Example of IT Lab security policy

1. Purpose

This policy establishes the information security requirements to help manage and safeguard lab resources and XXX’s networks by minimizing the exposure of critical infrastructure and information assets to threats that may result from unprotected hosts and unauthorized access.

2. Scope

All employees, contractors, consultants, temporary and other workers at XXX and its subsidiaries must adhere to this policy. This policy applies to XXX-owned and managed labs, including labs outside the corporate firewall (DMZ).

3. Policy

3.1 General Requirements

  1. Lab owning organizations are responsible for assigning lab managers, a point of contact (POC), and a back-up POC for each lab. Lab owners must maintain up-to-date POC information with IT and the Corporate Enterprise Management Team. Lab managers or their backup must be available around-the-clock for emergencies; otherwise, actions will be taken without their involvement.
  2. Lab managers are responsible for the security of their labs and the lab’s impact on the corporate production network and any other networks. Lab managers are responsible for adherence to this policy and associated processes. Where policies and procedures are undefined, lab managers must do their best to safeguard XXX from security vulnerabilities.
  3. Lab managers are responsible for the lab’s compliance with all XXX security policies.
  4. The Lab Manager is responsible for controlling lab access. Access to any given lab will only be granted by the lab manager or designee, to those individuals with an immediate business need within the lab, either short-term or as defined by their ongoing job function. This includes continually monitoring the access list to ensure that those who no longer require access to the lab have their access terminated.
  5. All user passwords must comply with XXX’s Password Policy.
  6. Individual user accounts on any lab device must be deleted within three (3) days when no longer authorized. Group account passwords on lab computers (Unix, Windows, etc.) must be changed quarterly (once every 3 months).
  7. PC-based lab computers must have XXX’s standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. Lab Admins/Lab Managers are responsible for creating procedures that ensure anti-virus software is run at regular intervals, and computers are verified as virus-free.
  8. Any activities with the intention to create and/or distribute malicious programs into XXX’s networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited, in accordance with the Acceptable Use Policy.
  9. No lab shall provide production services. Production services are defined as ongoing and shared business critical services that generate revenue streams or provide customer capabilities.
  10. In accordance with the Data Classification Policy, information that is marked as Highly Confidential or Restricted is prohibited on lab equipment.
  11. Immediate access to equipment and system logs must be granted to members of IT and the Network Support Organization upon request, in accordance with the Audit Policy.
  12. IT will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified.

3.2 Internal Lab Security Requirements

  1. The Network Support Organization must maintain a firewall device between the corporate production network and all lab equipment.
  2. The Network Support Organization reserves the right to interrupt lab connections that impact the corporate production network negatively or pose a security risk.
  3. The Network Support Organization must record all lab IP addresses, which are routed within XXX’s networks, in the Enterprise Address Management database along with current contact information for that lab.
  4. Any lab that wants to add an external connection must provide a diagram and documentation to IT with business justification, the equipment, and the IP address space information. IT will review for security concerns and must approve before such connections are implemented.
  5. All traffic between the corporate production and the lab network must go through a Network Support Organization maintained firewall. Lab network devices (including wireless) must not cross-connect the lab and production networks.
  6. Original firewall configurations and any changes thereto must be reviewed and approved by IT. IT may require security improvements as needed.
  7. Labs are prohibited from engaging in port scanning, network auto-discovery, traffic spamming/flooding, and other similar activities that negatively impact the corporate network and/or non-XXX networks. These activities must be restricted within the lab.
  8. Traffic between production networks and lab networks, as well as traffic between separate lab networks, is permitted based on business needs and as long as the traffic does not negatively impact other networks. Labs must not advertise network services that may compromise production network services or put lab confidential information at risk.
  9. IT reserves the right to audit all lab-related data and administration processes at any time, including but not limited to, inbound and outbound packets, firewalls and network peripherals.
  10. Lab owned gateway devices are required to comply with all XXX’s product security advisories and must authenticate against the Corporate Authentication servers.
  11. The enable password for all lab owned gateway devices must be different from all other equipment passwords in the lab. The password must be in accordance with XXX’s Password Policy. The password will only be provided to those who are authorized to administer the lab network.
  12. In labs where non-XXX personnel have physical access (e.g., training labs), direct connectivity to the corporate production network is not allowed. Additionally, no confidential information can reside on any computer equipment in these labs. Connectivity for authorized personnel from these labs can be allowed to the corporate production network only if authenticated against the Corporate Authentication servers, temporary access lists (lock and key), SSH, client VPNs, or similar technology approved by IT.
  13. Lab networks with external connections are prohibited from connecting to the corporate production network or other internal networks through a direct connection, wireless connection, or other computing equipment.

3.3 Lab Anti-Virus Policy

All XXX PC-based lab computers must have XXX’s standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. Lab Admins/Lab Managers are responsible for creating procedures that ensure anti-virus software is run at regular intervals, and computers are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into XXX’s networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited, in accordance with the Acceptable Use Policy.

3.4 DMZ Lab Security Requirements

3.4.1 Ownership and Responsibilities

  1. All new DMZ Labs must present a business justification with sign-off at the business unit Vice President level. The IT Team must keep the business justifications on file.
  2. Lab owning organizations are responsible for assigning lab managers, a point of contact (POC), and a back-up POC for each lab. The lab owners must maintain up-to-date POC information with the IT Team [and the corporate enterprise management system, if one exists]. Lab managers or their backup must be available around-the-clock for emergencies.
  3. Changes to the connectivity and/or purpose of existing DMZ Labs and establishment of new DMZ Labs must be requested through a XXX Network Support Organization and approved by the IT Team.
  4. All ISP connections must be maintained by a XXX Network Support Organization.
  5. A Network Support Organization must maintain a firewall device between the DMZ Lab(s) and the Internet.
  6. The Network Support Organization and the IT Team reserve the right to interrupt lab connections if a security concern exists.
  7. The DMZ Lab will provide and maintain network devices deployed in the DMZ Lab up to the Network Support Organization point of demarcation.
  8. The Network Support Organization must record all DMZ Lab address spaces and current contact information [in the corporate enterprise management system, if one exists].
  9. The DMZ Lab Managers are ultimately responsible for their DMZ Labs complying with this policy.
  10. Immediate access to equipment and system logs must be granted to members of the IT Team and the Network Support Organization upon request, in accordance with the Audit Policy.
  11. Individual lab accounts must be deleted within three (3) days when access is no longer authorized. Group account passwords must comply with the Password Policy and must be changed within three (3) days from a change in the group membership.
  12. The IT Team will address non-compliance waiver requests on a case-by-case basis.

3.4.2 General Configuration Requirements

  1. Production resources must not depend upon resources on the DMZ Lab networks.
  2. DMZ Labs must not be connected to XXX’s corporate internal networks, either directly or via a wireless connection.
  3. DMZ Labs should be in a physically separate room from any internal networks. If this is not possible, the equipment must be in a locked rack with limited access. In addition, the Lab Manager must maintain a list of who has access to the equipment.
  4. Lab Managers are responsible for complying with the following related policies:
    1. Password Policy
    2. Wireless Communications Policy
    3. Lab Policy
  5. The Network Support Organization maintained firewall devices must be configured in accordance with least-access principles and the DMZ Lab business needs. All firewall filters will be maintained by the IT Team.
  6. The firewall device must be the only access point between the DMZ Lab and the rest of XXX’s networks and/or the Internet. Any form of cross-connection which bypasses the firewall device is strictly prohibited.
  7. Original firewall configurations and any changes thereto must be reviewed and approved by the IT Team (including both general configurations and rule sets). The IT Team may require additional security measures as needed.
  8. Traffic from DMZ Labs to the XXX internal network, including VPN access, falls under the Remote Access Policy.
  9. All routers and switches not used for testing and/or training must conform to the DMZ Router and Switch standardization documents.
  10. Operating systems of all hosts internal to the DMZ Lab running Internet Services must be configured to the secure host installation and configuration standards. [Add url link to site where your internal configuration standards are kept].
  11. Current applicable security patches/hot-fixes for any applications that are Internet services must be applied. Administrative owner groups must have processes in place to stay current on appropriate patches/hotfixes.
  12. All applicable security patches/hot-fixes recommended by the vendor must be installed. Administrative owner groups must have processes in place to stay current on appropriate patches/hotfixes.
  13. Services and applications not serving business requirements must be disabled.
  14. XXX Confidential information is prohibited on equipment in labs where non-XXX personnel have physical access (e.g., training labs), in accordance with the Data Classification and Protection Policy.
  15. Remote administration must be performed over secure channels (e.g., encrypted network connections using SSH or IPSEC) or console access independent from the DMZ networks.

3.5 DMZ Equipment Policy

3.5.1 General Configuration Policy

All equipment must comply with the following configuration policy:

  • Hardware, operating systems, services and applications must be approved by IT as part of the pre-deployment review phase.
  • Operating system configuration must be done according to the secure host and router installation and configuration standards. [Insert a reference to any standards that you have]
  • All patches/hot-fixes recommended by the equipment vendor and IT must be installed. This applies to all services installed, even though those services may be temporarily or permanently disabled. Administrative owner groups must have processes in place to stay current on appropriate patches/hotfixes.
  • Services and applications not serving business requirements must be disabled.
  • Trust relationships between systems may only be introduced according to business requirements, must be documented, and must be approved by IT.
  • Services and applications not for general access must be restricted by access control lists.
  • Insecure services or protocols (as determined by IT) must be replaced with more secure equivalents whenever such exist.
  • Remote administration must be performed over secure channels (e.g., encrypted network connections using SSH or IPSEC) or console access independent from the DMZ networks. Where a methodology for secure channel connections is not available, one-time passwords must be used for all access levels.
  • All host content updates must occur over secure channels.
  • Security-related events must be logged and audit trails saved to IT-approved logs. Security-related events include (but are not limited to) the following:
    • User login failures.
    • Failure to obtain privileged access.
    • Access policy violations.
  • IT will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified.

3.5.2 New Installations and Change Management Procedures

All new installations and changes to the configuration of existing equipment and applications must adhere to the following policies/procedures:

  • New installations must be done via the DMZ Equipment Deployment Process.
  • Configuration changes must follow the Corporate Change Management (CM) Procedures.
  • IT must be invited to perform system/application audits prior to the deployment of new services.
  • IT must be engaged, either directly or via CM, to approve all new deployments and configuration changes.

3.5.3 Equipment Outsourced to External Service Providers

The responsibility for the security of the equipment deployed by external service providers must be clarified in the contract with the service provider, and security contacts and escalation procedures must be documented. Contracting departments are responsible for third-party compliance with this policy.

4. Policy Compliance

4.1 Compliance Measurement

The IT team will verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

4.2 Exceptions

Any exception to the policy must be approved by the Infosec team in advance.

4.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
