Information Security Policies &

Procedures
1 INTERNET (FIREWALL & ROUTER) SECURITY
ADMINISTRATION POLICY
1.1 Overview
Firewalls are an essential component for information systems security infrastructure. All firewalls
are defined as security systems that control and restrict network connectivity between XXX and
other business entities. In addition to that firewalls used to restrict data flow within different
network segments of XXX IT infrastructure.

1.2 Purpose
The purpose of this policy is to define standards for provisioning security devices owned by XXX.
These standards are designed to minimize the potential exposure of XXX to the loss of sensitive
confidential data, intellectual property, damage to public image etc., which may follow from
unauthorized use of XXX resources.
This policy also establishes procedures for XXXs all firewall administration, determines the
technology standard used by the firewall hardware and software, assigns firewall administration
responsibilities and defines the filters applied to campus networks.

1.3 Scope
This policy applies to all firewalls on XXX networks, whether managed by own or by third parties.
Departures from this policy will be permitted only if approved in advance and in writing by the
IT Div., Infrastructure Services.

1.4 Content Policy

Where Electronic Equipment is used to capture, process or store data identified as XXX
Legally/Contractually Restricted and the Electronic Equipment is accessible via a direct or
indirect Internet connection, a network firewall appropriately installed, configured and
maintained is required.
All installations and implementations of and modifications to a firewall and its configuration and
rule set are the responsibility of the network administrator, with this exception: maintenance of
a network firewall rule set may be performed by other than network administrator where
permitted by head/Incharge of IT infrastructure.
All Network Firewalls installed and implemented must conform to the currently accepted
standards (CIS) as determined by XXX. Unauthorized or non-standard equipment is subject to
immediate removal, confiscation, and/or termination of network connectivity without notice.

1.5 Responsibilities:
The network administrator is primarily responsible for implementing and maintaining the XXXs
firewalls and is also responsible for activities relating to this policy. However one additional
personal must be in line with the primary administrator as contingency plan. Head of IT
infrastructure will be accountable for XXXs all firewall.

1.6 Firewall Standard:

XXX is committed to operate fully supported and maintained resilient enterprise class firewalls
with state full inspection capabilities enabled. In XXX, CIS standard is followed for Firewalls.

1.7 Firewall Change Control:

Request and document all changes to Network Firewall Rule sets where firewall administration
is performed by network administrator of XXX. All requests are subject to the approval of head
of IT infrastructure and review by its designate. Document all changes to network firewall rule

Page 2 of 10
sets where Firewall Administration is performed by other than XXX. Though approval is not
required, all requests are subject to review by XXX. All related documentation is to be retained
by the concern department for three (3) years and is subject to review by XXX and Audit and
Advisory Services.
XXX maintains Change Management Request and Change Control Tracking Form (see attached
examples)

1.8 Review of Firewall/Routers Rules:

Firewall rule sets and configurations require periodic review to ensure they afford the required
levels of protection:
a. XXX must review all firewall rule sets and configurations during the initial
implementation process.
b. Firewall Administrators must retain the results of Firewall reviews and supporting
documentation for a period of three (3) years; all results and documentation are
subject to review by XXX and Audit and Advisory Services.

1.9 Specific Requirements:

1.9.1 Default Deny
All Firewall implementations must adopt the position of "least privilege" and deny all inbound
traffic by default (the initial rule set should be set to logging or learning mode to prevent
service interruptions). The rule set should be opened incrementally to only allow permissible
traffic.

1.9.2 Regular Testing

Because firewalls provide such an important control measure for XXX networks, their strength
and proper configuration must be tested on a regular basis.
This testing process must include consideration of defined configuration parameters, enabled
services, permitted connectivity paths, current administrative practices, and adequacy of the
deployed security measures. These tests must include the regular execution of vulnerability
identification software and the regular performance of penetration tests. These tests must be
performed by technically proficient persons, either by inside peoples or working for a third-party
contractor. Those responsible for either the administration or management of the involved
firewalls must not perform these tests.

1.9.3 Firewall Logs

All changes to firewall configuration parameters, enabled services, and permitted connectivity
paths must be logged. All suspicious activity that might be an indication of either unauthorized
usage or an attempt to compromise security measures also must be logged. The integrity of
these logs must be protected with checksums, digital signatures, encryption, or similar
measures. These logs must be promptly removed from the recording systems and stored in a
physically protected container for at least six months after the time they were recorded. These
logs must be reviewed periodically to ensure that the firewalls are operating in a secure manner.

1.9.4 Firewall Access Mechanism

All firewalls must have unique passwords or other access control mechanisms. The same
password or access control code must not be used on more than one firewall. Whenever
supported by the involved firewall vendor, those who administer firewalls must have their
identity validated through extended user authentication mechanisms. Remote access for firewall
administration is prohibited. All firewall administration activities must take place in person and
on site. Console access and SSH access is only permitted.

1.9.5 Firewall Access Privileges

Privileges to modify the functionality, connectivity, and services supported by firewalls must be
restricted to a few technically-trained individuals with a business need for these same privileges.
Page 3 of 10
Unless permission from the Head of IT Infrastructure has been obtained, these privileges must
be granted only to individuals who are full-time permanent employees of XXX, and not to
temporaries, contractors, consultants, or outsourcing personnel. All firewalls must have at least
two staff members who are adequately trained to make changes, as circumstances require

1.9.6 Firewall Configuration Backup

Firewall rule sets and Configurations must be backed up frequently to alternate storage (not on
the same device). Multiple generations must be captured and retained in order to preserve the
integrity of the data, should restoration be required. Access to rule sets and configurations and
backup media must be restricted to those responsible for administration and review.

1.9.7 Firewall Configuration Synchronization

Firewall startup configuration must be keep synchronize with its running configuration. It will
ensure that after a planned or unplanned reboot the firewall can get the latest configuration to
run.

Page 4 of 10
2 WIRELESS ACCESS POLICY
2.1 Objective
With the mass explosion of Smart Phones and Tablets, pervasive wireless connectivity is almost
a given at any organization. Insecure wireless configuration can provide an easy open door for
malicious threat actors.
The purpose of this policy is to secure and protect the information assets owned by XXX. XXX
provides computer devices, networks, and other electronic information systems to meet
missions, goals, and initiatives. XXX grants access to these resources as a privilege and must
manage them responsibly to maintain the confidentiality, integrity, and availability of all
information assets.

This policy specifies the conditions that wireless infrastructure devices must satisfy to connect
to XXXs network. Only those wireless infrastructure devices that meet the standards specified
in this policy or are granted an exception by the IT Security Department are approved for
connectivity to XXXs network.

2.2 Scope
All employees, vendors, consultants, visitors, temporary and other workers at XXX must adhere
to this policy. This policy applies to all wireless infrastructure devices that connect to XXXs
network or reside on XXX premises or IT facilities that provide wireless connectivity to endpoint
devices including, but not limited to, laptops, desktops, cellular phones, and tablets. This
includes any form of wireless communication device capable of transmitting packet data.

2.3 Policy
2.3.1 General Requirements
All wireless infrastructure devices that reside at XXX sites and connect to XXXs network, or
provide access to information classified as XXXs Confidential, or above must:

Abide by the standards specified in the Wireless Communication Standard.

Be installed, supported, and maintained by an approved support team.
Use XXX approved authentication protocols and infrastructure.
Use XXX approved encryption protocols.
Maintain a hardware address (MAC address) that can be registered and tracked.
Not interfere with wireless access deployments maintained by other support
organizations.

2.4 Policy Compliance

2.4.1 Compliance Measurement
The IT Security team will verify compliance to this policy through various methods, including
but not limited to, periodic walk-throughs, business tool reports, internal and external audits,
and feedback to the policy owner.

2.4.2 Exceptions
Any exception to the policy must be approved by the IT Security team in advance.

2.4.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action.

Page 5 of 10
3 WIRELESS COMMUNICATION STANDARDS
3.1 Purpose
This standard specifies the technical requirements that wireless infrastructure devices must
satisfy to connect to XXXs network. Only those wireless infrastructure devices that meet the
requirements specified in this standard or are granted an exception by the IT Security Team are
approved for connectivity to XXXs network.

3.2 Scope
All employees, vendors, contractors, consultants, temporary and other workers at XXX and its
subsidiaries, including all personnel that maintain a wireless infrastructure device on behalf of
XXX, must comply with this standard. This standard applies to wireless devices that make a
connection to the network and all wireless infrastructure devices that provide wireless
connectivity to the network.

IT Security team must approve exceptions to this standard in advance.

3.3 Standard
3.3.1 General Requirements
All wireless infrastructure devices that connect to a XXX network or provide access to XXXs
Confidential, XXXs restricted information must:

Use Temporal Key Integrity Protocol (TKIP) or Advanced Encryption System (AES)
protocols with a minimum key length of 128 bits.
All Bluetooth devices must use Secure Simple Pairing with encryption enabled.

3.3.2 Isolated Wireless Device Requirements

All Meeting/Conference room/R&D device Service Set Identifier (SSID) must be different
from XXXs production device SSID.
Broadcast of All Meeting/Conference room/R&D device SSID must be disabled.

3.4 Policy Compliance

3.4.1 Compliance Measurement

The IT Security team will verify compliance to this policy through various methods, including
but not limited to, periodic walk-throughs, monitoring, business tool reports, internal and
external audits, and feedback to the policy owner.

3.4.2 Exceptions

Any exception to the policy must be approved by the IT Security Team in advance.

3.4.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action.

Page 6 of 10
4 EMAIL POLICY
4.1 Overview
Electronic email is pervasively used in almost all industry verticals and is often the primary
communication and awareness method within an organization. At the same time, misuse of
email can post many legal, privacy and security risks, thus its important for users to understand
the appropriate use of electronic communications.

4.2 Objective
The purpose of this email policy is to ensure the proper use of XXXs email system and make
users aware of what XXX deems as acceptable and unacceptable use of its email system. This
policy outlines the minimum requirements for use of email within XXX Network.

4.3 Scope
This policy covers appropriate use of any email sent from a XXXs email address or any of its
domains and applies to all employees, vendors, and agents operating on behalf of XXX.

4.4 Policy
All use of email must be consistent with XXXs policies and procedures of ethical conduct,
safety, compliance with applicable laws and proper business practices.
XXXs email account should be used primarily for XXXs business-related purposes;
personal communication is permitted on a limited basis, but non-XXX related commercial
uses are strictly prohibited.
All XXXs data contained within an email message or an attachment must be secured
according to this IT Policy.
Email should be retained only if it qualifies as XXXs business record. Email is XXXs
business record if there exists a legitimate and ongoing business reason to preserve the
information contained in the email.
Email that is identified as XXXs business record shall be retained according to this IT
Policy.
XXXs email system shall not to be used for the creation or distribution of any disruptive
or offensive messages, including offensive comments about race, gender, hair color,
disabilities, age, sexual orientation, pornography, religious beliefs and practice, political
beliefs, or national origin. Employees who receive any emails with this content from any
XXXs employee should report the matter to their supervisor immediately.
Users are prohibited from automatically forwarding XXXs email to a third-party email
system. Individual messages which are forwarded by the user must not contain XXXs
confidential or above information.
Users are prohibited from using third-party email systems and storage servers such as
Google, Yahoo, Hotmail etc. to conduct XXXs business, to create or memorialize any
binding transactions, or to store or retain email on behalf of XXX. Such communications
and transactions should be conducted through proper channels using XXX-approved
documentation.
Sending chain letters or joke emails from a XXXs email account is prohibited.
XXXs employees shall have no expectation of privacy in anything they store, send or
receive on the companys email system.
XXX may monitor messages without prior notice. XXX is not obliged to monitor email
messages.

Page 7 of 10
4.5 Policy Compliance
4.5.1 Compliance Measurement
The IT Security team may verify compliance to this policy through various methods, including
but not limited to, periodic walk-throughs, business tool reports, internal and external audits,
and feedback to the policy owner.

4.5.2 Exceptions
Any exception to the policy must be approved by the IT Security team in advance.

4.5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action.

Page 8 of 10
5 VPN POLICY
5.1 Objective
XXX operates VPN Tunnels to enable connectivity between XXXs Data Center / Disaster
Recovery Centre and Clients, third-parties or off site administrators and support staffs to secure
the path using standard encryption technologies. The purpose of this VPN Policy is to describe
when and how VPN will be used to allow access.

The VPN Policy is subordinate to XXXs IT Policy, as well as any governing laws or regulations.

5.2 Scope
This VPN Policy refers to the Routers and Firewalls used as VPN devices and the technologies
involved in VPN implementations. The role of VPN routers and firewalls are to secure the network
paths between XXX and clients or third parties where applicable in course of enabling services
for them and between XXX IT Infrastructure and administrators and support staffs to allow
remote administration, support and troubleshooting. The network path in scope refers to
connectivity over Internet and private data Networks. The firewall will (at minimum) perform
the following security services:
All employees of XXX are subject to this policy and required to abide by it.

5.3 Responsibilities
IT Division is responsible for implementing and maintaining VPN devices and tunnels, as well as
for enforcing and updating this policy. Logon access to the VPN devices will be restricted to a
primary VPN administrator and one designee. Password construction for VPN devices will be
consistent with the strong password creation practices outlined in XXXs Password Policy.

5.4 Policy
The approach adopted to deny any network connectivity unless a VPN tunnel is established to
secure the path with standard VPN technologies with the following guidelines at a minimum.

Industry Standard encryption methods are to be used.

Any secret key/password construction will be consistent with the strong password
creation practices outlined in XXXs Password Policy.
Any secret key/password configured will be consistent with encryption practices outlined
in XXXs Password Policy.
Split-tunnelling is NOT permitted.
All computers connected to XXX internal networks via VPN or must use the most up-to-
date anti-virus software that is the corporate standard; this includes personal computers.
Remote Access VPN users will be automatically disconnected from XXX's network after
thirty minutes of inactivity.

5.5 Operational Procedures

XXXs Clients or partners or third parties or employees may request to establish VPN
tunnels or to change in existing VPN tunnels. A completed VPN form, with full justification
and duly approved by the concerned Head of Department must be submitted to the IT
Division for final approval.
XXX employees may request access from the Internet/Intranet for accessing resources
located on the internal XXX network. A completed Remote Access VPN form, with full
justification and duly approved by the concerned Head of Department must be submitted
to the IT Division for final approval.

Page 9 of 10
 Upon final approval, IT Division will initiate implementation and will confirm relevant
parties.
VPN sessions will have an absolute timeout length of 86400 seconds. An inactivity
timeout will be set for 3600 seconds. At the end of these timeout periods, users must re-
authenticate to continue or re-establish their VPN connection.

5.6 Enforcement
Wherever possible, technological tools will be used to enforce this policy and mitigate security
risks. Any employee who is found to have violated this policy may be subject to disciplinary
action.

Page 10 of 10