NETWORKING & HARDWARE
FIREWALL & NETWORK CONNECTIVITY
● All network endpoints are protected by a firewall that meets the
following criteria:
○ Performs Stateful Packet Inspection (“SPI”).
○ Supported VPN Encryption is 256-bit in strength.
○ Physical hardware and operating system maintain
support via the manufacturer or distributors.
● WiFi Access Points meet the following criteria:
○ Capable of segmentation with multiple SSIDs.
○ Publicly (non-employee / contractor) accessible WiFi is
segmented from the development network and is
bandwidth throttled.
○ WPA2 Encryption Standard is supported and appropriate
password is enforced.
○ WiFi Protected Setup (“WPS”) is disabled.
● When connecting to WiFi networks outside of the office all
network connections will be treated as “insecure by default”.
Care should be taken to only use encrypted channels to
transmit sensitive information.
○ When using a web browser, this is indicated by the HTTPS
prefix and, typically, a green or gold padlock icon.
○ Certificate warnings should be taken seriously, and when
present the underlying connection should be considered
insecure.
Information Security Policy for Via TRM 2
PHYSICAL SYSTEMS DISPOSAL
● Electronic Data Disposal Policy
○ All computer systems, electronic devices and electronic
media are properly cleaned of sensitive data and software
before being transferred outside of Via TRM either as
surplus property or as trash.
○ Computer hard drives are sanitized by using software that
is compliant with Department of Defense standards.
○ Non-rewritable media, such as CDs or non-usable hard
drives, is physically destroyed. The primary responsibility
for sanitizing computer systems, electronic devices and
media rests with the units that purchase them.
REMOVABLE MEDIA POLICY
● Removable Media Policy
○ Inappropriate use of removable data storage media
results in malware infections and loss of sensitive
information. The purpose of this policy is to establish
standards of secure use for removable data storage
media where sensitive data is involved, and to protect the
campus network from malicious software.
○ This standard applies to all Via TRM system and network
users with regard to removable media including floppy
disks, USB drives, CDs, DVDs, and any other physical
media available, used to transport or store data.
○ Users will ensure that the removable data storage
medium is free from malicious software before using
it. (Removable storage media needs to be scanned for
any malicious software using standard antivirus software
having the latest updates before using it.)
○ Users will refrain from storing confidential data on
removable storage media whenever possible. In case it
is absolutely required for business purposes, information
needs to be stored in encrypted format.
○ Users will ensure that the removable storage device is
physically secure.
○ When removable media is no longer needed, proper
disposal techniques will be employed (see Electronic Data
Disposal Policy).
ENCRYPTION STANDARDS FOR COMPUTING SYSTEMS
● All devices used to process or store data utilize full-device
encryption.
○ Mac OS X: FileVault 2 must be enabled. The recovery key
must not be stored with Apple or in any electronic format.
It will be recorded on paper and stored in a secure
location (Bank Safety Deposit Box).
○ PC: The device must support FIPS 140-2 (Windows
BitLocker is approved) and must require a passcode
during the boot process to decrypt the boot drive.
○ External devices: Encryption is used for all data. For this
reason, a secure cloud provider (see “Cloud / SAS
Providers & Data Confidentiality”) will be utilized for data
sharing instead of physical devices such as USB memory
sticks.
EMAIL
● Email is not an acceptable means of transferring data to another
user or entity.
○ Acceptable alternates would include hightail.com and
fileshare.com.
○ Any third party interaction with the email system (Google
Apps Marketplace, plug-ins to Outlook, etc) must meet the
stated encryption and SSL requirements as specified for
storage and network connectivity.
○ De-identified (obfuscated) client data is not considered
sensitive and may be shared via email in an unencrypted
format.
○ In all cases the transfer connection is required to be
encrypted with modern cryptography (TLS 1.2).
○ Sensitive Personal Information or PHI Data may never be
sent via email.
ANTIVIRUS APPLICATIONS
● Antivirus products are used on all applicable systems.
○ Mac OS X: Webroot SecureAnywhere.
○ Windows: Microsoft Security Essentials, Webroot
SecureAnywhere.
MULTIFACTOR AUTHENTICATION
● Where possible, two-factor authentication will be used.
● This is not required, but provides an additional layer of
protection against unauthorized access.
BACKUP & DISASTER RECOVERY
● All data is backed up where practical.
○ This is not required for short-term transient data, but all
data that is intended to be available for long-term
retrieval is stored in at least two places.
○ Most cloud providers provide utilities that retain a “local”
copy of cloud data, such as Google Drive Sync or Box
Sync. These are sufficient to safeguard against device
failure, but care must still be taken to protect against
accidental deletion.
○ A separate, dedicated backup service (to provide
incremental checkpoints) is in place.
○ All backups of sensitive data must also be considered
sensitive data.
○ Local backups (from Time Machine or a local version of
CrashPlan as examples) must also maintain the same
level of encryption as the host system.
○ See attached Disaster Recovery Plan for additional
information regarding Via TRM software.
SOFTWARE PATCHING & OPERATING SYSTEM VERSIONING
● All devices used must use a currently supported Operating
System, and must be patched.
● In general, Apple products are considered obsolete after five
years, and Microsoft products are considered obsolete after
seven years.
● Apple: Please consult the Apple vintage and obsolete product
list at http://support.apple.com/kb/HT1752.
● Microsoft: Please consult the Microsoft Products Support
Lifecycle Policy at http://support.microsoft.com/gp/lifeselect.
● For all others, please consult your device manufacturer.
CLOUD / SAS PROVIDERS & DATA CONFIDENTIALITY
● Any cloud services used should have terms of service ensuring
data confidentiality and provide a business associate
agreement (“BAA”).
● Any cloud providers that require a license be granted to them
(for any purpose) or that claim ownership of uploaded content
are not acceptable, and must not be used.
● Many video and photo sharing services such as Vimeo, YouTube,
Instagram, &c. include compulsory licensing clauses and are not
acceptable.
DEVELOPMENT PRACTICES (VIA GITHUB)
● A branch is created with a descriptive name to test new code.
● Comments are added to the branch and tracked.
● A pull request is made and code is reviewed and edits are
pushed to the branch.
● Changes are deployed and merged with the master branch.
● Code must pass through Continuous Integration and automated
tests before deploying to staging, quality assurance, or
production.