4.2 Network Security Policy
Purpose and Scope
The purpose of this document is to define basic rules and requirements for network security and ensure the protection of information within and across networks and supporting information processing facilities.
This document is applied to the security of all services, architecture, software and systems that make up Sord's product(s)/service(s).
Users of this document are all employees and applicable contractors who work on network engineering, security, and maintenance at Sord.
Network Controls
Sord manages, controls, and secures its networks, the connected systems and applications, and data-in-transit to safeguard against internal and external threats.
Firewalls & Threat Defense
Sord utilizes network and/or web application firewalls to safeguard networks and core applications from threats. Sord configures appropriate firewall alerts and alarms for timely response and investigation.
Sord ensures available networking ports and protocols are restricted based on the principle of least privilege. Firewall configurations and rulesets are reviewed at least semi-annually, or sooner when changes warrant it. Firewall rules are set to "deny all, allow by exception" by default.
As an additional layer of defense, Sord utilizes an IDS/IPS and/or other threat monitoring solutions to detect and alert on network-based threats.
Network Diagramming
Jonathan Gautsch maintains network and data flow diagrams. Diagrams are reviewed and updated at least every 6 months, or when significant network infrastructure changes occur.
Network Access Control
Sord establishes, documents, and reviews access control policy based on business and security requirements, which also encompasses network access control. Reference the Access Control and Termination Policy for more information.
Sord segregates networks based on the required groups of information services, users, and systems.
Sord utilizes firewall configurations to restrict connections between untrusted networks and trusted networks.
Additionally, Sord may utilize security groups and network access control lists (NACLs) to improve network security for individual virtual machines.
Network Engineering
Sord implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
Sord is required to use a defense-in-depth (DiD) architecture to protect the Confidentiality, Integrity, and Availability of information systems and data, i.e. placing information systems that contain sensitive data in an internal network zone, segregated from the DMZ and other untrusted networks.
Sord synchronizes clocks of all applicable information systems to the same time protocol to enforce consistent and accurate timestamping.
Data-in-transit Protection
Sord uses strong cryptography and security protocols (e.g. TLS 1.2+ or an equivalent protocol) to safeguard sensitive data during transmission over open, public networks. Sord protects the integrity and confidentiality of data passing over public networks from fraudulent activity, contract dispute, and unauthorized disclosure and modification.
Sord prohibits the transmission of unprotected sensitive data using insecure end-user messaging technologies.
Network Service Level Agreements (SLAs)
Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.
Exceptions
Sord business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other Sord policy. If an exception is needed, Sord management will determine an acceptable alternative approach.
Enforcement
Any violation of this policy or any other Sord policy or procedure may result in disciplinary action, up to and including termination of employment. Sord reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Sord does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.
Any person who is requested to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager or any other manager of Sord as soon as possible.
The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security policies and procedures, and from committing any other security breaches.
Responsibility, Review, and Audit
Sord reviews and updates its security policies and plans to maintain organizational security objectives and meet regulatory requirements at least annually. The results are shared with appropriate parties internally and findings are tracked to resolution. Any changes are communicated across the organization.
This document is maintained by Jonathan Gautsch.
This document was last updated on 03/27/2024.