System Planning and Acceptance
To limit disruption to the network, applications, and business functions, CX Index will monitor system capacity and plan for future capacity needs in sufficient time to procure system resources prudently. This will ensure adequate resources are available and reduce the possibility of system overload.
Provisioning of Hardware and Software
The Senior Management must be consulted whenever deploying any new systems for adequate provisioning of system hardware and software to take advantage of any contracts or discounts that may be in place. Senior Management will obtain and install the equipment, as appropriate, and then allow access to the appropriate groups for use of the equipment. Provisioning of software requires purchasing of any applicable licenses for use.
Management of Network Storage
To allow adequate storage capability to support all users, Senior Management will develop standards and processes for managing online and offline storage capacity. These standards will include types or classes of storage, data backup, protection by classification, and any quotas necessary based on the business reasons for storage. Management of storage will incorporate any requirements given in information retention policies.
To ensure new systems or applications do not disrupt the network, existing applications, or other systems, a system acceptance process will be defined. This process will outline acceptance criteria for new systems prior to acceptance. All systems will be tested prior to acceptance, including a vulnerability assessment or scan prior to being permitted to connect to the CX Index network. This process will
ensure that security controls are in place and that the new system complies with the design and function required.
System owners shall ensure that the equipment capacity requirements are met prior to use of new system.
Managers and users (when applicable) shall inspect major new systems periodically throughout the development to ensure functionality is appropriate and compliant with design requirements.
Prior to the acceptance and use of new systems the following controls shall be documented and in place:
- The system is built according to CX Index standard hardware or software builds
- Effective manual contingency procedures are documented (if applicable)
- Error recovery/restart procedures and contingency plans (if applicable)
- Updated business continuity plans (if applicable)
- Compatibility of new system to the security requirements of CX Index
- Compatibility of the new system to the existing systems
- Security controls are in place and tested
- Vulnerability scan run against system to verify that patch levels are current and that no unnecessary services are running.
Users shall be adequately trained prior to taking a new system into operational mode.
Systems must meet acceptance criteria, or have formal exceptions authorised, before being connected to the CX Index network.
Deployment of Network Infrastructure Systems on the Production Network
Network infrastructure systems, such as Domain Controllers, DNS servers, DHCP servers, or other similar systems will not be deployed on the production network except where authorised by the Senior Management.
Third Party Systems on the CX Index Network
If partners or vendors require placement of their devices on the CX Index network, special acceptance criteria must be applied. Third party devices must meet all system acceptance criteria as if they were CX Index systems, in addition to special access to the network. CX Index may not necessarily have physical or administrative control of the systems, so mitigating network controls must be also put in place.
Third party devices must be restricted in the access they may have on the network. This should be implemented through the use of Access Control Lists on the closest network device or other similar technologies. Third party systems should be placed on a segregated network segment allowing only specific data (required by the business) transferred between that network and the rest of the CX Index network.
The placement of such devices must be approved by the Senior Management before the device may be connected.