Version | 1.0 |
Owner | Head of Engineering |
Last Updated On | 31 Jan |
Last Updated by | |
Approved by | |
...
Management of network rules and settings may only be performed by authorized members of the Tech Team, and all changes must comply with the change management procedures defined in the Operations Security Policy.
Network diagrams must be created and kept current. Significant changes (additions or deletions of VPCs and subnets, new external connections, etc.) must be documented in the diagrams. Even if no changes occurred, the diagrams will be reviewed at least annually for completeness and accuracy and approved/acknowledged (e.g. in the version number/date fields) by authorized members of the Tech Team.
In the PRODUCTION ENVIRONMENT, defined rules and configurations must be enforced to control traffic from untrusted networks (e.g. publicly available services) to internal production networks; additionally, rules must be in place to restrict traffic between production networks and untrusted networks, and all inbound and outbound traffic must be evaluated by the traffic management configuration.
Network control systems must be configured to use default Network Address Translation to prevent the disclosure of internal IP addresses to the Internet. If private IP addresses are used, any disclosure to external parties must be appropriately authorized, documented, and periodically reviewed for business necessity.
All network control systems must be configured with default antispoofing rules that block or deny inbound traffic arriving from the Internet with an internal (private) source address.
Network control systems may only allow established connections into the internal network and must deny any inbound connections not associated with a previously established session.
External configurations must limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
Port and IP ranges are prohibited unless specifically reviewed and justified; all available services must be justified and support secure configurations, and all other ports, services, and network traffic must be specifically denied.
Use of insecure services and protocols without justification and documentation of additional security features implemented to mitigate risk is prohibited.
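The rule requirements above can be checked mechanically. The following is an added example, not part of this policy or of any Tech Team tooling: a small Python audit over a constructed, vendor-neutral rule list for the Internet-facing interface that flags missing antispoofing denies, new inbound connections that are not a documented public service, unjustified port ranges, insecure services without a documented mitigation, and a missing final deny-all. The rule dictionary format and the documentation flags (`justified`, `public_service`, `mitigation`) are assumptions made for this example.

```python
import ipaddress

# Assumed rule format for this example (not any vendor's syntax): an ordered
# list of dicts for the external interface, evaluated top to bottom.
#   action: "allow" | "deny"; src: CIDR or "any"; dport: int, "lo-hi" or "any";
#   state: "new" | "established"; optional flags: justified, public_service, mitigation
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INSECURE = {21: "ftp", 23: "telnet", 69: "tftp"}  # cleartext services needing justification


def audit(rules):
    """Return a list of policy findings; an empty list means the ruleset complies."""
    findings, covered = [], set()
    for i, r in enumerate(rules):
        src, port = r.get("src", "any"), r.get("dport", "any")
        if r["action"] == "deny" and src != "any":
            # A deny on a private source range is the antispoofing control.
            net = ipaddress.ip_network(src)
            covered.update(n for n in INTERNAL if n.subnet_of(net))
        if r["action"] != "allow":
            continue
        if isinstance(port, str) and "-" in port and not r.get("justified"):
            findings.append(f"rule {i}: port range {port} not reviewed/justified")
        if r.get("state", "new") == "new" and not r.get("public_service"):
            findings.append(f"rule {i}: new inbound connection to port {port} "
                            "is not an authorized public service")
        if port in INSECURE and not r.get("mitigation"):
            findings.append(f"rule {i}: insecure service {INSECURE[port]} "
                            "without documented mitigation")
    for n in INTERNAL:
        if n not in covered:
            findings.append(f"no antispoofing deny for internal range {n}")
    last = rules[-1] if rules else {}
    if not (last.get("action") == "deny" and last.get("src", "any") == "any"
            and last.get("dport", "any") == "any"):
        findings.append("ruleset does not end with an explicit deny-all")
    return findings


# Constructed sample: a ruleset with several violations of the policy above.
SAMPLE_RULES = [
    {"action": "allow", "state": "established"},                 # return traffic only
    {"action": "allow", "dport": 443, "state": "new", "public_service": "web"},
    {"action": "allow", "dport": "8000-9000", "state": "new"},   # unjustified range
    {"action": "allow", "dport": 23, "state": "new", "public_service": "legacy"},
    {"action": "deny", "src": "10.0.0.0/8"},                     # 172.16/12 is missing
    {"action": "deny", "src": "192.168.0.0/16"},
    {"action": "deny"},                                          # deny-all
]

# Constructed sample: antispoofing first, established return traffic, one
# documented public service, then deny-all; produces no findings.
COMPLIANT_RULES = [
    {"action": "deny", "src": "10.0.0.0/8"},
    {"action": "deny", "src": "172.16.0.0/12"},
    {"action": "deny", "src": "192.168.0.0/16"},
    {"action": "allow", "state": "established"},
    {"action": "allow", "dport": 443, "state": "new", "public_service": "web"},
    {"action": "deny"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f)
```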
Remote access sessions must be configured to enforce a timeout after a specified period (1 hour).
Remote-access technologies for vendors and business partners that access production systems must be enabled only when needed for business purposes and immediately deactivated after use.