Numeraxial Security Policy

Section 1: Security Policy

Overview

Consistent server installation policies, ownership and configuration management are all about doing the basics well.


Purpose

This policy establishes the information security requirements for managing and safeguarding Numeraxial resources and networks. It aims to minimize the exposure of critical infrastructure and information assets to threats that arise from unprotected hosts and unauthorized access.

It also establishes standards for the base configuration of internal server equipment that is owned and/or operated by Numeraxial. Effective implementation of this policy will minimize unauthorized access to Numeraxial proprietary information and technology.


Scope

All employees, contractors, consultants, temporary and other workers at Numeraxial and its subsidiaries must adhere to this policy. This policy applies to server equipment that is owned, operated, or leased by Numeraxial or registered under a Numeraxial-owned internal network domain.

This policy specifies requirements for equipment on the internal Numeraxial network. Numeraxial takes security seriously and is committed to protecting the sensitive applications and data entrusted to it.


Section 2: Identification of Responsible Security Personnel

At Numeraxial LLC, responsibility for security falls to the following employees and divisions:

  • Network administrators: These employees are charged with maintaining the network and Web servers and ensuring that those servers are kept current with the latest security patches and antivirus definitions.

  • Application developers: Along with the network administrators, the application developers are charged with following secure programming best practices and making use of the security features of the Web servers in the code they write.

  • Application architect: These individuals are responsible for overseeing the entire application development process and for completing and managing the security policy, its associated documentation, and the change control policies involved in application development.


Section 3: Ensuring Physical Security

Clear instructions naming the specific individuals authorized to access each secure zone within the Numeraxial main building, or any other location where servers reside, are conspicuously posted.
All Numeraxial employees should be proactive about monitoring access to the restricted zones.
Access to restricted zones for repairs or deliveries should be minimized, and those entrants should understand Numeraxial confidentiality requirements.
Any support contract that involves onsite, non-Numeraxial personnel should include standard verbiage on privacy, confidentiality, and security.
Upon termination of an employee for any cause, removal of access to electronic systems will be enforced immediately.


Section 4: Policy on Antivirus and Patch Management

As a responsible developer and server administrator, Numeraxial takes all necessary steps to keep servers and workstations properly updated with the latest antivirus definition files and security patches.

Definition of patch management: The Numeraxial LLC network is composed of computers (both client and network server machines) running a wide variety of software products from a range of vendors. Attempts are frequently made to identify and exploit security holes in many of those products. Many software vendors therefore release periodic lists of identified security holes and corresponding patches (that is, fixes) for those holes. The Numeraxial LLC Network Security Manager / Network Administrator will be charged with monitoring these periodic lists, as well as communications from other security organizations, to determine whether the reported holes affect the Numeraxial network computing infrastructure.

Procedures for addressing infected/compromised machines: When a computer has been identified as compromised, the antivirus and security logs of that machine will be examined to determine the severity of the compromise. If, for example, the antivirus software has quarantined the infected file(s), this may indicate that the threat has been contained; however, if the antivirus software has not quarantined the files, the potential for wider contamination must be assumed and the affected machine will be completely removed from the Numeraxial LLC network. In the worst-case scenario (that is, multiple servers infected), the machines will be taken offline immediately, and the directives in the Backup and Disaster Recovery section will be implemented immediately.


Section 5: Backup and Disaster Recovery

No one likes to think about having to restore a network (and the sensitive data contained within it) after a disaster; unfortunately, having to execute such a plan is a common occurrence. One illustrative case is an ISP whose e-mail service went offline. During the time the service was offline, the ISP still managed to communicate the situation, both through an outside source and by keeping regular update messages on its outgoing voicemail system. As the provider came back online and restored regular e-mail service, it did a terrific job of clearly communicating to its customers the extent of the damage, as well as giving insights into the very effective disaster recovery plan the ISP had in place. (The ISP had an offsite backup data center from which it could restore all sensitive data.)


Section 6: Server Security Policy

Policy
General Requirements:

All internal servers deployed at Numeraxial must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by Numeraxial. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by Numeraxial. The following items must be met:

  • Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact:
    • Server contact(s) and location, and a backup contact
    • Hardware and Operating System/Version
    • Main functions and applications, if applicable
  • Information in the corporate enterprise management system must be kept up-to-date.
  • Configuration changes for production servers must follow the appropriate change management procedures.

For security, compliance, and maintenance purposes, authorized personnel may monitor and audit equipment, systems, processes, and network traffic per the Audit Policy.

Configuration Requirements

Operating System configuration should be in accordance with approved Numeraxial guidelines.
Services and applications that will not be used must be disabled where practical.
Access to services should be logged and/or protected through access-control methods such as a web application firewall, where possible.
The most recent security patches must be installed on the system as soon as practical; the only exception is when immediate application would interfere with business requirements.
Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication is sufficient.
Always apply the standard security principle of least required access to perform a function. Do not use root when a non-privileged account will do.
Where a secure channel is technically feasible, privileged access must be performed over it (e.g., encrypted network connections using SSH or IPsec).
Servers should be physically located in an access-controlled environment.
Servers are specifically prohibited from operating from uncontrolled cubicle areas.
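As an added example (not Numeraxial's own tooling and not part of this policy), the Python script below checks two of the requirements above against constructed inputs: it compares a server's listening sockets to an allowlist of approved services, and it parses an sshd_config to verify that direct root login is disabled and that SSH logins are restricted to named users or groups. The allowlist, the sshd settings it demands (PermitRootLogin no, PasswordAuthentication no, an AllowUsers/AllowGroups line) and the sample configurations are assumptions standing in for the "approved Numeraxial guidelines", which this page does not enumerate.

```python
"""Server-configuration compliance check.

Added example: this is not Numeraxial's tooling.  The required values below are
assumptions standing in for the approved configuration guidelines that the
policy refers to but does not list.
"""
from __future__ import annotations

import re

# Assumed guideline values: sshd keyword -> acceptable values (lower-case).
REQUIRED_SSHD = {
    "permitrootlogin": {"no"},         # do not use root when a non-privileged account will do
    "passwordauthentication": {"no"},  # assumption: privileged access with keys only
}
# Assumed guideline: at least one of these must restrict who may log in over SSH.
ACCESS_RESTRICTION_KEYS = ("allowusers", "allowgroups")

# Assumed allowlist of (protocol, port) pairs a web server is approved to expose.
APPROVED_LISTENERS = {("tcp", 22), ("tcp", 443)}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return keyword -> value from an sshd_config, keys lower-cased.

    Mirrors sshd semantics: comment lines are ignored, 'Key value' and
    'Key=value' are both accepted, and the FIRST value given for a keyword
    wins.  Parsing stops at the first Match block, because settings inside it
    are conditional and cannot be judged as global policy.
    """
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def check_sshd_config(text: str) -> list[str]:
    """Findings for one sshd_config; an empty list means compliant."""
    conf = parse_sshd_config(text)
    findings = []
    for key, ok_values in REQUIRED_SSHD.items():
        value = conf.get(key)
        if value is None:
            findings.append(f"{key}: not set, sshd default applies; set it explicitly")
        elif value.lower() not in ok_values:
            findings.append(f"{key}: is '{value}', expected one of {sorted(ok_values)}")
    if not any(k in conf for k in ACCESS_RESTRICTION_KEYS):
        findings.append("no AllowUsers/AllowGroups: every local account may attempt SSH login")
    return findings


def unapproved_listeners(listening, approved=APPROVED_LISTENERS) -> list[str]:
    """Listening services that are not on the approved list.

    `listening` is a list of (protocol, port, process) tuples, as one would
    build from the output of `ss -lntup` on the host.
    """
    return [f"{proto}/{port} ({proc})"
            for proto, port, proc in listening
            if (proto, port) not in approved]


# Constructed samples (not captured from any real host).
WEAK_SSHD = """
# weak: root may log in with a password, and any account may try
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

HARDENED_SSHD = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
# conditional exception below is NOT evaluated by the global check
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

LISTENING = [("tcp", 22, "sshd"), ("tcp", 443, "nginx"),
             ("tcp", 21, "vsftpd"), ("udp", 161, "snmpd")]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD), ("hardened", HARDENED_SSHD)):
        print(name, "->", check_sshd_config(cfg) or "compliant")
    print("not approved:", unapproved_listeners(LISTENING))
```

The check deliberately stops at the first Match block: anything inside it (such as the conditional PasswordAuthentication yes in the hardened sample) applies only to matching clients and has to be reviewed by hand, since a permissive Match can quietly undo the global settings.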

Monitoring

All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:

  • All security related logs will be kept online for a minimum of 1 week.
  • Daily incremental tape backups will be retained for at least 1 month.
  • Weekly full tape backups of logs will be retained for at least 1 month.
  • Monthly full backups will be retained for a minimum of 2 years.

Security-related events will be reported to Numeraxial, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:

  • Port-scan attacks.
  • Evidence of unauthorized access to privileged accounts.
  • Anomalous occurrences that are not related to specific applications on the host.
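As an added example (not Numeraxial's own detection tooling), the Python script below applies the first two event classes above to constructed log lines: it reports a port scan when one source address hits many distinct destination ports within a short window of iptables-style firewall log lines, and it reports privileged-account access from sshd and sudo auth-log lines when root logs in directly or when a user outside an assumed administrator list escalates to root. The log formats, the administrator list and the thresholds (10 distinct ports within 60 seconds) are assumptions, not values taken from this policy.

```python
"""Detection of two security-related events from the Monitoring section.

Added example, not Numeraxial tooling.  Log lines are constructed in syslog
style (iptables LOG target for the firewall, sshd/sudo for auth), and the
thresholds and administrator list are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed detection parameters.
SCAN_WINDOW_SECONDS = 60
SCAN_MIN_DISTINCT_PORTS = 10
ADMINS = {"alice"}  # assumed list of accounts approved to become root

# iptables LOG lines carry "SRC=a.b.c.d DST=... PROTO=TCP SPT=n DPT=m".
FW_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_ts(line: str) -> datetime:
    """Syslog timestamp 'Mon DD HH:MM:SS' (no year; adequate for relative windows)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def detect_port_scans(lines, window=SCAN_WINDOW_SECONDS, min_ports=SCAN_MIN_DISTINCT_PORTS):
    """Return [(src, peak_distinct_ports)] for sources that exceed the threshold.

    Per source, a sliding time window over its firewall hits tracks how many
    distinct destination ports were touched; the peak count is reported when
    any window reaches min_ports.
    """
    by_src = defaultdict(list)
    for line in lines:
        m = FW_RE.search(line)
        if m:
            by_src[m["src"]].append((parse_ts(line), int(m["dpt"])))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        in_window: Counter = Counter()
        left, peak = 0, 0
        for t, port in events:
            in_window[port] += 1
            while (t - events[left][0]).total_seconds() > window:  # evict old hits
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            alerts.append((src, peak))
    return alerts


def detect_privileged_access(lines, admins=ADMINS):
    """Return alerts for direct root logins and unapproved escalation to root."""
    alerts = []
    for line in lines:
        m = SSH_RE.search(line)
        if m and m["user"] == "root":
            alerts.append(f"direct root SSH login ({m['method']}) from {m['ip']}")
            continue
        m = SUDO_RE.search(line)
        if m and m["target"] == "root" and m["user"] not in admins:
            alerts.append(f"non-admin {m['user']} ran as root: {m['cmd']}")
    return alerts


# Constructed sample logs (not captured from any real system).
def _fw(ts, src, dpt):
    return f"{ts} fw kernel: DROP IN=eth0 SRC={src} DST=10.0.0.7 PROTO=TCP SPT=40000 DPT={dpt}"

FIREWALL_LOG = (
    # one source sweeping ports 20..35 within 16 seconds
    [_fw(f"Mar 10 14:02:{i:02d}", "203.0.113.5", 20 + i) for i in range(16)]
    # a legitimate client retrying SSH a minute apart
    + [_fw(f"Mar 10 14:0{j}:00", "198.51.100.9", 22) for j in (1, 2, 3)]
)

AUTH_LOG = [
    "Mar 10 14:05:01 srv sshd[2210]: Accepted publickey for alice from 10.0.0.20 port 50111 ssh2",
    "Mar 10 14:05:30 srv sshd[2215]: Accepted password for root from 203.0.113.5 port 50120 ssh2",
    "Mar 10 14:06:02 srv sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar 10 14:06:40 srv sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
]

if __name__ == "__main__":
    print("port scans:", detect_port_scans(FIREWALL_LOG))
    for alert in detect_privileged_access(AUTH_LOG):
        print("privileged access:", alert)
```

The scan detector keys on distinct destination ports per source rather than raw hit counts, so a single client retrying one service (the 198.51.100.9 lines) does not trip it; the privileged-access check treats any successful root SSH login as reportable regardless of who holds the key, in line with the requirement above not to use root when a non-privileged account will do.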

Policy Compliance
Compliance Measurement

The Numeraxial team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Exceptions

Any exception to the policy must be approved by the Numeraxial team in advance.

Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.