Sample Critical Infrastructure Protection Policy

Introduction

Protecting the network, physical and information systems infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and services across the XYZ organization. Network infrastructure contains of interconnected devices planned to transport communications essential for data, applications, services, and multi-media. Physical infrastructure contains how to preserve all the devices, servers, physical files.

Scope

This policy applies to all employees of XYZ organization as well as any other users of the network infrastructure, including independent contractors or others who may be given access on a temporary basis to organization’s systems. Information transferred or stored on XYZ organization’s resources is the property of the organization unless it is specifically identified as the property of other parties.

Policy

  • Organization reserves the right to remove any unauthorized cables, connections, and hardware.
  • Decide whether new payment products and emerging technologies pose increased risk due to the lack of maturity of the respective control environments.
  • To verify that the physical security procedures have been implemented and are working properly the organization should use third parties.
  • AII Network Infrastructure equipment within the organization network shall be owned and maintained by the organization.
  • Unencrypted remote admin protocols which are used to manage network infrastructure should be disabled.
  • Control the entrance and exit of employees from areas such as office buildings, data centers or rooms containing local area network servers.
  • Unnecessary services like discovery protocols, source routing, HTTP, SNMP, BOOTP should be disabled. 
  • Console, auxiliary, and VTY line access should be secured.
  • IT equipment and the servers, workstations that allow staff access to the applications must be secure and protected from unexpected damage or loss. Some physical controls should lock in rooms with restricted access.
  • Private Virtual LANs should be used to isolate a user from the rest of the broadcast domains.
  • Virtual Routing and Forwarding (VRF) technology must be used to segment network traffic over multiple routing tables concurrently on a solo router.
  • WLAN equipment should only can access by authorized persons.
  • Physically security controls such processes as fingerprint scanner, access controls should be protected.
  • Strong password policies should be used in all network devices.
  • Organization must develop or adopt a disaster recovery and emergency response plan covering its critical network infrastructure.
  • No unauthorized staff are allowed to access any Company systems in any location.
  • All present and new clients are instructed their security duties.
  • Access to communications infrastructure must be limited to suitable and accepted personnel. Where reasonable, communications equipment should be kept in devoted enclosures.
  • XYZ Organization must launch and continue a program to control its Internet Protocol (IP) network address space including both dynamic and static addressing.
  • Robust disaster recovery and business continuity procedures are in place.
  • Employees agree to never disclose their passwords to anyone, particularly to family members if business work is conducted from home
  • To correctly deal with risks such as failure, natural threats the hardware must be installed in an environment which agrees the organization.
  • Electronic filing systems and documentation are well maintained for all critical job functions to ensure continuity.
  • Physical access to information assets and roles by users should be limited.
  • Remote users using non Company network infrastructure to gain access to Company resources, must employ for their devices and related infrastructure a company approved personal firewall, VPN, and any other security measure deemed necessary by the IT Department
  • Named individuals are given authority to administrate specific computer systems according to their job function and role following the principle of least privilege.
  • It is the obligation of any representative who is interfacing with the organizational system to ensure that all components of his association stay as secure as his system access inside the workplace.

Comments

Popular posts from this blog

Introduction to Encryption

How to do a Phishing attack on Facebook?

RESTful API