection

Authentication of remote users shall be achieved using strong passwords, based upon the password management policy identified and laid down by ETISAL INTERNATIONAL management.

Equipment Identification in Networks

Equipment, prior to connecting to the ETISAL INTERNATIONAL internal network, must be authorised by VP-Support and / or VP-Security Testing as per the Asset Management Procedure laid down by ETISAL INTERNATIONAL management.

Connecting personal equipment such as laptops, desktops, mobile devices, and dial-up media such as GPRS, EDGE, GSM, PSTN etc. for any kind of business / non-business purpose is strictly prohibited.

Media / information classified as critical / sensitive must be scanned using an authorised, updated antivirus scanner prior to connecting to the ETISAL INTERNATIONAL internal network. Employees must ensure that any equipment, prior to connecting to the ETISAL INTERNATIONAL network, is duly authorised and scanned for any malicious code or programs (if it contains preloaded information / programs). For equipment such as network devices which cannot be scanned using an antivirus scanner, the respective Executive shall ensure that the device does not have any traffic rules that may allow unauthorised access to / breach of information residing on the ETISAL INTERNATIONAL network.

Remote Diagnostic and Configuration Port Protection

Access to diagnostic and configuration ports is strictly controlled. All network devices mounted in the rack will be protected from physical intrusion as per the Physical Access Control Policy. Any change requiring physical or logical access to equipment connected to the ETISAL INTERNATIONAL network is subject to strict change management and control as per the process outlined in the Change Management Procedure.

The respective Executive will ensure that proper timeouts and session inactivity intervals are configured on configuration ports to defeat any dictionary / brute-force-based login attack. If not in use, these configuration ports must be disabled.

Strong passwords in line with the ETISAL INTERNATIONAL password management policy must be configured by the respective consultants to restrict access to remote diagnostic and configuration ports.

Segregation in Network

Segregation between systems connected to the ETISAL INTERNATIONAL Internal and External LAN will be achieved using a router.

Segregation between external networks such as the Internet and the ETISAL INTERNATIONAL Network will be achieved using a gateway with appropriate filtering rules authorized by VP-Support or VP-Infrastructure.

Segregation of the DMZ hosting critical public-facing servers, such as the ETISAL INTERNATIONAL email server, Web Server etc., will be achieved using a Firewall with appropriate access control policies and filtering rules configured. These filtering rules will be configured by Executive-Support/Infrastructure.

VP-Security Testing will ensure that regular audits and vulnerability assessments of the entry points into the ETISAL INTERNATIONAL network are conducted, and that any issue / risk identified is mitigated in line with the respective policies.

Network Connection Control

Network access rights of users connected to the ETISAL INTERNATIONAL Internal or External LAN will be restricted based on the access control policies of ETISAL INTERNATIONAL. The connection capability of users will be restricted through network gateways that filter traffic such as file transfers, vulnerable / obsolete services etc.

Network Routing Control

Network routing controls will be implemented by Executive-Support/Infrastructure at the gateway level to ensure that connections from unauthorised and unidentified networks and links are restricted and filtered. The routing and access rules configured must be approved by VP-Support/Infrastructure.

Traffic entering the ETISAL INTERNATIONAL Network will be monitored using network monitoring software by Executive-Infrastructure, and any alarm, incident or event will be reported as per the Incident Management Procedure, whenever deemed necessary by VP-Support/Infrastructure.

Network address translation will be configured at the gateway level to protect the internal IP addressing schema from being disclosed.

Configuration-level / device-level audits will be conducted quarterly to ensure that no persistent or poisoned routes are present. VP-Security Testing will ensure that the security issues identified in device-level audits are addressed and the associated risk mitigated.