Consistent server installation policies, ownership and configuration management are all about doing the basics well.
This policy establishes the information security requirements that help manage and safeguard Numeraxial's resources and networks by minimizing the exposure of critical infrastructure and information assets to threats that may result from unprotected hosts and unauthorized access.
The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by Numeraxial. Effective implementation of this policy will minimize unauthorized access to Numeraxial proprietary information and technology.
All employees, contractors, consultants, temporary and other workers at Numeraxial and its subsidiaries must adhere to this policy. This policy applies to server equipment that is owned, operated, or leased by Numeraxial or registered under a Numeraxial-owned internal network domain.
This policy specifies requirements for equipment on the internal Numeraxial network. Employees at Numeraxial take security very seriously, and we pride ourselves on making sure we live up to your expectations for protecting your sensitive application and data.
At Numeraxial LLC, responsibility for security falls to the following employees and divisions:
Network administrators: These are the employees charged with maintaining the network Web servers and ensuring that those servers are kept current with the latest security patches and antivirus definitions.
Application developers: Along with the network administrators, the application developers are charged with following all best practices in secure programming and with using the security features of the Web servers within the code they write.
Application architect: These individuals are responsible for overseeing the entire application development process and for completing and managing the security policy, the associated documentation, and the change control policies involved in application development.
Clear instructions on the specific individuals with authorization to access specific secure zones within Numeraxial's main building, or whichever location the servers reside in, are conspicuously posted.
All Numeraxial employees should be proactive about monitoring access to the restricted zones.
Access to restricted zones for repairs or delivery should be minimized, and those entrants should understand Numeraxial confidentiality requirements.
Any support contract that involves onsite, non-Numeraxial personnel should include standard verbiage on privacy, confidentiality, and security.
Upon termination of an employee for any cause, removal of access to electronic systems will be immediately enforced.
As a responsible developer and server administrator, Numeraxial takes all necessary steps to keep your servers and workstations properly updated with the latest antivirus definition files and security patches.
Definition of patch management: The Numeraxial LLC network is composed of computers (both client and network server machines) running a wide variety of software products from a range of vendors. Attempts are frequently made to identify and exploit security holes in many of those products. Many software vendors therefore release periodic lists of identified security holes and corresponding patches (that is, fixes) for these holes. The Numeraxial LLC Network Security Manager / Network Administrator will be charged with monitoring these periodic lists, as well as communications from other security organizations, to determine whether they affect the network computing infrastructure.
Procedures for addressing infected/compromised machines: When a computer has been identified as compromised, the antivirus and security logs of that machine will be examined to determine the severity of the compromise. If, for example, the antivirus software has quarantined the infected file(s), this may be taken to indicate that the threat has been contained; however, if the antivirus software has not quarantined the files, this implies the potential for wider contamination, and the affected machine will be completely removed from the Numeraxial LLC network. In the worst-case scenario (that is, multiple servers infected), the machines will be immediately taken offline, and the directives in the Backup and Disaster Recovery section will be immediately implemented.
No one likes to think about having to restore a network (and the sensitive data contained within it) after a disaster; unfortunately, having to carry out this type of action plan is a common occurrence. During the time frame when the service was offline, the ISP still managed to communicate the situation, both through an outside source and by keeping regular update messages on its outgoing voicemail system. As the provider came back online and restored regular e-mail service, it did a terrific job of clearly communicating to its customers the extent of the damage, as well as giving insights into the very effective disaster recovery plan the ISP had in place. (The ISP had an offsite backup data center from which it could restore all sensitive data.)
All internal servers deployed at Numeraxial must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by Numeraxial. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by Numeraxial. The following items must be met:
For security, compliance, and maintenance purposes, authorized personnel may monitor and audit equipment, systems, processes, and network traffic per the Audit Policy.
Operating System configuration should be in accordance with approved Numeraxial guidelines.
Services and applications that will not be used must be disabled where practical.
Access to services should be logged and/or protected through access-control methods such as a web application firewall, if possible.
The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication is sufficient.
Always use standard security principles of least required access to perform a function. Do not use root when a non-privileged account will do.
If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).
Servers should be physically located in an access-controlled environment.
Servers are specifically prohibited from operating from uncontrolled cubicle areas.
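As an added example (not Numeraxial's own tooling), the following Python check scores constructed server inventory records against the configuration items listed above: owning group, unused services disabled, patch currency with an approved-exception path, secure channels for privileged access, controlled physical location, logging, and avoidance of trust relationships. The approved-service baseline, the 30-day patch window and the record field names are assumptions.

```python
# Constructed compliance check for the server configuration standards above.
# Baseline values and record fields are assumptions, not Numeraxial's own.
from datetime import date

APPROVED_SERVICES = {"sshd", "httpd", "rsyslog"}  # assumed approved baseline
PATCH_DEADLINE_DAYS = 30                          # assumed "as soon as practical"
SECURE_ADMIN_CHANNELS = {"ssh", "ipsec"}          # the channels the policy names


def check_server(rec, today):
    """Return the list of policy findings for one record (empty = compliant)."""
    findings = []
    if not rec.get("owner_group"):
        findings.append("no owning operational group")
    extra = set(rec["enabled_services"]) - APPROVED_SERVICES
    if extra:
        findings.append(f"unapproved services enabled: {sorted(extra)}")
    age = (today - rec["last_patched"]).days
    if age > PATCH_DEADLINE_DAYS and not rec.get("patch_exception_approved"):
        findings.append(f"patches {age} days old without approved exception")
    insecure = set(rec["admin_channels"]) - SECURE_ADMIN_CHANNELS
    if insecure:
        findings.append(f"privileged access over insecure channel: {sorted(insecure)}")
    if rec["location"] != "controlled":
        findings.append("server not in an access-controlled environment")
    if not rec["security_logging"]:
        findings.append("security event logging disabled")
    if rec.get("trust_relationships"):
        findings.append(f"trust relationships present: {rec['trust_relationships']}")
    return findings


def audit(inventory, today):
    """Map each host name to its findings."""
    return {r["host"]: check_server(r, today) for r in inventory}


# Constructed inventory: one compliant host and one with several violations.
INVENTORY = [
    {"host": "db01", "owner_group": "platform", "enabled_services": ["sshd", "rsyslog"],
     "last_patched": date(2024, 3, 1), "admin_channels": ["ssh"],
     "location": "controlled", "security_logging": True},
    {"host": "web02", "owner_group": "", "enabled_services": ["sshd", "httpd", "telnetd"],
     "last_patched": date(2024, 1, 1), "patch_exception_approved": False,
     "admin_channels": ["ssh", "telnet"], "location": "cubicle",
     "security_logging": False, "trust_relationships": ["db01"]},
]

if __name__ == "__main__":
    for host, findings in audit(INVENTORY, date(2024, 3, 20)).items():
        print(host, "compliant" if not findings else findings)
```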
All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:
Security-related events will be reported to Numeraxial, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:
The Numeraxial team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Any exception to the policy must be approved by the Numeraxial team in advance.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.