Server Security Policy

This Policy establishes principles for the base configuration of server equipment that is owned and/or operated by Corporate Group.

Scope

This Policy applies to:

  • Servers that are connected to the Corporate Group internal network.

  • Servers that are operated for or on behalf of Corporate Group regardless of which network they are connected to.

General Requirements

  • All servers deployed must be owned by an Operational Team that is responsible for system administration.

  • An approved Server Configuration Hardening Standard must be established and maintained by each Operational Team, based on business needs and approved by the Information Security Team.

  • Operational Teams should monitor configuration compliance and implement an exception policy tailored to their environment.

  • Each Operational Team must establish a process for changing the configuration guides, which includes review and approval by the Information Security Team.

  • Servers must be registered within the Information Asset Register.

  • Information in the Information Asset Register must be kept up to date.

  • Configuration changes for production servers must follow Change Management Policy.

  • The Information Security Team must regularly scan servers to detect vulnerabilities and must communicate the resulting vulnerability assessments to the Information Asset Owner and the Operational Team.

  • Configuration Requirements:

    1. Operating system configuration must be in accordance with the approved Information Security Requirements Standard and Server Configuration Hardening Standard.

    2. The server's operating system and other software must be configured to prevent security weaknesses, both at initial deployment and on an ongoing basis.

    3. Services and applications that will not be used must be disabled, where practical.

    4. Access to services should be logged and/or protected through access-control methods such as a web application firewall, where possible.

    5. Critical security patches must be applied within 30 days of release by the vendor; the only exception is when immediate application would interfere with business requirements.

    6. The server runs only the network services, protocols and ports that are necessary to achieve its business purpose.

    7. A trust relationship is not used when another method of communication is sufficient.

    8. The standard security principle of least privilege (the minimum access required to perform a function) is applied; for example, the root account is not used when a non-privileged account will do.

    9. Where a secure channel is available (i.e., technically feasible), privileged access must be performed over that secure channel (e.g., encrypted network connections using SSH or IPsec).

    10. Servers should be physically located in an access-controlled environment.

    11. Servers are specifically prohibited from operating from uncontrolled cubicle areas.

  • Only applications necessary to achieve the server's business purpose are installed, and only in accordance with the approved Allowed Server Application List.

Monitoring

  • Application and operating system audit and event logs are configured and maintained in a useful state. For important servers, the logs are monitored both automatically and manually.

  • All authentication, account management and group management events must be logged.

  • These logs must be retained for a minimum of 6 months.

  • Effective logging includes the following:

    1. The server system clock is kept accurate and synchronized.

    2. Log entries include date, time, source and destination addresses and other useful information.

    3. Storage space is sufficient to meet retention requirements.

    4. Logs are rotated and retained as required.

    5. System auditing and event logging must be configured according to the Information Security Requirements Standard.

  • Security-related events will be reported to the Information Security Team, who will review logs.

Standard Compliance

Any exception to the Policy must be approved by the Information Security Team in advance.

Review and Update

This Policy must be maintained in accordance with the Information Security Policy.

Revision History

Version | Author | Approved By | Revision date | Approval date
0.1     | GK     |             | 2023-05-20    | 2023-05-23
0.2     | DM     |             | 2023-11-02    | 2023-11-02
0.3     | GK     | DM          | 2024-09-10    | 2024-09-10

Last updated