Network Access Control
Policy on Use of Network Services
Users shall only have access where there is a specific business requirement and the access has been specifically authorised. Users will be granted specific access to networks that they are permitted to access. Users may not access networks that they are not given specific authorisation to access.
Information Security shall provide users with the rules, policies and procedures for accessing network connections and network services.
Third parties that must deploy systems not controlled by CX Index must be specifically approved by the Senior Management.
User Authentication for External Connections
All remote users will be authenticated before they are permitted to access information resources. Users will be given remote access only when their job function requires it. Any non-employee who receives approval for remote access must be restricted to specific systems only.
The system owners, in coordination with the Senior Management, shall select from the following options, based upon the results of the risk assessment:
- Cryptography
- Hardware tokens
- Challenge/response protocol
- Dedicated private lines
- Network user address checking
- Call-back procedures and controls (without call forwarding)
All procedures and controls shall be thoroughly tested prior to use.
Remote Diagnostic Port Protection
Remote diagnostic ports, usually in the form of vendor modems attached to systems, must be protected from unauthorised use. Diagnostic ports shall not be connected when not in use. The Senior Management must approve any requests for a vendor or third party to access a device through a remote port. The vendor must be fully authenticated before access is granted.
Senior Management must review the system after the vendor has accessed it to ensure no unauthorised activities were performed on the system.
Segregation in Networks
External Segregation
Network Controls must segregate groups of information services, users and information systems when interconnecting networks to partners or other third parties.
A risk assessment must be performed to determine the necessary controls prior to allowing new partners or third parties access to CX Index’s networks, and the Senior Management must approve any such connections.
Network segregation controls will be selected on the basis of the risk assessment, cost, and the impact of incorporating suitable routing and gateway technology. External connections must terminate in some form of controlled network (DMZ or similar) and must be subject to security controls. There shall be no direct connection between the CX Index corporate (internal) network and any third party.
Internal Segregation
Based on site risk assessments, internal segregation of sites or networks within sites may be warranted. Development and testing networks/systems must be segregated from the rest of the internal network (either completely or through a firewall/proxy arrangement) to prevent malfunctions in software from impacting the rest of the network.
Confidential information shall be consolidated and isolated on dedicated access servers, active storage and inactive storage (such as tape media) whenever possible.
Segregation of Development and Production Environments
CX Index will separate development and production environments to prevent unfinished or malfunctioning software from affecting the business network. Only approved systems will be connected to production environments, and only after the systems have fulfilled acceptance criteria.
Network Connection Control
Highly sensitive systems will have network access controls (e.g., firewalls or Access Control Lists) in place to prevent unauthorised connections from inside, or outside, CX Index. This is in addition to any application or system access controls. Restrictions will be consistent with CX Index’s access control policy.
Network controls shall be configured to allow only network traffic required by the business to enter or leave the CX Index network. The Senior Management shall work with management to determine those business requirements. These controls shall include:
- Ingress and egress filtering on border devices
- Firewall/Access Control List configuration that is host and port specific
An annual risk assessment will be performed to establish which systems and/or applications should be protected.
Wireless Network Policy for CX Index Facilities
This policy prohibits access to CX Index secure networks via wireless communication mechanisms.
This policy covers all wireless data communication devices capable of transmitting packet data. Wireless devices and/or networks without any connectivity to CX Index’s networks do not fall under the purview of this policy.