Version: 1.0
Owner: Head of Engineering, CTO
Last Updated On: 31 Jan
Last Updated by: Bruno Belizario
Approved by: Sean Oldfield
Last Review:

Purpose

To ensure the correct and secure operation of information processing systems and facilities.

...

Changes to the organization, business processes, information processing facilities, production software and infrastructure, and systems that affect information security in the production environment and financial systems shall be tested, reviewed, and approved before production deployment. All significant changes to in-scope systems and networks must be documented.

Change management processes shall include:

  • Processes for planning and testing of changes, including remediation measures

  • Documented managerial approval and authorization before proceeding with changes that may have a significant impact on information security, operations, or the production platform

  • Advance communication/warning of changes, including schedules and a description of reasonably anticipated effects, provided to all relevant internal and external stakeholders

  • Documentation of all emergency changes and subsequent review

  • A process for remediating unsuccessful changes

Our change management procedures can be found in the Change Management Policy.

Capacity Management

The use of processing resources and system storage shall be monitored and adjusted to ensure that system availability and performance meet ecoPortal requirements.

...

Vulnerabilities assessed by ecoPortal shall be patched or remediated in the following timeframes:

Determined Severity    Remediation Time
Critical               30 Days
High                   30 Days
Medium                 60 Days
Low                    90 Days
Informational          As needed

Service tickets for any vulnerability which cannot be remediated within the standard timeline must show a risk treatment plan and planned remediation timeline.

...

  • Management of network rules and settings may only be performed by authorized members of the Tech Team, and all changes must comply with change management procedures defined in the Operations Security Policy.

  • Network diagrams must be created and kept current. Significant changes (additions or deletions to VPCs and subnets, new external connections, etc.) must be documented in the diagrams; even if no changes occurred, the diagrams will be reviewed at least annually for completeness and accuracy and approved/acknowledged (in version number/date field, etc.) by authorized members of the Tech Team.

  • In the PRODUCTION ENVIRONMENT, defined rules and configurations must be enforced to control traffic from untrusted networks (e.g. publicly available services) to internal production networks; additionally, rules must be in place to restrict traffic to and from production networks to untrusted networks, and all inbound and outbound traffic must be evaluated by the traffic management configuration.

  • Network control systems must be configured to use default Network Address Translation to prevent the disclosure of internal IP addresses to the Internet. If private IP addresses are used, any disclosure to external parties must be appropriately authorized, documented, and periodically reviewed for business necessity.

  • All network control systems must be configured with default antispoofing rules to block or deny inbound internal addresses originating from the Internet.

  • Network control systems may only allow established connections into the internal network and must deny any inbound connections not associated with a previously established session.

  • External configurations must limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

  • Port and IP ranges are prohibited unless specifically reviewed and justified; all available services must be justified and support secure configurations, and all other ports, services, and network traffic must be specifically denied.

  • Use of insecure services and protocols without justification and documentation of additional security features implemented to mitigate risk is prohibited.

  • Remote access sessions must be configured to enforce timeout after a specified period (1 hour).

  • Remote-access technologies for vendors and business partners that access production systems must be enabled only when needed for business purposes and immediately deactivated after use.