1. OVERVIEW AND SCOPE
1.1. Overview
In accordance with mandated organizational security requirements set forth and approved by management, PlusPlus has established a formal set of information security policies and supporting procedures. This comprehensive Policy document is to be implemented immediately, along with all relevant and applicable procedures. Additionally, this Policy is to be evaluated on an annual basis to ensure its adequacy and relevancy regarding PlusPlus’s needs and goals.
1.2. Purpose
This Policy and supporting procedures are designed to provide PlusPlus with a documented and formalized information security policy to comply with various regulatory and business needs. This Policy also serves as the organization’s primary, enterprise-wide information security manual. Compliance with the stated policy and supporting procedures helps ensure the safety and security of all PlusPlus system components within the sensitive data environment, and any other environments deemed applicable.
1.3. Scope
This Policy and supporting procedures cover all system components within the sensitive data environment that are owned, operated, maintained, and controlled by PlusPlus and all other system components, both internally and externally, that interact with these systems, and all other relevant systems.
o Internal system components are those owned, operated, maintained, and controlled by PlusPlus and include all network devices (firewalls, routers, switches, load balancers, other network devices), servers (both physical and virtual servers, along with the operating systems and applications that reside on them) and any other system components deemed in scope.
o External system components are those owned, operated, maintained, and controlled by any entity other than PlusPlus, but which may nonetheless impact the confidentiality, integrity, and availability (CIA) and overall security of the sensitive data environment and any other environments deemed applicable.
o Please note that the terms “system component(s)” and “system resource(s)” mean the following: any network component, server, or application included in or connected to the sensitive data environment or any other relevant environment deemed in-scope for purposes of information security.
2. Roles and Responsibilities
The following roles and responsibilities are to be developed and subsequently assigned to authorized personnel within PlusPlus regarding information security practices:
● Chief Technology Officer (CTO): Responsibilities include providing overall direction, guidance, leadership, and support for the entire information systems environment while also assisting other applicable personnel in their day-to-day operations. The CTO is to report to other members of senior management regularly regarding all aspects of the organization’s information systems posture.
● Chief Information Security Officer (CISO): Responsibilities also include providing overall direction, guidance, leadership, and support for the entire information systems environment, assisting other applicable personnel in their day-to-day operations, and researching and developing information security standards for the organization as a whole. This requires extensive identification of industry benchmarks, standards, and frameworks that can be effectively utilized by the organization for provisioning, hardening, securing, and locking down critical system components. Having researched such standards, the CISO is then to oversee the establishment of a series of baseline configuration standards covering, but not limited to, the following system components: network devices, operating systems, applications, internally developed software and systems, and other relevant hardware and software platforms. Because baseline configurations can and will change, this authorized individual is also to update the applicable configurations, documenting all modifications and enhancements as required.
● Systems Administrator: Responsibilities include implementing the baseline configuration standards for all in-scope system components. This requires obtaining a current and accurate asset inventory of all such systems, assessing their initial posture with the stated baseline, and the undertaking of the necessary configurations. Because of the complexities and depth often involved with such activities, numerous personnel designated as Systems Administrators are often engaged in such activities.
Furthermore, these individuals are also responsible for monitoring compliance with the stated baseline configuration standards, reporting to senior management all instances of non-compliance, and efforts undertaken to correct such issues. Additionally, because these individuals are to undertake the majority of the operational and technical procedures for the organization, it is critical to highlight other relevant duties, such as the following:
o Assessing and analyzing baseline configuration standards for ensuring they meet the intent and rigor for the overall safety and security (both logically and physically) of critical system components.
o Ensuring the asset inventory for all in-scope system components is kept current and accurate.
o Ensuring that network topology documents are also kept current and accurate.
o Facilitating requests for validation of baseline configurations for purposes of regulatory compliance assessments and audits – such as those for SOC-2 compliance, PCI compliance, SSAE 16 reporting, HIPAA, FISMA, GLBA, etc.
o Continuous training and certification accreditation for purposes of maintaining an acceptable level of information security expertise necessary for configuration management.
Additional duties of Systems Administrators include the following:
o Establishing the networking environment by designing system configuration; directing system installation; defining, documenting, and enforcing system standards.
o Optimizing network performance by monitoring performance; troubleshooting network problems and outages; scheduling upgrades; collaborating with network architects on network optimization.
o Updating job knowledge by participating in educational opportunities; reading professional publications; maintaining personal networks; participating in professional organizations.
o Securing network system by establishing and enforcing policies; defining and monitoring access.
o Reporting network operational status by gathering, prioritizing information; managing projects.
● Software Developers: Responsibilities include developing secure systems by implementing the required baseline configuration standards into all systems and software development lifecycle activities. Coding for security, not merely functionality, is a core theme to which all software developers are to adhere. They are also to identify any other necessary baseline configuration standards when warranted. Ultimately, this requires removing, disabling, and not implementing insecure services, protocols, or ports that – while perhaps conducive to ease-of-use – ultimately compromise the systems being developed.
Additionally, these personnel are also responsible for following a structured project management framework, one that includes utilizing a documented SDLC process, complete with well-defined change management policies, processes, and procedures. Moreover, these personnel are to support and coordinate all required requests for validation of the baseline configurations within their systems being developed for purposes of regulatory compliance and/or internal audit assessments.
Additional duties of Software Developers include the following:
o Developing software solutions by studying information needs; conferring with users; studying systems flow, data usage, and work processes; investigating problem areas; following the software development lifecycle.
o Determining operational feasibility by evaluating analysis, problem definition, requirements, solution development, and proposed solutions.
o Adequate documentation via flowcharts, layouts, diagrams, charts, code comments, and clear code.
o Preparing and installing solutions by effectively designing system specifications, standards, and programming.
o Improving operations by conducting systems analysis; recommending changes in policies and procedures.
o Obtaining and licensing software from vendors.
● Change Management Personnel: Responsibilities include reviewing, approving, and/or denying all changes to critical system components and specifically for purposes of any changes to the various baseline configuration standards. While changes are often associated with user functionality, many times, the issue of vulnerability, patch, and configuration management are brought to light with change requests. In such cases, authorized change management personnel are to extensively analyze and assess these issues for ensuring the safety and security of organizational-wide system components.
● End Users: Responsibilities include adhering to the organization’s information security policies, procedures, and practices, and not undertaking any measure to alter such standards on any PlusPlus system components. Additionally, end-users are to report instances of non-compliance to senior authorities, specifically those by other users. End users – while undertaking day-to-day operations – may also notice issues that could impede the safety and security of PlusPlus system components and are to report such instances immediately to senior authorities.
● Vendors, Contractors, Other Third-Party Entities: Responsibilities for such individuals and organizations are much like those stated for end-users: adhering to the organization’s information security policies, procedures, practices, and not undertaking any measure to alter such standards on any such system components.
3. INFORMATION SECURITY POLICY
3.1. Information Security Solutions
The list of tools, devices, and protocols used to protect networks is endless, but for purposes of gaining a basic understanding, the following are considered vital to information security best practices:
o Network Devices: Firewall, routers, switches, load balancers, intrusion detection systems (IDS).
o Malware Solutions: anti-virus and anti-spam software and devices.
o File Integrity Monitoring (FIM) and change detection software, host-based intrusion detection, and intrusion prevention devices.
o Secure services – those that are operating system (O/S) and application-specific to all major operating systems (Windows, UNIX, Linux) and applications (web server applications, database applications, internally developed applications).
o Secure protocols, such as SSL, SSH, VPN, etc.
o Secure ports, such as 443, 22, etc.
o User access principles, such as Role Based Access Controls (RBAC), etc.
o Username and password parameters, such as unique user IDs, password complexity rules, password aging rules, account lockout thresholds, etc.
o Event monitoring.
o Configuration and change monitoring.
o Performance and utilization monitoring.
o Logging and reporting.
o Appropriate incident response measures.
3.2. Defense-in-Depth
Among the best practices for ensuring the CIA triad is upheld at all times are Defense-in-Depth and Layered Security, both of which rely on multiple resources to help protect an organization’s information systems landscape. Defense-in-Depth was initially a military strategy that put forth a “delay rather than prevent” concept, one that advocated yielding various elements to the enemy for purposes of buying extra time. Over time, the National Security Agency (NSA) adopted Defense-in-Depth as an information assurance (IA) concept in which multiple layers of security are used to protect an organization’s information technology infrastructure. Defense-in-Depth has since become a widely adopted framework for organizations around the world for helping ensure the safety and security of critical system components. It has been praised as a highly effective concept, one that employs effective countermeasures for thwarting attacks on an enterprise’s information systems environment. Defense-in-Depth – for purposes of information security – includes the following layers, which have been loosely adopted and agreed upon by industry-leading vendors and other noted organizations:
o Data
o Application
o Host
o Internal Network
o Perimeter
o Physical
o Policies, Procedures, Awareness
3.3. Layered Security
Layered security, often mentioned in the context of Defense-in-Depth, is a concept whereby multiple layers of security initiatives are deployed to protect an organization’s critical system components. Specifically, by utilizing several security tools, protocols, and features, organizations can put in place layers of security that – in the aggregate – help ensure the confidentiality, integrity, and availability (CIA) of systems. It is important to note that the main emphasis of layered security is protection, which makes it a subset of Defense-in-Depth, a concept that casts a much wider net over the broader subject of enterprise-wide information security. Furthermore, layered security seeks to put in place measures that compensate for possible weaknesses in other tools, so that – again, in the aggregate – they form a comprehensive security strategy.
As for layered security initiatives, common examples can include the following:
o The use of firewalls, intrusion detection systems, web application firewalls, anti-virus, and anti-spam tools, as each provides specific measures, unique to one another, for network security protection.
For purposes of information security, all individuals form a cohesive and vital component of an organization’s overall Defense-in-Depth platform – one that utilizes multiple resources for enterprise-wide cybersecurity protection.
3.4. Online Security and Mobile Computing
Information Security is also about understanding today’s ever-growing online threats, many of which can result in serious security issues for PlusPlus. The company expects all employees to take the following precautions:
o Trust, but verify. It is each employee’s responsibility to know who is requesting information, whether it is highly sensitive and confidential customer information or employee personal information. Social engineering – tactics used to gain access and steal valuable assets – is on the rise, so all employees must be watchful and mindful at all times.
o Enable security. Anti-virus must be on all computers used to access the Internet. In addition, usernames and passwords are to be used to protect the contents on laptops should they ever be lost, stolen, or misplaced.
o Protect physical assets. Physical assets such as laptops, phones, tablets, notebooks, etc. are not to be left unattended for any period other than in company offices. For company-owned laptops, serial numbers must be recorded with I.T. Each employee who uses a personal laptop for company business must register the serial number as well.
o Clear out browser sessions. Browser history should be periodically cleared, ensuring no pre-populated usernames and passwords exist, especially on non company owned desktops, laptops, and workstations. Usernames and passwords must be kept secure at all times.
o Social media sites. Employees represent the company in everything they do, both inside and outside the walls of the facilities. As such, employees should be aware of the information they post and strive to use a professional tone at all times, even with friends, family members, co-workers, and other online participants. Employees should ask themselves: “Does the posting or uploading of content to any of my personal social media resources disclose any ‘sensitive information’ related to my company, or does it in any way impact the safety and security of my organization?”
o Wireless Access Points. Though they are free and easy to connect to, wireless access points are vulnerable in terms of security issues, so employees must follow the subsequent protocols:
▪ Wireless connectivity must be turned off when not in use.
▪ Only trusted Wi-Fi “hotspots” can be connected to.
▪ Wireless access points should not be used for conducting business activities unless with an approved VPN and secure remote access software on your laptop.
o Protect wireless handheld devices. The continued growth and use of small, mobile devices capable of sending, receiving, and storing information – though highly efficient – also requires putting in place protective measures, such as the following:
▪ Employees must use PIN and/or password security parameters for accessing and unlocking phones.
▪ When disposing of any wireless handheld devices, employees must ensure that all sensitive and confidential data has been removed.
3.5. Security Updates
I.T. professionals are responsible for updating and applying critical security patches to PlusPlus system components. It is essential that all employees also do the same with the applications they use daily. Along with ensuring that a current and stable version of anti-virus is used, the following are to be updated by employees regularly:
o Internet browsers: Updating browsers (Internet Explorer, Mozilla, Google Chrome) is vital for ensuring all web pages display correctly, security holes are not present, and all performance features are maximized.
o Operating Systems: Updating operating systems for devices is crucial to making sure all systems have the latest security patches.
o Portable Document Format (PDF) / Adobe: Attackers can create malicious files and other executables that exploit Portable Document Format (PDF) software; therefore it is essential to ensure the latest Adobe software security updates are in place.
o Other essential applications: There’s an almost endless list of applications used today, so employees need to keep a list handy of what’s on their computer, making sure to perform security updates as required for safety, performance, and software stability.
3.6. Laptop Security
All laptops must be secured physically and cryptographically at all times to protect electronic data residing on laptops. Specifically, the following measures must be taken:
Encryption. Full-disk encryption must reside on all laptops, ensuring the safety and security of data (i.e., user files, swap files, system files, hidden files, etc.).
Anti-virus. Laptops must have anti-virus running at all times, along with scanning at regular intervals for viruses, and that the software is current.
Firewalls. Blocking suspicious traffic is essential for laptop security. Personal default firewalls or an approved firewall software appliance must be turned on.
Use strong passwords for your laptop. Laptop passwords should be enabled to log into the device. Initial laptop passwords should be robust, with a combination of letters, numbers, and symbols used. All PlusPlus issued laptops are required to have screensavers that are activated after 15 minutes of inactivity, which then requires a password to be entered to re-activate the session.
Security updates. All required security updates for the operating system and all other applications must be installed at all times. This also means having anti-virus running at all times and conducting periodic scans. Additionally, the use of anti-spyware is required as it provides additional layers of protection, especially during Internet usage.
Unapproved software. Laptops have been configured to provide employees the necessary tools for performing daily roles and responsibilities, which means no additional software is needed. Employees are prohibited from downloading or installing into any of the drives or ports additional software that has not been approved as it may contain malicious files, could consume additional resources, or is simply not professionally suitable for the work environment.
Removable storage devices. Removable storage devices connected via USB ports, such as thumb drives, external hard drives, and other removable storage and memory devices, are never to contain highly sensitive and confidential information, such as Personally Identifiable Information (PII), or any other data deemed privileged. Such information should be transferred over the network using approved protocols and reside on company servers only.
Instant Messaging. Sensitive or confidential information should never be transmitted over instant messaging channels. This includes what is commonly known as Personally Identifiable Information (PII) – unique identifiers for any individual, such as social security numbers, dates of birth, medical accounts, etc.
Stolen Laptops. Laptops, unfortunately, do get stolen, so employees must think and act quickly, and report the theft to local authorities and inform management (and the I.T. department) immediately.
Software Licensing and Usage
PlusPlus has the following policies as it relates to software licensing and usage.
Approved software. Only software approved and purchased by the company may be installed and used on any company-wide system components. This includes workstations and any other device provided to employees by the company. Unapproved software that has not been thoroughly vetted by authorized I.T. personnel can contain dangerous or malicious code that is harmful to computers. Employees should only load and use legally approved software on computers.
Duplicate software. The licensing rights for software are strict and extremely rigid, allowing only a predetermined number of installations for a given license. Company-approved and purchased software is never to be duplicated or copied in any manner. U.S. copyright laws – and other regulations throughout the world – often place strict guidelines on software usage.
Accept updates. For software to function efficiently and safely, security and patch updates have to be applied regularly. Employees must accept such updates when pushed out and also take the time to update any software on personal computers that do not rely on updates pushed out by I.T. personnel.
Software audits. PlusPlus will conduct random software compliance audits on workstations, including company-owned laptops and personal laptops, to ensure compliance with software licensing rules and to remove potentially dangerous applications.
Penalties and fines. According to the U.S. Copyright Act, illegal reproduction of software is subject to civil damages of up to $150,000 per title infringed (Title 17, Section 504(c)(1)), and criminal penalties, including fines of as much as $250,000 per title infringed and imprisonment of up to ten years (Title 18, Section 2319(b)(2)).
3.7. Clean Desk Policy
The purpose of PlusPlus’s clean desk policy is to ensure confidentiality. Employees in physical possession of documents or electronic media (USB drives, disks, etc.) containing sensitive or confidential information must store those documents in a locked filing cabinet, locked desk, or office when not working on them, when away from their desks, or when leaving for the day. Employees must ensure that no documents are left on their desks unattended overnight and must turn their work papers face down before leaving their workspaces temporarily.
Employees may not dispose of sensitive or confidential information in the trash. Employees are responsible for keeping copier/printer areas free from sensitive or confidential information every day. Any documents not retrieved by employees must be disposed of in secure shredding bins.
All workstations, when feasible, should be positioned to limit the ability of unauthorized individuals to view confidential or sensitive information.
Unattended computers should be locked or logged off so that the information displayed on the screens cannot be viewed by anyone other than the single user of the computer. Computers should be configured to automatically lock or engage a password-protected screensaver after an unattended duration of 15 minutes.
3.8. Security Awareness Training
All employees within PlusPlus are to undergo annual security awareness training initiatives to ensure they stay abreast of significant security issues that pose a credible threat to the organization as a whole, including, but not limited to, PlusPlus’s network infrastructure and all supporting system resources. While the goal of the program is to have in place a comprehensive framework that effectively addresses the core components of Awareness, Training, and Education, the program must also provide subject matter directly related to the safety and security of specific system components. Specifically, all users (both end-users and administrators) having access rights to various PlusPlus I.T. resources must have adequate knowledge in understanding the threats associated to these specified system components, along with the knowledge of the necessary response and resolution measures to undertake.
As such, the security awareness training program provides both general, enterprise-wide training measures along with subject matter specifically related to system components. Security awareness is provided to all employees on a routine basis, rather than just a once-per-year calendar activity. It must be stressed that security awareness training is dynamic, changing as needed to meet the growing threats facing PlusPlus. As such, the training and awareness program is reviewed on at least an annual basis to ensure that it is effective for the organization’s current and future state.
Training will be provided by management and conducted via a presentation followed by a quiz ensuring the employee both understood and retained the information presented.
3.9. Speak Up Policy
PlusPlus has a genuine interest in protecting the integrity of its workplace, but this is only achievable if employees Speak Up when that integrity might be compromised. Employees are expected to know and comply with company policies and to use their best judgment when reporting any form of fraud or misconduct. If there is a reasonable basis to believe that an employee, or another person in relation to the company, has violated the law, company policy, or contributed in unethical behavior, then PlusPlus strongly encourages employees to Speak Up.
If an employee is ever informed to “keep quiet” about a suspected violation, then it is the employee’s responsibility to report the suspected violation to a Speak Up representative and include in the report that the employee has been asked to “keep quiet” about the matter.
If an employee approaches another employee about potential fraud or non-compliance, then the employee should encourage them to use the Speak Up policy to report their concern. In case the employee accused of misconduct is in a senior position or is a reporting staff member, then the employee should report the issue to the Company Compliance Officer.
All an employee needs to do is Speak Up, and the company will investigate on their behalf. Employees do not need to have proof and may turn out to be mistaken. By simply holding others accountable within the company, the company can avoid the financial or reputational risk that results from unreported harmful activity. Therefore, by choosing to Speak Up, employees directly contribute to making the company workplace a place of greater integrity, fairness, and safety for everyone.
4. Data Protection
4.1. Physical & Environmental Security
PlusPlus has implemented physical access controls to safeguard Company facilities and the equipment therein from unauthorized physical access, tampering, and theft. Physical access to sensitive and confidential data must be limited to authorized personnel. This includes physical access to the facility where the information system resides. Role-based access controls should be included in the facility security plan and roles appropriately assigned to authorized individuals. Physical access rights are reviewed at least annually and include the following:
o Physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.
o All visitors are required to present identification and are signed in and escorted by authorized staff.
o When an employee or contractor no longer requires these privileges, his or her access is promptly revoked, even if he or she continues to be an employee. In addition, access is automatically revoked when an employee’s record is terminated.
o Authorized staff utilizes multi-factor authentication mechanisms to access data center floors.
o All decommissioned hardware is sanitized and physically destroyed in accordance with industry-standard practices.
o Appropriate fire detection and suppression elements, along with fire extinguishers, are placed in mission-critical areas.
Please refer to the Data Protection and Handling Policy for specific requirements regarding data protection processes.
5. Access Control
Access controls establish a uniform and prudent standard for preventing unauthorized access to information assets.
5.1. Access rights
Access rights to PlusPlus system components are limited to authorized personnel only, with all end-users being properly provisioned in accordance with stated access rights policies and procedures. This includes using all applicable provisioning and de-provisioning forms as necessary, along with ensuring users’ access rights incorporate Role-Based Access Control (RBAC) protocols or similar access control initiatives.
Additionally, users with elevated and/or superuser privileges, such as system administrators, I.T. engineers, and other applicable personnel, are responsible for ensuring access rights for all users (both end-users and users with elevated and/or superuser privileges) are commensurate with one’s roles and responsibilities within PlusPlus.
Thus, the concepts of “separation of rights” and “least privileges” are to be adhered to at all times by PlusPlus regarding access rights to system components. Specifically, “separation of rights” means that the many “functions” within a given system component should be separated, as should the roles granted to the end-users and administrators of those system resources. “Functions” are the actions a system component and its supporting components (i.e., the OS and applications residing on the server) can perform, together with the personnel who have authority over those actions. Thus, where permissible, functions (such as read, write, edit, etc.) should never be grouped, and end-users and administrators should not be granted access to multiple functions.
By effectively separating access rights to system components so that only authorized individuals have the minimum rights needed to perform their respective duties, PlusPlus adheres to the concept of “least privileges,” a well-known best-practice rule within information technology. In addition, any individual requiring access to sensitive information to perform their duties is authorized only after additional personnel screening is performed.
Every user must use a unique user ID and a password for access to Company information systems and networks. Passwords must be appropriately safeguarded and not shared with other users. Furthermore, passwords used by all users must meet or exceed all stated PlusPlus policies for password complexity requirements. Along with ensuring strong passwords, additional password parameters regarding account lockout policies and password resets are also to be enforced with appropriate system settings. Furthermore, only authorized personnel are allowed to make any changes to the password complexity rules and lockout policies on system components.
The use of non-authenticated (e.g., no password or security token) user IDs or user IDs not associated with a single identified user are prohibited. Shared or group user IDs are never permitted for user-level access.
Employee access must be reviewed quarterly and the review logged appropriately. User IDs shall be disabled after ninety (90) days of inactivity. After an additional thirty (30) days, disabled user IDs must be purged. These requirements may not apply to certain specialized accounts (e.g., admin, root, etc.); any such exemption is to be documented, and exempted accounts remain subject to the quarterly access review. Access logs must be maintained to track the granting, documenting, reviewing, modifying, and terminating of user access to Company information systems. Logs must also be maintained to track all access to sensitive data and to identify who accessed the data and when.
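The disable-and-purge rule above is straightforward to automate. The following is an added example (not PlusPlus tooling) of a quarterly inactive-account sweep in Python that applies the 90-day and 30-day thresholds, honours an exemption list for specialized accounts, treats a never-used account as inactive since its creation date, and emits the audit log lines the policy requires. The directory snapshot, field names and exemption list are constructed for the example.

```python
"""Inactive-account sweep for the rules in section 5.1: disable user IDs
after 90 days of inactivity, purge disabled IDs after a further 30 days,
and log each action.

Added example, not PlusPlus tooling. The account records, field names and
exemption list below are constructed assumptions.
"""
from datetime import date, timedelta

DISABLE_AFTER = timedelta(days=90)
PURGE_AFTER = timedelta(days=30)
# Specialized accounts the policy allows to be exempted from the sweep
# (assumed list; each exemption should itself be documented).
EXEMPT = {"root", "admin", "svc-backup"}


def review_accounts(accounts: list[dict], today: date) -> tuple[list[dict], list[str]]:
    """Return (accounts still on the directory, audit log lines).

    Each account: {"id", "last_login": date|None, "created": date,
                   "status": "active"|"disabled", "disabled_at": date|None}
    An account that has never logged in is measured from its creation date,
    so an unused new-hire account is still caught.
    """
    log, kept = [], []
    for acct in accounts:
        a = dict(acct)  # work on a copy; the input snapshot is left untouched
        if a["id"] in EXEMPT:
            kept.append(a)
            continue
        if a["status"] == "active":
            last = a["last_login"] or a["created"]
            if today - last >= DISABLE_AFTER:
                a["status"], a["disabled_at"] = "disabled", today
                log.append(f"{today} DISABLE {a['id']} inactive since {last}")
        elif a["status"] == "disabled":
            if today - a["disabled_at"] >= PURGE_AFTER:
                log.append(f"{today} PURGE {a['id']} disabled on {a['disabled_at']}")
                continue  # purged accounts are not kept
        kept.append(a)
    return kept, log


# Constructed sample directory snapshot.
SAMPLE_ACCOUNTS = [
    {"id": "alice", "last_login": date(2024, 5, 28), "created": date(2020, 1, 6),
     "status": "active", "disabled_at": None},
    {"id": "bob", "last_login": date(2024, 1, 15), "created": date(2021, 3, 1),
     "status": "active", "disabled_at": None},
    {"id": "carol", "last_login": None, "created": date(2024, 2, 1),
     "status": "active", "disabled_at": None},
    {"id": "dave", "last_login": date(2023, 11, 2), "created": date(2019, 7, 8),
     "status": "disabled", "disabled_at": date(2024, 4, 20)},
    {"id": "root", "last_login": date(2023, 1, 1), "created": date(2018, 1, 1),
     "status": "active", "disabled_at": None},
]


def sample_review(today_iso: str = "2024-06-01"):
    """Run the sweep over the constructed snapshot as of the given date."""
    return review_accounts(SAMPLE_ACCOUNTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    remaining, audit = sample_review()
    print("\n".join(audit))
```

Run as of 2024-06-01, the sweep disables bob (138 days idle) and carol (created 121 days ago, never used), purges dave (disabled 42 days ago) and leaves root alone because it is on the exemption list.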
5.2. Onboarding process
When an employee or contractor joins PlusPlus, they are assigned a unique PlusPlus employee ID. This ID defaults to the first name lower-cased. If that ID already exists, then the ID will be first name last name.
Each employee’s ID is unique to them. It is strictly forbidden to share IDs and the access they confer, or to use another person’s ID, with or without their permission.
The employee is then given access to their PlusPlus email, internal resources, and any elevated permissions their role may entitle them to, but only after a formal access request has been submitted to and approved by the appropriate system owner via an access request ticket or email. The same process applies when existing employees require additional levels of access.
All employees receive the Company’s Information Security Policy and Procedures upon commencement of employment and must acknowledge having read and received the policies prior to being allowed to access Company information systems and networks.
5.3. Methods of Authentication
PlusPlus uses automated access control systems to restrict user access to its network and data. These automated access controls require users to authenticate before they may access the corporate network, PlusPlus’s source code, PlusPlus’s and its clients’ consumer data, and other restricted data.
Authentication to PlusPlus system components is to use one, or a combination, of the following three (3) factors:
(1). Something a user knows: This method of authentication generally includes passwords, passphrases, numerical PINS, or some other type of knowledge that is known by a user.
(2). Something a user has: This method of authentication generally includes some physical attribute provisioned to a user, such as a swipe card, badge reader, key fob, smart card, dynamically generated unique identifier, or any other type of utility owned by the user.
(3). Something a user is: This method of authentication generally includes a unique physical attribute of the user, commonly known as biometrics. Many devices will read a user’s biometrics for purposes of authentication, which may include, but is not limited to, the following:
o Iris Scanners
o Palm Scanners
o Fingerprint Readers
o Facial Recognition Utilities
o Voice Recognition Devices
Additionally, along with utilizing the above three (3) methods of authentication, all users are to invoke strong authentication (more commonly known as multi-factor authentication) for access to PlusPlus system components. Multi-factor authentication is met by combining two (2) different factors from the three (3) categories above; two credentials of the same category (for example, a password plus a PIN) do not constitute multi-factor authentication.
5.4. Password Policy
Passwords are a critical component of information security. Passwords protect user accounts; however, a poorly constructed password may result in the compromise of systems and data.
PlusPlus’s password requirements are outlined in its Password Construction Policy, which is incorporated here by reference. This Policy requires at a minimum that all passwords should meet or exceed the following guidelines:
o Contain at least 15 characters.
o Contain both upper- and lower-case letters.
o Contain at least one special character (for example, $%^&*()_+|~-=\`{}[]:";'<>?,/) or at least one number (0-9).
Poor, or weak, passwords have the following characteristics, and are not allowed:
o Contain less than fifteen characters.
o Can be found in a dictionary, including a foreign-language dictionary, or are slang, dialect, or jargon terms.
o Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.
o Contain work-related information such as building names, system commands, sites, companies, hardware, or software.
All users are forced to change their password every 365 days, and all users are forced to change their password on the first login to a new account for which the user does not select their own initial password.
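As an added illustration (not the Password Construction Policy’s own tooling), the following Python check implements the rules above: minimum length, case mix, special character or digit, and rejection of dictionary, personal and work-related terms, including common digit-for-letter substitutions. The word lists are constructed for the example; a real deployment would load the organization’s own lists and a breached-password corpus.

```python
"""Password construction check for the rules in section 5.4.

Added example, not part of the PlusPlus policy or its tooling. The
dictionary, personal-information and work-related term lists below are
constructed for illustration only.
"""
import re
import unicodedata

MIN_LENGTH = 15
SPECIAL = set("$%^&*()_+|~-=\\`{}[]:\";'<>?,/")

# Constructed sample lists (assumptions for the example).
DICTIONARY_WORDS = {"password", "welcome", "sunshine", "dragon", "kennwort"}
PERSONAL_TERMS = {"19840713", "fluffy", "gandalf"}
WORK_TERMS = {"plusplus", "buildingb", "sudo", "kubernetes"}

# Undo common leet substitutions so "Passw0rd" still matches "password".
LEET = str.maketrans("0134@$!", "oleaasi")


def _normalise(s: str) -> str:
    """Lower-case and strip accents so 'Passwörd' matches 'password'."""
    s = unicodedata.normalize("NFKD", s)
    return "".join(c for c in s if not unicodedata.combining(c)).lower()


def check_password(password: str, *, dictionary=DICTIONARY_WORDS,
                   personal=PERSONAL_TERMS, work=WORK_TERMS) -> list[str]:
    """Return the list of policy rules the password violates ([] if OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not (any(c in SPECIAL for c in password) or any(c.isdigit() for c in password)):
        problems.append("no special character or digit")

    norm = _normalise(password)
    variants = (norm, norm.translate(LEET), re.sub(r"[^a-z]", "", norm))
    # A dictionary word anywhere in the password counts as a hit, not only
    # an exact match; very short words are skipped to limit false positives.
    for word in dictionary:
        if len(word) >= 4 and any(word in v for v in variants):
            problems.append(f"contains dictionary word '{word}'")
    for term in personal:
        if _normalise(term) in norm:
            problems.append(f"contains personal information '{term}'")
    for term in work:
        if _normalise(term) in norm:
            problems.append(f"contains work-related term '{term}'")
    return problems
```

The check reports every violated rule rather than stopping at the first, which is what a user-facing error message and an audit of existing credentials both need.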
5.5. Offboarding Process
User offboarding is a critical component of the user identity, provisioning, and access rights lifecycle, and as such, comprehensive measures are implemented to ensure that all terminated users are appropriately removed from system components. Failure to enact these measures could result in a breach of security for PlusPlus, as terminated users may otherwise retain access to company-wide system components. The following offboarding procedures are to be taken when an employee is terminated:
o Completing an offboarding form and contacting via email, telephone, or in person, all appropriate personnel responsible for de-provisioning users from the company system components.
o Obtaining signatures from the personnel de-provisioning the user confirming that the termination is completed.
o Collecting all organization-owned assets from the terminated individual.
o Confirming that system access to all company-wide system components for terminated users has been effectively removed, by inspecting all system components and supporting utilities for which authentication and authorization rights were initially established for terminated users.
Critical accounts for offboarded users are to be appropriately maintained by authorized personnel to ensure that correspondence, such as emails, voicemails, and other forms of communication, are addressed in a timely manner by PlusPlus. As such, the following critical accounts are to be monitored following the offboarding process for terminated users:
o Email Accounts
o Any other forms of communication
PlusPlus offboards users with its Termination Checklist, which must be completed on the last day of the user’s employment or contract with PlusPlus.
5.6. Access Review
On a quarterly basis, access to production systems is reviewed to confirm appropriateness of user access and compliance with least privilege principles. The review along with any modifications to system access are formally documented and tracked.
5.7. Remote Access
All access to PlusPlus system components initiated from outside the organization’s trusted network infrastructure is considered “remote access,” and only approved protocols are to be used to ensure that a trusted connection is initiated, established, and maintained. Specifically, all users are to utilize approved technologies, such as IPsec and/or TLS (“SSL”) Virtual Private Networks (VPN), for remote access, along with additional supporting measures such as Secure Shell (SSH), while also employing multi-factor authentication. Multi-factor authentication (i.e., something you know, something you have, something you are), combined with strong password policies, adds another layer of security to the access rights of all authorized users granted remote access to PlusPlus’s network.
Authentication of the subscriber shall be repeated at least once per 12 hours during an extended usage session, regardless of user activity. Reauthentication of the subscriber shall be repeated following any period of inactivity lasting 30 minutes or longer. The session shall be terminated (i.e., logged out) when either of these time limits is reached.
Additionally, all workstations (both company and employee-owned) are to have current, up-to-date anti-virus software installed, while also utilizing any other malware utilities as needed for protecting the workstations and the information traversing to and from the remote access connection. This may also include the use of personal firewall software, along with enhanced operating system settings on the applicable workstations.
PlusPlus requires any remote access to be over HTTPS, SSH, or VPN, and to use multi-factor authentication.
6. Software Development Life Cycle (SDLC)
The Software Development Life Cycle (SDLC) for PlusPlus encompasses a number of phases, each concluding with a major milestone. Assessments are conducted after each phase to determine if objectives have been satisfied. Material changes within the development phases are controlled through the process set forth in the Configuration and Change Management Policy. Skilled software engineers are utilized throughout all phases, which results in a thorough and uninterrupted process from beginning to end.
The development/test environment and the production environment are appropriately segregated. Development uses multiple separate environments that stage into production to ensure that untested code is not released in the primary system. Multiple safeguards exist to ensure that data and code are not compromised at each stage of the development pipeline.
SDLC activities for internally-developed systems/applications consist of the following procedures and phases:
● Request for New System/Application or Features. The process begins with the request for a new system/application, feature, or tool. Authorized personnel will initiate the request. All requests are to be appropriately logged in the Atlassian product life cycle management tool.
● Feasibility Study. Once a request for a new system/application, feature or tool is received, PlusPlus analyzes it and evaluates its market opportunity and/or operational impact. Once the benefits are identified, PlusPlus conducts a feasibility study with the assistance of the development team.
● Estimate and HW/SW Requirements. Along with estimating the effort and time required to implement the new system/application, feature or tool, an estimate of hardware and software required for development and final deployment is conducted.
● Management Decision. After reviewing the business rationale for the new system/application, feature, or tool, PlusPlus decides whether the cost/benefits and strategic direction warrant the development to proceed. A review of the business rationale for a completely new project includes studying market opportunity and conducting a competitive analysis. As soon as the project receives approval, the process progresses to the development and deployment phases.
● Requirement Analysis. During this phase, a detailed requirements analysis of the new system/application, feature, or tool is conducted and documented in the form of a requirements specification. Documents and activities for this phase include obtaining copies of documents used during this phase and interviewing personnel for major activities during this phase.
● Design. In this phase, various technical personnel collaborate to develop a detailed design of the various activities involved. The design and development team will review the design, and the final version is documented in the form of a design specifications document. If the feature or tool is to be a part of an existing system/application or functionality, the existing design document may be modified in lieu of creating a new document. Test plans and procedures for system tests are also developed.
● Implementation. Once the design is finalized, the actual implementation of the system/application, feature, or tool begins, with testing in a development environment. After all errors found during this testing are corrected, the application code is released to a test server.
● Code Review. Secure code review is one of the most effective techniques for identifying security bugs early in the system development lifecycle. Code is reviewed by individuals other than the originating code author, and by individuals knowledgeable about code review techniques and secure coding practices. Code review is the process of auditing the source code to verify the following requirements:
o the proper security and logical controls are present,
o that they work as intended
o that they have been invoked in the right places, and
o code is developed according to secure coding guidelines
● Static Code Analysis. Static Code Analysis is carried out during the implementation phase. PlusPlus runs a static code analysis tool that identifies possible vulnerabilities within the ‘static’ (non-running) source code. Bugs may exist in the application due to insecure code, design, or configuration.
● Quality Assurance and Testing. Once all the modules are moved to a test server and integrated into the test environment, any necessary test database tables and stored procedures are also created on the test server(s). The test environment is configured as a replica of the production environment or a specific client environment; however, there may be external interfaces which, at times, may not be duplicated, and approximations may be used. Testers then assess the new modules in this test environment. Test cases and scripts are written and documented as required. Any discrepancies are resolved with the development team, and any other additional testing is conducted. Customers and/or third-party users may be involved at different levels in this phase of the project cycle, based on a mutual understanding of verification requirements. Test results are documented and reviewed with development personnel and management for final approval.
● Release for Production. Once the system/application, feature, or tool is successful in the test environment, PlusPlus approves the release for production. Modules are moved to the production servers where functionality is tested after all modules are updated.
● Production Monitoring. Once the system/application, feature or tool is released into production, it is monitored for the first hour, and then for a day, and then a week.
7. Vulnerability and Patch Management
7.1. Patch Management
All necessary patches and updates for PlusPlus system components (those defined as critical from a security perspective) are to be obtained in a timely manner from the software vendor and/or other trusted third parties through the following channels, and deployed within the timelines stated below:
1. Vendor websites and email alerts.
2. Vendor mailing lists, newsletters, and additional support channels for patches and security.
3. Third-party websites and email alerts.
4. Third-party mailing lists.
5. Approved online forums and discussion panels.
Effective patch management and system updates help ensure the confidentiality, integrity, and availability (CIA) of systems from new exploits, vulnerabilities, and other security threats.
The timeline for applying patches depends on the severity level of the vulnerability. PlusPlus uses the following timelines for patch management based on severity level:
o Critical – Immediately to 7 days from identification.
o High – within 30 days of identification.
o Medium and Low – should be identified, tracked, and a timeline established.
Patches fixing highly critical or zero-day vulnerabilities are to be escalated and applied as soon as possible.
Once an employee has identified a critical or zero-day vulnerability, they should report the vulnerability immediately to the CTO. The CTO will consider the following factors on when to apply the patch.
o The relative importance of the vulnerable systems.
o The relative severity of each vulnerability.
o The operational risks of patching without first performing thorough testing.
o Whether there is a viable option to mitigate the vulnerability through an alternative method, at least until patches are fully deployed and operational.
Additionally, all patch management initiatives are to be documented accordingly, which shall include information relating to the personnel responsible for conducting patching, list of sources used for obtaining patches and related security information, the procedures for establishing a risk ranking for patches, and the overall procedures for obtaining, deploying, distributing, and implementing patches specifically related to PlusPlus system components.
Various external security sources and resources are to be utilized for ensuring that PlusPlus maintains awareness of security threats, vulnerabilities, and what respective patches, security upgrades, and protocols are available. Authorized I.T. personnel are to subscribe to the following types of security sources and resources for ensuring retrieval of security patches in a timely manner:
o Vendor websites and email alerts, such as those for Microsoft, UNIX, Linux, Cisco, HP, etc.
o Vendor mailing lists, newsletters, and additional support channels for patches and security.
o Approved third-party websites, email alerts, and mailing lists.
o Approved online information security forums and discussion panels.
o Information security conferences, seminars, and trade shows.
o Community-driven platforms relating to vulnerability management of information systems, such as the following (most originated at MITRE; STIX, TAXII, and CybOX are now maintained by OASIS), and many others:
o Open Sourced Vulnerability Database (OSVDB) (not a MITRE project; discontinued in 2016)
o Common Configuration Enumeration (CCE)
o Common Vulnerabilities and Exposures (CVE)
o Common Platform Enumeration (CPE)
o Common Weakness Enumeration (CWE)
o Malware Attribute Enumeration and Characterization (MAEC)
o Cyber Observable eXpression (CybOX)
o Structured Threat Information Expression (STIX)
o Trusted Automated Exchange of Indicator Information (TAXII)
o Making Security Measurable (MSM)
o Open Vulnerability and Assessment Language (OVAL)
o Common Attack Pattern Enumeration and Classification (CAPEC)
More detail is discussed in PlusPlus’s Change and Configuration Management Policy, which is incorporated here by reference. PlusPlus in particular monitors for CVE’s and patches from:
o The National Vulnerability Database (NIST)
o Canonical
o Debian
o Apache
o Apple
o PlusPlus’s cloud service provider(s)
7.2. Vulnerability Management
A well-conceived vulnerability management program for PlusPlus is one that ensures the confidentiality, integrity, and availability (CIA) of the organization’s information systems landscape, which includes all critical system resources. The Company’s Vulnerability management program includes internal and external scans, penetration testing, remediating issues, and includes identifying and detecting, classifying and prioritizing, remediating, validating, and continuously monitoring vulnerabilities related to the following:
o Configuration Standards: Provisioning, hardening, securing, and locking-down all critical system resources within PlusPlus is crucial for ensuring a baseline of information security, one that can be built upon over time by continuous monitoring and updating of such systems with security patches.
o Network Architecture and Topology: Insecure network topologies and weak security architectures – even if the systems themselves are properly secured and hardened – can result in significant vulnerabilities for the organization.
o Network Vulnerabilities: The use of internal and external vulnerability scanning procedures, along with the network layer and application layer penetration tests, are a critical component of PlusPlus’s vulnerability management program.
The classification and prioritization of vulnerabilities are based on Industry Best Practice OWASP Risk Rating Methodology. Separate Likelihood and Impact scores are assigned to the identified vulnerability, and the combined scores result in an overall severity score for the vulnerability indicating its prioritization for remediation.
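The following Python example (added here; it is not PlusPlus’s tracking tool) ties the OWASP rating above to the patch timelines in section 7.1: it averages the eight likelihood and eight impact factors on the 0-9 OWASP scale, bands them (LOW below 3, MEDIUM below 6, HIGH otherwise), looks up the overall severity in the OWASP matrix, and derives a remediation due date. The sample finding and its scores are constructed; the 90-day deadline used for Medium and Low severities is an assumption, since the policy only requires that a timeline be established.

```python
"""Vulnerability prioritisation: OWASP Risk Rating severity mapped to the
patch timelines of section 7.1.

Added example, not PlusPlus tooling. The sample finding is constructed.
The 0-9 factor scale, the LOW/MEDIUM/HIGH bands (0-<3, 3-<6, 6-9) and the
severity matrix are those of the OWASP Risk Rating Methodology; the
90-day Medium/Low deadline is an assumption.
"""
from datetime import date, timedelta

# OWASP likelihood factors: threat agent (4) + vulnerability (4).
LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",
                      "ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection")
# OWASP impact factors: technical (4) + business (4).
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability",
                  "financial_damage", "reputation_damage",
                  "non_compliance", "privacy_violation")

# (impact band, likelihood band) -> overall severity, per OWASP.
SEVERITY_MATRIX = {
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
}

# Section 7.1 timelines; Medium/Low deadline assumed, "Note" is untracked.
REMEDIATION_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 90, "Note": None}


def band(score: float) -> str:
    """Map a 0-9 OWASP score to its LOW/MEDIUM/HIGH band."""
    if not 0 <= score <= 9:
        raise ValueError("factor scores must be on the 0-9 OWASP scale")
    if score < 3:
        return "LOW"
    return "MEDIUM" if score < 6 else "HIGH"


def average(scores: dict, factors: tuple) -> float:
    """Average the named factors, refusing to rate an incomplete finding."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise KeyError(f"missing factor scores: {missing}")
    return sum(scores[f] for f in factors) / len(factors)


def rate(finding: dict) -> dict:
    """Return likelihood, impact, overall severity and the remediation due date."""
    likelihood = average(finding["likelihood"], LIKELIHOOD_FACTORS)
    impact = average(finding["impact"], IMPACT_FACTORS)
    severity = SEVERITY_MATRIX[(band(impact), band(likelihood))]
    days = REMEDIATION_DAYS[severity]
    return {
        "likelihood": round(likelihood, 2),
        "impact": round(impact, 2),
        "severity": severity,
        "due": finding["identified"] + timedelta(days=days) if days is not None else None,
    }


# Constructed sample finding: an unauthenticated SQL injection on an
# internet-facing endpoint (illustrative scores, not a real assessment).
SAMPLE_FINDING = {
    "identified": date(2024, 3, 1),
    "likelihood": {"skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
                   "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9,
                   "intrusion_detection": 8},
    "impact": {"loss_of_confidentiality": 7, "loss_of_integrity": 7,
               "loss_of_availability": 5, "loss_of_accountability": 7,
               "financial_damage": 7, "reputation_damage": 5,
               "non_compliance": 7, "privacy_violation": 9},
}

if __name__ == "__main__":
    print(rate(SAMPLE_FINDING))
```

For the sample finding the likelihood averages 8.25 and the impact 6.75, both HIGH, so the matrix yields Critical and the 7-day timeline puts the due date at 2024-03-08.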
Ultimately, an important component of developing a comprehensive vulnerability management program requires PlusPlus to adequately address the following major issues and constraints:
o Vulnerabilities: Software flaws or a misconfiguration that may potentially result in the weakness of the security of a system within the organization’s system resources.
o Remediation: The three (3) primary methods of remediation are
▪ (1) installation of a software patch,
▪ (2) adjustment of a configuration setting and
▪ (3) removal of the affected software.
o Threats: Threats are capabilities or methods of attack developed by malicious entities to exploit vulnerabilities and potentially cause harm to a computer system or network. Potential threats also include insider threats, which can be mitigated through the enforcement of access controls and the rapid identification and reporting of suspicious activity.
More detail is discussed in the Change and Configuration Management Policy.
7.3. Malware
Malicious software (malware) poses a critical security threat to PlusPlus system components; thus effective measures are to be in place to ensure protection against viruses, worms, spyware, adware, rootkits, trojan horses, and many other forms of harmful code and scripts. As such, PlusPlus is to have anti-virus (AV) solutions deployed on all applicable system components, with the respective AV being the most current version available from the vendor, enabled for automatic updates, configured to conduct periodic scans as necessary, and capable of removing all known types of malicious software. Additionally, all AV solutions generate audit logs, which are used for monitoring and alerting on infected machines. Because strong and comprehensive malware measures are not limited to the use of AV, additional tools are to be employed as necessary to address the other threats discussed above. The seriousness of malware and the growing frequency of attacks on organizations require that all I.T. personnel within PlusPlus stay abreast of useful tools and programs that are beneficial in combating harmful code and scripts.
7.4. Performance and Security Testing
All applicable PlusPlus system components are to undergo annual vulnerability assessments along with penetration testing to ensure their safety and security against the external and internal threats they face. Vulnerability assessments, which entail scanning a specified set of network devices, hosts, and their corresponding Internet Protocol (IP) addresses, help identify security weaknesses within PlusPlus’s network architecture, along with those related to specific system components. Additionally, penetration testing services, which are designed to actually compromise the organization’s network and application layers, also assist in finding security flaws that require immediate remediation. Moreover, contractual requirements, along with regulatory compliance laws and legislation, often mandate that organizations perform such services at a minimum annually (for penetration tests) and on a periodic and/or quarterly basis (for vulnerability assessments). Vulnerability scans are also performed after any significant change. As such, PlusPlus will adhere to these stated requirements and will perform the necessary services on all applicable system components with an appropriately independent team.
Careful planning and consideration of what systems are to be included when performing vulnerability assessments and, particularly, penetration testing, is a critical factor, as all environments (i.e., development, production, etc.) must be safeguarded from any accidental or unintended exploits caused by the tester.
Additionally, for PlusPlus’s internally developed, proprietary applications (i.e., software), appropriate code reviews are to be conducted for ensuring the software itself has been coded and developed with the appropriate security measures. Poorly coded software, specifically software used for web-facing platforms, can be compromised through numerous harmful tactics, such as Cross-site scripting (XSS), injection flaws (SQL, etc.), and other damaging methods.
PlusPlus also runs periodic automated security vulnerability scans on its systems by contracting with third-parties.
8. Encryption
When necessary and applicable, appropriate encryption measures are to be invoked to ensure the confidentiality, integrity, and availability (CIA) of PlusPlus system components and any sensitive data associated with them. Additionally, any passwords used for accessing and/or authenticating to a system component are to be protected at all times, encrypted in transit and stored only in hashed form, as passwords transmitted or stored in clear text are vulnerable to external threats. As such, approved encryption technologies, such as Transport Layer Security (TLS), Secure Shell (SSH), and other secure data encryption protocols, are to be utilized when accessing the specified system component. Additional encryption measures for PlusPlus are to also include the following best practices for all applicable devices that have the ability to store sensitive and confidential information:
Servers – Depending on the type of server and the underlying applications, a large range of encryption measures can be adopted. The first measure is identifying the type of information residing on such servers and the necessary encryption protocols to apply. All application servers which may store, process, or transmit consumer or client information must use full disk encryption. Additionally, servers are to be provisioned and hardened accordingly, with anti-virus also installed.
Desktop Computers – Any desktop computer storing sensitive and confidential information are to utilize encryption for the actual hard drives. Additionally, access rights are to be limited to authorized personnel at all times. Non-PlusPlus owned desktops, such as those physically located at an employee’s home, are to never contain sensitive and confidential information under any circumstances. If such data needs to be accessed for performing remote duties, then a secure connection must be made to the PlusPlus network for accessing all relevant information. Additionally, desktop computers are to be provisioned and hardened accordingly, with anti-virus also installed.
Laptops, Mobile Computing Devices, Smart Devices – Such devices are to have approved encryption installed and enabled prior to their use, which requires PlusPlus authorized I.T. personnel to configure appropriate encryption programs. Specifically, full disk encryption or other approved methods, such as file-level encryption, are to be used, and these devices are not to be used for long-term storage of sensitive and confidential information. The phrase “long term” is discretionary in nature, but consists of any data residing on laptops, mobile computing devices, and smart devices longer than thirty (30) calendar days. Non-PlusPlus owned laptops, mobile computing devices, and smart devices, are to never contain sensitive and confidential information under any circumstances. If such data needs to be accessed for performing remote duties, then a secure connection must be made to the PlusPlus network for accessing all relevant information. Additionally, laptops, mobile computing devices, and smart devices are to be provisioned and hardened accordingly, with anti-virus also installed.
8.1. Encryption Standards
PlusPlus requires that the following list of industry-leading security standards, benchmarks, and frameworks are utilized:
1. Ciphers in use must meet or exceed the set defined as “AES-compatible” or “partially AES-compatible” according to the IETF/IRTF Cipher Catalog, or the set defined for use in the United States National Institute of Standards and Technology (NIST) publication FIPS 140-2 (superseded by FIPS 140-3), or any superseding documents according to the date of implementation. The use of the Advanced Encryption Standard (AES) is strongly recommended for symmetric encryption.
2. Algorithms in use must meet the standards defined for use in NIST publication FIPS 140-2 or any superseding document, according to the date of implementation. The use of the RSA and Elliptic Curve Cryptography (ECC) algorithms is strongly recommended for asymmetric encryption.
3. In general, PlusPlus adheres to the NIST Policy on Hash Functions.
4. Key exchanges must use one of the following cryptographic protocols: Diffie-Hellman, IKE, or Elliptic Curve Diffie-Hellman (ECDH).
5. Endpoints must be authenticated prior to the exchange or derivation of session keys.
6. Public keys used to establish trust must be authenticated prior to use. Examples of authentication include transmission via cryptographically signed message or manual verification of the public key hash.
7. All servers used for authentication (for example, RADIUS or TACACS) must have installed a valid certificate signed by a known trusted provider.
8. All servers and applications using TLS must have the certificates signed by a known, trusted provider. Only TLS 1.2+ is permitted. TLS must be configured according to the OWASP recommendations in their TLS Cheat Sheet.
9. Cryptographic keys must be generated and stored in a secure manner that prevents loss, theft, or compromise.
10. Key generation must be seeded from an industry-standard random number generator (RNG). For examples, see NIST Annex C: Approved Random Number Generators for FIPS PUB 140-2
8.2. Encryption Key Management
Cryptographic keys are to be secured and strongly protected at all times by PlusPlus as those who obtain access will be able to decrypt highly sensitive data. Key-encrypting keys, if used, must thus be at least as strong as the data-encrypting key in order to ensure proper protection of the key that encrypts the data as well as the data encrypted with that key. The manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution. A well-thought-out, high-quality key-management process, whether it is manual or automated as part of the encryption product, is to be based on industry standards that address all critical key management elements.
Keys must be generated, accessed, distributed, and stored in a controlled and secure manner.
8.3. Key Access
Keys used to encrypt and decrypt cardholder data must be protected from general access. Only approved custodians should be able to access the key components.
Access to encryption key components will only be granted to those custodians specifically requiring access due to job function. Access may only be granted by the CTO and key access must be recorded.
8.3.1.Split Knowledge and Dual Control
A minimum of two custodians, authorized by the CTO, are required to collaborate to perform any key action (such as key generation or loading the key). Additionally, no single custodian may know or have access to all pieces of a data encryption key.
8.3.2.Key Generation
Only strong encryption keys are to be used. Creation of encryption keys must be accomplished using a random number generation algorithm. Depending on the encryption scheme in question, the following are minimum length requirements for the encryption keys:
▪ Triple-DES – 128 bits (note that NIST SP 800-131A disallows two-key Triple-DES and retired three-key Triple-DES at the end of 2023; AES is to be used for new deployments)
▪ AES – 256 bits
▪ RSA – 1024 bits (note that NIST SP 800-131A disallows RSA keys shorter than 2048 bits for new use; 2048 bits is the practical minimum)
▪ Industry recommendations/best practices for other encryption methodologies
Generating encryption keys must be accomplished by a minimum of two custodians authorized by the CTO. Each custodian will generate one random clear text piece (key component) that will be used to create the encryption key.
To prevent unauthorized substitution of keys, physical and logical access to the key generating procedures and mechanisms must be secured.
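As an added example of the split-knowledge and dual-control ceremony described in 8.3.1 and 8.3.2 (not the PlusPlus key-management procedure itself), the following Python code has each custodian generate a random component, combines the components into the data-encrypting key, enforces the section 8.3.2 minimum lengths, and produces a key-check value the custodians can compare without seeing the key. Two assumptions are made: components are combined by XOR (the usual practice, which makes any set of components with one missing statistically independent of the key), and the key-check value is a truncated SHA-256 (HSMs commonly encrypt a zero block with the key instead).

```python
"""Dual-control key generation with split knowledge (sections 8.3.1, 8.3.2).

Added example; not the PlusPlus key ceremony procedure. Assumptions:
custodian components are combined by XOR, and the key-check value (KCV)
is SHA-256 of the key truncated to 3 bytes.
"""
import hashlib
import secrets
from functools import reduce

# Minimum key lengths from section 8.3.2, in bits.
MIN_KEY_BITS = {"AES": 256, "TDES": 128}


def generate_component(key_bits: int) -> bytes:
    """One custodian's clear-text component, drawn from the OS CSPRNG."""
    if key_bits % 8:
        raise ValueError("key length must be a whole number of bytes")
    return secrets.token_bytes(key_bits // 8)


def combine_components(components: list[bytes]) -> bytes:
    """XOR all components into the data-encrypting key (dual control: >= 2)."""
    if len(components) < 2:
        raise ValueError("dual control requires at least two custodians")
    if len({len(c) for c in components}) != 1:
        raise ValueError("all components must be the same length")
    return bytes(reduce(int.__xor__, column) for column in zip(*components))


def key_check_value(key: bytes) -> str:
    """Fingerprint custodians compare to confirm the same key was loaded
    on each system, without the key itself being disclosed (assumed method:
    truncated SHA-256)."""
    return hashlib.sha256(key).hexdigest()[:6]


def meets_minimum(algorithm: str, key: bytes) -> bool:
    return len(key) * 8 >= MIN_KEY_BITS[algorithm]


def ceremony(algorithm: str = "AES", key_bits: int = 256, custodians: int = 2) -> dict:
    """Each custodian contributes one component; nobody sees the final key.

    Returns the components (each to be handed to its custodian only) and the
    KCV of the assembled key. The key itself is deliberately not returned; in
    practice it is loaded straight into the HSM or key store.
    """
    if custodians < 2:
        raise ValueError("dual control requires at least two custodians")
    components = [generate_component(key_bits) for _ in range(custodians)]
    key = combine_components(components)
    if not meets_minimum(algorithm, key):
        raise ValueError(f"{key_bits}-bit key is below the {algorithm} minimum")
    return {"components": components, "kcv": key_check_value(key)}


def split_knowledge_holds(components: list[bytes], key: bytes) -> bool:
    """Sanity check on a ceremony: no single component equals the key, and
    leaving any one component out does not reproduce the key."""
    for i, own in enumerate(components):
        others = components[:i] + components[i + 1:]
        partial = others[0] if len(others) == 1 else combine_components(others)
        if own == key or partial == key:
            return False
    return True


if __name__ == "__main__":
    result = ceremony(custodians=3)
    print("KCV:", result["kcv"])
    print("components held:", len(result["components"]))
```

The XOR combination is what gives the split-knowledge property: each component is uniformly random, so the key is uniformly random, and a custodian holding all but one component learns nothing about it. Clear-text components are what get sealed in the tamper-evident packaging described in 8.3.3; the KCV is the only value that may be written on the outside.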
8.3.3. Key Storage
All data encryption keys must be stored encrypted and in a secure location. Key encrypting keys must be stored separately from data-encrypting keys within all applicable programs.
Clear-text backups of encryption key components must be stored separately in tamper-evident packaging in a secure location.
8.3.4.Key Changes and Destruction
An encryption key change is a process of generating a new key, decrypting the current production data, and re-encrypting the confidential data with the new key. All data encryption keys must be changed regularly or when circumstances dictate a change to maintain encryption or key integrity. The following dictates when a key change is required:
▪ Regular Rotation: Keys must be changed at least every year.
▪ Suspicious Activity: This change is driven by any activity related to the key process, which raises concern regarding the security of the existing key.
▪ Resource Change: Keys must be changed if a resource with knowledge of the keys terminates employment or assumes a new job role that no longer requires access to an encryption process.
▪ Technical Requirement: Keys must be changed if the key in place has become questionable due to a technical issue such as corruption or instability.
Encryption keys no longer in service are to be disposed of in accordance with the process outlined in the Data Retention and Disposal Process.
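The following is an added illustration of the key-management controls in 8.3.1, 8.3.2 and 8.3.4; it is example code written for this edit, not a procedure or tool of PlusPlus. It assumes each custodian contributes an independently generated random component of the same length as the key, that the components are combined by XOR (so that fewer than all components reveal nothing about the key), and that a key change means decrypting every record under the retiring key and re-encrypting under the new one. The cipher used here is an HMAC-SHA256 counter-mode construction chosen only so the example runs with the Python standard library; a production system would use a vetted AEAD such as AES-GCM, which is the 256-bit AES the policy refers to.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32    # 256-bit data-encryption key, the AES minimum the policy sets
NONCE_LEN = 16
TAG_LEN = 32


def generate_component(length=KEY_LEN):
    """One custodian's clear-text key component, drawn from the OS CSPRNG."""
    return secrets.token_bytes(length)


def combine_components(components):
    """XOR the custodians' components into the working key.

    Any set of fewer than all components is statistically independent of the
    resulting key, so no single custodian can reconstruct it (split knowledge).
    Dual control is enforced by refusing fewer than two components.
    """
    components = list(components)
    if len(components) < 2:
        raise ValueError("dual control requires at least two custodians' components")
    key = bytes(KEY_LEN)
    for comp in components:
        if len(comp) != KEY_LEN:
            raise ValueError("component has the wrong length")
        key = bytes(a ^ b for a, b in zip(key, comp))
    return key


def key_check_value(key):
    """Short fingerprint custodians can compare to confirm they assembled the
    same key without exposing it (assumed convention: first 3 bytes of SHA-256)."""
    return hashlib.sha256(key).hexdigest()[:6]


def _subkeys(key):
    # Separate keys for the keystream and the MAC, derived from the working key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for a
    real block cipher so the example needs only the standard library)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag; the tag binds the record to this key."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first; a wrong key or a tampered record is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def rotate_key(old_key, new_key, records):
    """Key change as 8.3.4 defines it: decrypt each record under the retiring
    key and re-encrypt it under the new key. Records the old key cannot
    authenticate raise rather than being silently carried forward."""
    return [encrypt(new_key, decrypt(old_key, rec)) for rec in records]


if __name__ == "__main__":
    # Two custodians each generate a component; only the combined key encrypts.
    comps = [generate_component(), generate_component()]
    key = combine_components(comps)
    record = encrypt(key, b"constructed sample record")
    print("KCV of assembled key:", key_check_value(key))
    print("round trip ok:", decrypt(key, record) == b"constructed sample record")
```

After rotation, any record that still decrypts under the old key is a sign the re-encryption pass was incomplete, which is why the usage rejects old-key decryption of rotated records rather than treating it as harmless.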
8.4. Transmission over Un-trusted Networks
In order to maintain integrity, confidential and sensitive information must be encrypted during transmission over networks in which it is easy and common for the data to be intercepted, modified or diverted. Examples of acceptable strong encryption include:
o Transport Layer Security (TLS) v1.2 or higher
o Internet Protocol Security (IPSEC)
8.4.1. Email Transmission of Confidential Information
Confidential and sensitive information is never to be sent unencrypted through end-user messaging technologies such as e-mail, instant messaging, or chat. Employees with a valid business justification for sending confidential or sensitive information via any of these technologies must be issued a strong encryption solution by the CTO.
8.4.2. Encryption of Wireless Networks
All wireless networks in use at Company facilities must be protected through secure data encryption such as WiFi Protected Access (WPA or WPA2), IPSEC VPN, or SSL v3.0/TLS v1.2+. Under no circumstances should the encryption strength be configured to be less than 128 bits. Wired Equivalent Privacy (WEP) is a vulnerable technology and must never be used to protect wireless networks within the cardholder environment. If for any reason WPA or WPA2 encryption is not available, Company-approved VPN access must be used in concert with 128-bit or 256-bit WEP levels of encryption. Cellular data environments already maintain an equivalent level of elliptic curve encryption and do not require further levels of transport encryption, but do require VPN connectivity to internal networks.
8.4.3. Corporate WiFi Usage by Non-Employees
Instances exist where non-employees may require Internet access from within or around the Company. To support this need, the IT department has available a WiFi access point located outside the corporate firewall and directly connected to the Internet. All users seeking temporary access to this network must support a hardware address that can be registered and tracked, i.e., a MAC address, and users seeking access to this network must register their network cards’ physical MAC address with the IT Department prior to accessing this network. Time limitations will also be set for network access and will expire unless additional time to access the network is implicitly requested. The use of one-time tokens may be implemented at the discretion of the IT Department. Note: All data traffic on this WiFi network is unprotected and functions much as a public HotSpot access point. Users should take note and utilize security precautions as necessary.
9. Monitoring
PlusPlus utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. PlusPlus’s monitoring tools are implemented to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts.
PlusPlus monitors key operational metrics and alarms are configured to automatically notify operations and management personnel when early warning thresholds are crossed. An on-call schedule is used such that personnel are always available to respond to operational issues. This includes a pager system so alarms are quickly and reliably communicated to operations personnel.
9.1. Event Monitoring
Comprehensive auditing and monitoring initiatives for PlusPlus system components are to be implemented that effectively identify and capture the following events:
(1). All authentication and authorization activities by all users and their associated accounts, such as logon attempts (both successful and unsuccessful).
(2). Any creation, modification or deletion of various types of events and objects (i.e., operating system files, data files opened and closed and specific actions, such as reading, editing, deleting, printing).
(3). All actions undertaken by system administrators who have elevated privileges and access rights.
9.2. Configuration and Change Monitoring
Furthermore, the use of specialized software, such as File Integrity Monitoring (FIM), Host-based Intrusion Detection Systems (HIDS), and/or change detection software programs are to be implemented for monitoring PlusPlus system components as they provide the necessary capabilities for assisting in the capture of all the above-stated, required events. Additionally, configuration change monitoring tools are to be used to detect any file changes made within a specified system component, ranging from changes to commonly accessed files and folders, to more granular data, such as configuration files, executables, rules, and permissions. Changes made are to result in immediate alerts being generated with appropriate personnel being notified. Moreover, these tools capture and forward all events in real time, which mitigates a weakness of native logging facilities: users with elevated privileges on a system component can disable or modify the native logging service and alter its output.
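As an added illustration of the change-detection capability described in 9.2 (example code written for this edit, not a PlusPlus tool or a vendor FIM product): a baseline records, for every regular file under a monitored path, its SHA-256 content hash together with the size and permission bits, and a later scan is compared against that baseline to produce added, removed and modified alerts. The scenario in `demo()` is constructed in a scratch directory; the file names and the choice of SHA-256 are assumptions of this example, and a real deployment would store the baseline off-host so that a privileged user on the monitored system cannot rewrite it.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

CHUNK = 65536


def fingerprint(path):
    """Content hash plus the metadata a FIM tool watches (size, permission bits)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    st = path.lstat()
    return {"sha256": digest.hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Map of relative POSIX path -> fingerprint for every regular file under root.
    Symlinks are skipped so a link pointing elsewhere cannot mask a change."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and not p.is_symlink()}


def compare_baselines(old, new):
    """Diff two baselines; 'modified' lists which recorded fields differ."""
    changes = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            changes["added"].append(rel)
        elif rel not in new:
            changes["removed"].append(rel)
        else:
            fields = [f for f in ("sha256", "size", "mode") if old[rel][f] != new[rel][f]]
            if fields:
                changes["modified"].append((rel, fields))
    return changes


def format_alerts(changes):
    """One alert line per change, ready to forward to the log server."""
    lines = [f"ALERT added: {rel}" for rel in changes["added"]]
    lines += [f"ALERT removed: {rel}" for rel in changes["removed"]]
    lines += [f"ALERT modified ({', '.join(fields)}): {rel}" for rel, fields in changes["modified"]]
    return lines


def demo():
    """Constructed scenario: between two scans a config file is edited without
    changing its size, an executable is replaced, a file is removed and a new
    script appears. Returns the change set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin" / "agent").write_bytes(b"\x7fELF\x00\x01")
        (root / "old.log").write_text("rotate me\n")
        before = build_baseline(root)

        (root / "etc" / "app.conf").write_text("debug=true \n")        # same size, new hash
        (root / "bin" / "agent").write_bytes(b"\x7fELF\x00\x01\x02\x03")  # size and hash
        (root / "old.log").unlink()
        (root / "bin" / "new-script.sh").write_text("#!/bin/sh\n")
        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    for line in format_alerts(demo()):
        print(line)
```

Hashing catches the same-size edit to `app.conf` that a size-only or timestamp-only check would miss, which is the reason content hashes rather than metadata alone form the baseline.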
9.3. Performance and Utilization Monitoring
Additional measures are to be employed for ensuring that PlusPlus system components – such as servers – are actively being monitored for all necessary performance and utilization measures, such as the following:
o CPU Utilization – Identifies current, real-time capacity of the CPU, and provides alerting and notification measures regarding capacity limits along with underutilization metrics.
o Memory Utilization – Identifies current, real-time memory usage and provides alerting and notification measures if memory usage is high and/or if memory availability is low.
o Disk Utilization – Identifies current, real-time disk space and provides alerting and notification measures if disk space is low.
o Process Monitoring – Monitors all critical processes and provides alerting and notification measures when processes fail.
o Network Interface Monitoring – Monitors the overall health and status of the network interface.
9.4. Logging and Reporting
Along with capturing all necessary events as described in “Event Monitoring”, effective protocols and supporting measures are to be implemented for ensuring all required events and their associated attributes are logged, recorded, and reviewed as necessary. Additionally, all applicable elevated permissions (those for administrators) along with general access rights permissions (those for end-users) to PlusPlus system components are to be reviewed on a quarterly basis by an authority that is independent from all known users (e.g., end-users, administrators) and who also has the ability to understand, interpret, and ultimately identify any issues or concerns from the related output (e.g., log reports and other supporting data). The specified authority reviewing the logs is to determine what constitutes any “issues or concerns,” and to report them immediately to appropriate personnel.
Moreover, protocols such as Syslog and other capturing and forwarding protocols and/or technology, such as specialized software applications, are to be used as necessary, along with employing security measures that protect the confidentiality, integrity, and availability (CIA) of the audit trails and their respective log reports (i.e., audit records) that are produced. Additionally, all audit records are to be stored on an external log server (i.e., a centralized Syslog server or similar platform) that is physically separated from the original data source, along with employing effective backup and archival procedures for the log server itself. All logs are maintained for a minimum of 12 months from the time of event or logging, except where prohibited or otherwise required by applicable law. These measures allow PlusPlus to secure the audit records as required for various legal and regulatory compliance mandates, along with conducting forensic investigative procedures if necessary.
PlusPlus uses for ongoing logging and log reviews across the enterprise. Any anomalies such as unauthorized configuration changes present in the logs are escalated in accordance with the Incident Management Policy.
10. POLICY ADMINISTRATION
10.1. Ownership and Review
The Policy Owner owns this Policy and is responsible for reviewing the Policy for updates annually, or following any major changes to PlusPlus’s sensitive data environment. The Policy Approver retains approving authority over this Policy.
10.2. Monitoring and Enforcement
PlusPlus periodically monitors adherence to this Policy to help ensure compliance with applicable laws, requirements, and contractual agreements that apply to Client & Consumer Data. PlusPlus may also establish enforcement mechanisms, including disciplinary actions, to help ensure compliance with this Policy.
Last reviewed on 12/4/2023 by Tomomi Menjo