Ensono, LP Information Security Policy
January 20, 2016
© 2016 Ensono, LP. All Rights Reserved.
Document Version Control
Data Classification: Internal Use Only
Intended Distribution: All Ensono, LP Associates and authorized business partners
Issue Date: January 20, 2016
Revision: FINAL v1.0
Last Revision Date: Initial Release
Approved By: Ensono Security Director
REVIEW HISTORY
VERSION NUMBER | DATE | REVIEWED BY
DRAFT v1.1 | January 19, 2016 | HR; Legal; Audit and Compliance
APPROVAL HISTORY
VERSION NUMBER | DATE | APPROVED BY | TITLE
DRAFT v1.1 | December 18, 2015 | Peter Bazil | Chief Legal Officer & Corporate Secretary
DRAFT v1.1 | January 6, 2016 | Jens Teagan | Chief Financial Officer
DRAFT v1.1 | January 7, 2016 | Jeff Von Deylen | Chief Executive Officer
DRAFT v1.1 | January 8, 2016 | Brian Klingbeil | Chief Operating Officer
FINAL v1.0 | January 20, 2016 | Elizabeth Martin | Director, Security
REVISION HISTORY
VERSION NUMBER | DATE | CHANGES MADE | MADE BY
FINAL v1.0 | January 20, 2016 | N/A – Initial Release | Elizabeth Martin
Support Information
INFORMATION SECURITY POLICY SUPPORT
Contact Ensono Security (E-SEC) for Information Security support:
Legal Notices
COPYRIGHT
Copyright 2016 by Ensono, LP. All rights reserved.
Reproduction of all or any portion of this document without the prior written consent of Ensono, LP is expressly
prohibited.
Users may copy this document only for the express purpose(s) for which the product(s) were designed. Any and all
copies of the materials must contain appropriate Ensono copyright statements and acknowledgments.
TABLE OF CONTENTS
1 Information Security Policy ..................................................................... 12
1.1 Purpose .................................................................................................................... 12
1.2 Scope ....................................................................................................................... 12
1.3 Policy Communication .............................................................................................. 13
1.3.1 Creation and Distribution .............................................................................................................. 13
1.3.2 Security Communication and Training ........................................................................................... 13
1.3.3 Enforcement and Compliance ....................................................................................................... 14
1.3.4 Review, Update, and Maintenance................................................................................................ 14
1.3.5 Exception Request Process ............................................................................................................ 14
2 Organizational Security ........................................................................... 16
2.1 Organizational Security Objectives ........................................................................... 16
2.2 Information Security Governance ............................................................................. 16
2.3 Roles and Responsibilities ........................................................................................ 16
2.3.1 Executive Leadership ..................................................................................................................... 16
2.3.2 Risk Management Committee ....................................................................................................... 17
2.3.3 Information Owners ....................................................................................................................... 17
2.3.4 Audit & Compliance ....................................................................................................................... 18
2.3.5 Security Director ............................................................................................................................ 18
2.3.6 Ensono Security (E-SEC) ................................................................................................................. 19
2.3.7 Physical Security............................................................................................................................. 19
2.3.8 Legal Organization ......................................................................................................................... 19
2.3.9 Human Resources Organization (HR) ............................................................................................. 20
2.3.10 Chief Technology Office (CTO) ................................................................................................... 21
2.3.11 Ensono Service Operations ........................................................................................................ 21
2.3.12 Enterprise Operations Center (EOC) .......................................................................................... 22
2.3.13 End Users ................................................................................................................................... 22
2.4 Authorization Process for New Information Assets ................................................... 22
2.5 Cooperation between Organizations ......................................................................... 23
2.6 Independent Review of Information Security ............................................................ 23
2.7 Security Requirements for Third Party Access ........................................................... 23
2.7.1 Requirements in Third Party Contracts.......................................................................................... 23
2.7.2 Requirements for Outsourcing to 3rd Parties ................................................................................. 23
2.7.3 Requirements for Ensono Delivered Services ................................................................................ 24
2.7.4 Confidentiality Agreements for Non-Employees ........................................................................... 24
3 Acceptable Use Policy ............................................................................. 25
3.1 General Acceptable Use Policy .................................................................................. 25
3.2 Electronic Communications and Online Systems Acceptable Use Policy ..................... 25
3.3 Workstation Acceptable Use Policy ........................................................................... 26
3.4 Authorized Use Banner ............................................................................................. 27
4 Access Control ......................................................................................... 28
4.1 Access Control Objectives ......................................................................................... 28
4.2 User Access Controls ................................................................................................ 28
4.2.1 General Requirements for User Access ......................................................................................... 28
4.2.2 General Requirements for Account Registration ........................................................................... 29
4.2.3 Requirements for User Account Creation ...................................................................................... 29
4.2.4 Management of User Accounts and Access ................................................................................... 29
4.2.5 Requirements for Privileged Access .............................................................................................. 30
4.2.6 Review of User Access ................................................................................................................... 31
4.2.7 User Account Lock-Out and Suspension ........................................................................................ 31
4.2.8 Suspension of Active Accounts ...................................................................................................... 31
4.2.9 User Account Termination ............................................................................................................. 31
4.3 User Conduct Policy .................................................................................................. 32
4.3.1 User Responsibilities ...................................................................................................................... 32
4.3.2 Prohibition against Harassment ..................................................................................................... 33
4.3.3 Restriction on Possession or Solicitation of Non-Public Data ........................................................ 33
4.4 Password Policy ....................................................................................................... 33
4.5 Concurrent Sessions and Session Timeouts ............................................................... 33
4.5.1 Session Timeout ............................................................................................................................. 33
4.5.2 Concurrent Sessions ....................................................................................................................... 34
4.6 Auditing and Logging Standard ................................................................................. 34
4.6.1 Activity Logs and Audit Trails ......................................................................................................... 34
4.6.2 Clock Synchronization .................................................................................................................... 34
4.6.3 Architecture for Logging Activities ................................................................................................. 34
4.6.4 Backup, Archive, and Protection .................................................................................................... 35
4.6.5 Deactivation, Modification, or Deletion ........................................................................................ 35
4.6.6 Activity Auditing ............................................................................................................................. 35
4.6.7 Incident Reporting and Notification .............................................................................................. 36
4.7 Mobile Computing .................................................................................................... 36
4.7.1 Modems, Remote Access Devices, and Remote Access Software ................................................. 36
4.7.2 Remote Access ............................................................................................................................... 36
4.7.3 Mobile Devices ............................................................................................................................... 36
5 Asset Classification and Control .............................................................. 37
5.1 Asset Classification and Control Objectives ............................................................... 37
5.2 Accountability for Assets .......................................................................................... 37
5.2.1 Inventory of Assets ........................................................................................................................ 37
5.2.2 Documentation .............................................................................................................................. 37
5.2.3 Hardware Assets ............................................................................................................................ 37
5.2.4 Software Assets .............................................................................................................................. 38
5.3 Information Classification ......................................................................................... 38
5.3.1 Ensono’s Classification Levels ........................................................................................................ 38
5.3.2 Ensono’s Classification Guidelines ................................................................................................. 39
5.3.3 Classification and Release of Security Related Documentation .................................................... 39
5.4 Information Labeling ................................................................................................ 40
5.4.1 General Labeling Requirements ..................................................................................................... 40
5.5 Information Handling ............................................................................................... 40
5.5.1 General Controls ............................................................................................................................ 40
5.5.2 Reproduction ................................................................................................................................. 41
5.5.3 Remote Printing ............................................................................................................................. 41
5.5.4 Storage ........................................................................................................................................... 41
5.5.5 Transport ........................................................................................................................................ 41
5.5.6 Electronic Transmission ................................................................................................................. 42
5.5.7 Verbal Communication .................................................................................................................. 42
5.5.8 Destruction .................................................................................................................................... 42
6 Communications and Operations Management ...................................... 44
6.1 Communications and Operations Management Objectives ....................................... 44
6.2 Operational Procedures and Responsibilities ............................................................ 44
6.2.1 General Controls ............................................................................................................................ 44
6.2.2 Documented Operating Procedures .............................................................................................. 44
6.2.3 Change Management ..................................................................................................................... 45
6.2.4 Security Incident Management ...................................................................................................... 45
6.2.5 Segregation of Duties ..................................................................................................................... 45
6.2.6 Separation of Development and Production Environments .......................................................... 45
6.3 System Planning and Acceptance .............................................................................. 46
6.3.1 Capacity Planning ........................................................................................................................... 46
6.3.2 System Acceptance ........................................................................................................................ 46
6.4 Protection against Malicious Software ...................................................................... 46
6.4.1 Controls against Malicious Code .................................................................................................... 46
6.4.2 Malware Protection Policy ............................................................................................................. 47
6.4.3 Vulnerability Management Program ............................................................................................. 48
6.4.4 Configuration and Patch Management Policy ............................................................................... 51
6.4.5 Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) .......................................... 51
6.5 Backup and Restoration ........................................................................................... 52
6.5.1 Information Backup ....................................................................................................................... 52
6.6 Media Handling and Security .................................................................................... 52
6.6.1 Management of Removable Computer Media .............................................................................. 52
6.6.2 Disposal of Media .......................................................................................................................... 53
6.6.3 Security of System Documentation ............................................................................................... 53
6.7 Network Security and Management ......................................................................... 53
6.7.1 Restriction on Physical Access to Ensono’s Network ..................................................................... 53
6.7.2 Requirements for the Security of Ensono’s Network .................................................................... 53
6.7.3 Requirements for Network Management ..................................................................................... 54
6.7.4 Network Firewall Standard ............................................................................................................ 54
6.7.5 Router and Switch Security Standards ........................................................................................... 57
6.7.6 Wi-Fi Networks and Devices .......................................................................................................... 57
6.7.7 Remote Access Standard ............................................................................................................... 58
6.8 System Configurations .............................................................................................. 59
6.8.1 Server and Mainframe Security Standard ...................................................................................... 59
6.8.2 Workstation Security Standard ...................................................................................................... 61
6.8.3 Email Standard ............................................................................................................................... 62
6.9 Exchanges of Information and Software ................................................................... 63
6.9.1 Information Confidentiality ........................................................................................................... 63
6.9.2 Information Reliability ................................................................................................................... 64
6.9.3 Public Representation .................................................................................................................... 64
7 Firewall General Security Controls .......................................................... 66
7.1.2 Router and Switch Security Standards ........................................................................................... 68
7.1.3 Wi-Fi Networks and Devices .......................................................................................................... 68
7.1.4 Remote Access Standard ............................................................................................................... 69
7.2 System Configurations .............................................................................................. 70
7.2.1 Server and Mainframe Security Standard ...................................................................................... 70
7.2.2 Workstation Security Standard ...................................................................................................... 72
7.2.3 Email Standard ............................................................................................................................... 73
7.3 Exchanges of Information and Software ................................................................... 74
7.3.1 Information Confidentiality ........................................................................................................... 74
7.3.2 Information Reliability ................................................................................................................... 75
7.3.3 Public Representation .................................................................................................................... 75
8 Personnel Security .................................................................................. 77
8.1 Personnel Security Objectives ................................................................................... 77
8.2 Security Included in Job Roles ................................................................................... 77
8.2.1 Including Security in Job Role Definition ....................................................................................... 77
8.2.2 Personnel Screening Policy ............................................................................................................ 77
8.2.3 Terms and Conditions of Employment .......................................................................................... 77
8.3 Personnel Education, Training, and Awareness ......................................................... 77
8.3.1 Security Training and Awareness ................................................................................................... 77
8.4 Responding to Security Incidents .............................................................................. 78
8.4.1 Security Incident Handling Priorities ............................................................................................. 78
8.4.2 Security Incident Reporting ........................................................................................................... 78
8.4.3 Security Incident Response Procedures ......................................................................................... 78
8.4.4 Reportable Information Security Incidents Standard .................................................................... 78
8.4.5 Security Incident Information Retention and Classification .......................................................... 80
8.5 Problem Management .............................................................................................. 80
8.5.1 Reporting Software Malfunctions .................................................................................................. 80
9 Application Development and Maintenance ........................................... 81
9.1 Application Development and Maintenance Objectives ............................................ 81
9.2 Security Inclusion in Application Development ......................................................... 81
9.2.1 Application Development General Security Controls .................................................................... 81
9.2.2 Application Development Design and Planning ............................................................................. 81
9.2.3 Creation of New Security Architecture or Design .......................................................................... 81
9.3 Software Coding and Testing Requirements .............................................................. 81
9.3.1 Input Data Validation ..................................................................................................................... 81
9.3.2 Control of Internal Processing ....................................................................................................... 82
9.3.3 Output Data Validation .................................................................................................................. 82
9.4 Cryptographic Controls ............................................................................................. 82
9.4.1 Key Management ........................................................................................................................... 82
9.4.2 Encryption ...................................................................................................................................... 83
9.5 Security of System Files ............................................................................................ 83
9.5.1 Control of Operational Software ................................................................................................... 83
9.5.2 Protection of System Test Data ..................................................................................................... 84
9.5.3 Access Control to Program Source Library .................................................................................... 84
9.6 Security in Development and Support Processes ....................................................... 84
9.6.1 Change Control Procedures ........................................................................................................... 84
9.6.2 Technical Review of Operating System Changes ........................................................................... 85
9.6.3 Covert Channels and Trojan Code ................................................................................................. 85
10 Business Continuity/Disaster Recovery (BC/DR) ...................................... 87
10.1 Business Continuity/Disaster Recovery Objectives .................................................... 87
10.2 BC/DR Management Oversight ................................................................................. 87
10.2.1 BC/DR Management Controls ................................................................................................... 87
11 Physical and Environmental Security ....................................................... 88
11.1 Physical and Environmental Security Objectives ....................................................... 88
11.2 Physical Security General Controls ............................................................................ 88
11.2.1 General Physical Security Notification ...................................................................................... 88
11.2.2 Clean Desk Policy ....................................................................................................................... 88
11.2.3 Removal of Property .................................................................................................................. 89
11.3 Secure Areas ............................................................................................................ 89
11.3.1 Physical Security Perimeter ....................................................................................................... 89
11.3.2 Physical Entry Controls .............................................................................................................. 89
11.3.3 Securing Offices, Rooms and Facilities ...................................................................................... 89
11.3.4 Working in Secure Areas ........................................................................................................... 90
11.4 Equipment Security .................................................................................................. 90
11.4.1 Equipment Protection ............................................................................................................... 90
11.4.2 Power Supplies .......................................................................................................................... 90
11.4.3 Cabling Security ......................................................................................................................... 90
11.4.4 Security of Offsite Equipment ................................................................................................... 90
11.4.5 Secure Disposal or Re-use of Equipment................................................................................... 91
12 Compliance ............................................................................................. 92
12.1 Compliance Objectives ............................................................................................. 92
12.2 Compliance with Legal Requirements and Ensono Policy .......................................... 92
12.2.1 Identification of Applicable Legislation ..................................................................................... 92
12.2.2 Intellectual Property Rights ....................................................................................................... 92
12.2.3 Safeguarding of Organizational Records ................................................................................... 92
12.2.4 Legal Conflicts ............................................................................................................................ 92
12.2.5 Prevention of Misuse of Information Assets ............................................................................. 92
12.2.6 Collection of Evidence ............................................................................................................... 93
12.2.7 Reviews of Security Policy Compliance ..................................................................................... 93
12.3 System Audit Considerations .................................................................................... 93
12.3.1 System Audit Controls ............................................................................................................... 93
12.3.2 Protection and Use of System Audit Tools ................................................................................ 93
1 Information Security Policy
1.1 PURPOSE
This document, along with any subordinate policies, standards, procedures, and guidelines (collectively, the
Ensono, LP (Ensono) Information Security Policy (ISP)), establishes a risk-oriented Information Security governance
framework through which comprehensive confidentiality, integrity, and availability controls are defined for the
protection of information, systems, and solutions owned or managed by Ensono.
Given Ensono’s business model, this policy represents the objectives of a new security program to be
implemented as the Ensono business matures following the significant event of the acquisition of Ensono’s
business.
The Information Security Policy is provided to outline those controls Ensono feels should be present in an
appropriately secured environment. To be effective, an Information Security governance program must be a team
effort involving the participation and support of Ensono users at all levels and locations within the organization. It
is the intent of the ISP to define the means by which Ensono can effectively identify and respond to a variety of
threats to information and information resources. These threats include unauthorized access, disclosure,
duplication, modification, appropriation, destruction, loss, misuse, and denial of service.
The ISP outlines Ensono’s directives for Information Security. These directives include:
Communicating expectations concerning Information Security to members of Ensono’s board and all
employees, contractors, consultants, clients, potential clients, vendors, business partners and other
users of information, systems, or solutions managed by Ensono.
Promoting Information Security awareness.
Establishing responsibility and accountability for overseeing Information Security issues.
Establishing a mechanism to notify the appropriate personnel in case of an Information Security
incident.
Establishing guidelines to assess security and protection techniques applied to information, systems,
and solutions.
Protecting Ensono’s information, systems, and solutions; as well as those entrusted to Ensono by
clients, by safeguarding its Confidentiality, Integrity, and Availability (CIA).
Establishing effective security controls designed to protect the organization’s information, systems,
or solutions from theft, abuse, misuse, or any other form of damage.
Encouraging employees at all levels within the company to maintain an appropriate level of
awareness, knowledge, and skill such that they can assist in minimizing the occurrence and severity of
Information Security incidents.
Ensuring that Ensono is able to continue its commercial activities in the event of significant
Information Security incidents.
Providing a suitable baseline that facilitates conformance with ISO 27002:2013 and other industry
recognized Information Security frameworks.
1.2 SCOPE
The scope of this document encompasses Ensono’s enterprise-wide Information Security management system
framework, which defines specific policies to protect the confidentiality, integrity, and availability of the company’s
information assets. The security domains include but are not limited to:
Organizational Security
Access Control
Asset Classification and Control
Communications and Operations Management
Personnel Security
Application Development and Maintenance
Business Continuity/Disaster Recovery Management
Physical and Environmental Security
Compliance
Internal Audit
This document applies to the following:
All users of Ensono’s information assets which may include, but are not limited to, employees,
contractors, consultants, clients, vendors, temporary personnel and business partners. These
individuals are collectively referred to as “users”
All users working at Ensono sites remotely or in any other situation where Ensono information or
information assets are used or accessed
All Ensono information assets including, but not limited to, computing devices, networks, telephones,
magnetic or optical media and paper regardless of the location, organizational unit, or controlling
entity where these information assets are being generated, created, accessed, viewed, processed,
stored, used, acquired, purchased, obtained, manipulated, modified, deleted, or disposed.
Ensono assets delivering client services in a multi-tenanted, shared resource manner.
This policy does not apply to dedicated client environments managed by Ensono, nor does it govern
the manner in which Ensono clients use Ensono assets. Dedicated client environments will be
governed by policies specified by the client.
1.3 POLICY COMMUNICATION
1.3.1 Creation and Distribution
Ensono’s Security Director has overall responsibility for the creation and distribution of the ISP.
The ISP is distributed for viewing by all associates and authorized third parties through Ensono’s
associate portal.
This document is classified INTERNAL USE ONLY. It is releasable to clients, customers, vendors, or
other individuals or organizations with a need-to-know that have executed a Non-Disclosure
Agreement.
1.3.2 Security Communication and Training
Associates are kept aware of policy changes via the following communication methods:
Emails
Intranet (e.g., Ensono’s associate portal)
Staff meetings
Annual security awareness training
Security awareness training is conducted for all associates at least annually, to ensure that all
personnel are aware of the importance of Information Security. New hires are required to
complete security awareness training within ten (10) business days of start date as part of the
required new hire training curriculum.
Ensono ensures that all authorized third parties covered by the ISP are familiar with its
requirements.
1.3.3 Enforcement and Compliance
Ensono’s Security Director maintains primary responsibility for enforcing compliance with the ISP
and any subordinate policies, standards, procedures. The Security Director may authorize specific
teams to assist in managing these responsibilities. To be effective, Information Security must be
supported by management and is a team effort involving the participation and support of every
user. All users of Ensono information assets are responsible for properly using the security
controls Ensono makes available including technical, administrative, or other appropriate
measures to protect information assets.
All users of Ensono information assets shall fully comply with this policy and all related security
documents. Users who are found in violation of policy are subject to disciplinary action up to and
including immediate termination of employment, or immediate termination of client, partner,
and/or vendor relationship.
1.3.4 Review, Update, and Maintenance
Ensono’s Security Director, as set forth within Ensono’s Security Charter, is responsible for
maintaining the ISP as necessary to ensure Ensono’s security practices contain the controls
required to offset new security threats and vulnerabilities as they arise. The ISP is reviewed and
approved at least annually by the Executive Leadership and the Risk Management Committee.
The ISP is considered a living document and as such is subject to changes and modifications,
with or without notification, as necessary to protect Ensono business objectives. When business
requirements require a policy change within the ISP, users are encouraged to request the
change by contacting the Ensono Security team (E-SEC) via email at [email protected].
1.3.5 Exception Request Process
As necessary for business continuity, Ensono allows for exceptions to the ISP or subordinate
policies, standards, and procedures.
Exceptions are a deviation from Ensono’s identified security stance and are granted with the
expectation that the requesting party will expeditiously devise and implement a solution that
allows for a return to normal security operations. Exceptions should be submitted to E-SEC by
sending the request via email to [email protected].
Exception requests can be granted up to a maximum of one year. Failure to abide by the
documented Exception Request is considered a security violation and may be subject to
disciplinary action up to and including immediate termination of employment or immediate
termination of client, partner, and/or vendor relationship.
2 Organizational Security
2.1 ORGANIZATIONAL SECURITY OBJECTIVES
To identify and document specific roles and responsibilities to ensure that Information Security is
consistently reinforced throughout Ensono and that security controls are successfully implemented.
To provide guidance for cooperation with external entities.
To ensure proper authorization for integration of new assets into Ensono’s environment.
To ensure adequate security of information and information assets when accessed and used by third
parties.
To maintain the security of information when outsourced to another organization.
2.2 INFORMATION SECURITY GOVERNANCE
The ISP provides governance and structure for Ensono as it relates to all Information Security. This document takes
precedence over documentation of similar content and has the following objectives:
To protect Ensono’s information and information assets against accidental or deliberate modification
or destruction through the use of a continuous program of risk assessment and management.
To prevent the unauthorized (accidental or deliberate) disclosure, misuse, or misappropriation of
information.
To detect unauthorized access or misuse of information and information assets.
To perform damage assessments in a timely and accurate manner following the detection of
unauthorized disclosure of information or the unauthorized penetration or misuse of information
assets.
To identify, report and correct vulnerabilities and exposures within Ensono’s information assets.
To identify and document specific roles and responsibilities to ensure that Information Security is
consistently reinforced throughout Ensono and that security controls are successfully implemented.
2.3 ROLES AND RESPONSIBILITIES
This section outlines the primary roles within Ensono’s Information Security framework as well as the
responsibilities and expectations associated with these roles.
2.3.1 Executive Leadership
Ensono’s Executive Leadership fulfills the following responsibilities:
Establish accountability for Information Security and Enterprise Risk Management within the
Ensono organization
Define and communicate the overall vision, direction, and business objectives necessary for
the organization to be successful
Maintain strategic responsibility, knowledge, and awareness of the risk posture of Ensono’s
business
Provide continuous and visible support of the organization’s Information Security program
Maintain accountability to the Ensono Board of Directors for overall risk to the Ensono
business; provide Risk Management reports to the Board of Directors quarterly or as
required by the Board of Directors
2.3.2 Risk Management Committee
Ensono’s Risk Management Committee fulfills the following responsibilities:
Provide on-going oversight of permissible risk for all business engagements
Provide guidance, oversight, education, and consultative services to those teams chartered
with limiting risk within Ensono
Oversee the quarterly Risk Management reporting process and where appropriate report
risks to Executive Leadership
Oversee implementation and maintenance of the Enterprise Risk Management Program
Require quarterly reporting of Information Security related risks from the Security and
Compliance teams
The Risk Management Committee will be chaired by the following positions:
Security Director
Sr. Manager, Audit & Compliance
The Risk Management Committee participants will include functional areas such as Legal,
Human Resources, Service Operations, and other teams as appropriate.
2.3.3 Information Owners
Information Owners are the identified and authorized individuals that have been tasked by
Ensono’s Senior Management with the responsibility for controlling the production,
development, maintenance, use, and security of information, systems, and solutions.
Information Owners fulfill the following responsibilities:
Serve as the business owner for the data being supported by all systems and solutions under
their purview
Assist in providing compliance with this policy for their designated area of responsibility
Assist Security and Ensono Service Operations teams in implementing relevant security
controls purposed to minimize identified risk to their information, systems, and solutions,
and Ensono’s business objectives.
Participate in the Security Incident Response Plan and act as liaison to all relevant Ensono
teams or third parties
Fulfill the role of primary point of contact for all information, systems, and solutions within
their purview
Identify and document classifications for all information within their purview.
Identify and document the criticality of systems and solutions to support business objectives
Define roles and responsibilities for access to information, systems, and solutions.
Authorize user access to information, systems, and solutions
Identify and document all processes required to support business objectives
Collaborate with Ensono Service Operations teams to ensure that systems and solutions
meet or exceed requirements outlined with the ISP
Designate a backup Information Owner in the event the primary is unavailable.
Assist Ensono Operations teams in reviewing user access to systems and solutions on at least
a quarterly basis
Assist in improving Ensono’s Information Security governance framework through feedback
to Security
Recommend policy and control enhancements to Security
Participate in the Risk Management Committee as requested
Participate in the Security Incident Response Plan as requested
2.3.4 Audit & Compliance
Ensono’s Audit & Compliance function is responsible for overseeing the implementation and
enforcement of all governance requirements. They are responsible for the following:
Contribute to the Enterprise Risk Management Program and chair the Risk Management
Committee
Conduct regular oversight activities to ensure all security controls are reasonable, effective,
and enforced where appropriate
Assist operational and technical teams in interpreting security compliance requirements
Communicate necessary enhancements to the ISP as a result of policy review or legislative
and regulatory changes
Facilitate the execution of both internal and external audits of Ensono controls and
processes
Facilitate the execution of Ensono customer audits and security assessments
Develop and communicate an audit schedule in advance to ensure participation by all
affected areas
Maintain a separation of duties from Ensono operations and Security teams
Determine the appropriate scope and objectives of internal audits covering risk areas as
identified in a prioritized approach based on the Risk Committee’s direction
Conduct internal audits of Ensono’s security and controls and report audit results to
management
Perform review of new/revised processes and provide input on audit controls
2.3.5 Security Director
Ensono’s Security Director manages the Security organization. The Security Director fulfills the
following responsibilities:
Contributes to the Enterprise Risk Management Program and chairs the Risk Management
Committee
Defines Ensono’s Information Security governance framework
Maintains the primary responsibility for enforcing compliance with the ISP, Information
Security governance framework and any subordinate policies, standards, procedures
Serves as custodian of the ISP facilitating approval from Executive Leadership and the Risk
Management Committee, or acts as delegated approver
Identifies those security requirements necessary to effectively limit the risk associated with
the identified business objectives as defined by Ensono’s executives and senior management
Provides oversight of the Ensono Information Security Program
Provides oversight of Information Security threat monitoring, management, and response
activities
Approves all ISP Exception Requests
2.3.6 Ensono Security (E-SEC)
The Ensono Security team (E-SEC) is the Security Director’s organizational unit that is comprised
of various security focused teams. Security staff members have the general responsibilities of
managing risks and Information Security at Ensono, the specifics of which vary by team, scope of
work, and area of expertise. These responsibilities may include, but are not limited to, the
following:
E-SEC will continuously update protection mechanisms and technologies to provide Ensono
the highest degree of service and protection.
Identify and assess risks that are associated with business objectives as defined by Ensono’s
corporate executives and senior management
Determine the risk management requirements necessary to effectively limit, mitigate,
monitor, and/or control identified risks in a way that aligns with and supports the associated
business objectives
Ensure that the selected risk management requirements are implemented and used
appropriately
Perform Information Security related threat monitoring, management, and response
activities
Assist the Security Director in identifying those security requirements necessary to
effectively limit the risk associated with the identified business objectives as defined by
Ensono’s corporate executives and senior management
Manage and facilitate all ISP Exception Requests
Maintain the Ensono Information Security Policy (ISP), as the foundation of Ensono’s
Information Security governance framework and any subordinate policies, standards,
procedures
Provide interpretation of the ISP and the Information Security governance framework when
necessary
Provide general information for security training, education, and awareness
Provide definitions for Information Security classifications
Provide management of the Security Incident Response Team (SIRT).
Act as the primary contact for and lead all investigative activities.
2.3.7 Physical Security
Ensono’s Physical Security provides protection oversight and implementation of physical
safeguards within Ensono’s facilities. Physical Security fulfills the following responsibilities:
Define, enforce, and monitor compliance with identified physical safeguards
Define, maintain, and monitor all video surveillance, card readers, biometric controls, and
building access
Collaborate with E-SEC to develop, implement, and monitor a comprehensive security
education, training, and awareness program
Participate in the Risk Management Committee as requested
Participate in the Incident Response Program as requested
2.3.8 Legal Organization
Ensono’s Legal Organization fulfills the following responsibilities:
Protect Ensono’s intellectual property rights such as copyrights and patents
Advise Security regarding legal matters
Communicate necessary enhancements to the ISP as a result of policy review and legal,
regulatory, or contractual changes
Serve as Privacy Officer and maintain and enforce privacy policies in accordance with legal,
regulatory, and contractual requirements
Counsel Ensono account management and delivery teams on customer contractual
obligations
Review, amend and approve all customer and vendor contracts
Participate in the Risk Management Committee as requested
Participate in the Incident Response Program as requested
2.3.9 Human Resources Organization (HR)
Ensono’s HR organization fulfills the following responsibilities:
Inform all employees, contractors and third party users of their Information Security roles
and responsibilities, prior to granting access to sensitive information or information systems
Ensure all employees, contractors and third parties are provided with guidelines/rules that
state the security expectations of their roles within the organization
Achieve an appropriate level of awareness of security controls among all employees,
contractors and third parties, relevant to their roles and responsibilities
Assure conformity to the terms and conditions of employment related to privacy and
security
Motivate adherence to the privacy and security policies of the organization, such as with an
appropriate sanctions policy
Mitigate the risks of a failure to adhere to policies by facilitating role based access to the
organization's information
Conduct pre-employment screening by ensuring appropriate background verification checks
(“screening”) for all candidates for employment, contractor status, or third party user status
or those that will have access to Ensono
Implement and maintain terms and conditions of employment by ensuring all employees,
contractors, and third party users agree to and sign a statement of rights and responsibilities
for their affiliation with the organization, including rights and responsibilities with respect to
information privacy and security.
Facilitate Information Security awareness, education and training by ensuring all employees
of the organization, and, where relevant, contractors and third party users, receive
appropriate awareness training and regular updates of organizational policies and
procedures relevant to their job functions.
Implement a formal disciplinary process for employees who have committed a policy
violation
Maintain responsibilities and practices for performing employment termination or change of
employment including the following:
Removal of access to all information resources
Changes of responsibilities and duties within the organization are processed as a termination
(of the old position) and re-hire (to the new position), using standard controls for those
processes unless otherwise indicated
Facilitating the return of all information and physical assets upon termination of the
employment relationship or contract
Participate in the Risk Management Committee as requested
Participate in the Incident Response Program as requested
2.3.10 Chief Technology Office (CTO)
Ensono’s Chief Technology Office is responsible for the following:
Maintain knowledge and awareness of industry related security, privacy, and regulatory
requirements
Serve in an evangelist role for promoting security and risk management related practices
within Ensono products, services, and technologies
Ensure Information Owners and Data Classifications are appointed for all new products,
services, systems, and assets under the CTO purview
Ensure security, privacy, and regulatory requirements are incorporated into Ensono
products, services, and technologies
Set guidelines and standards for incorporation of security and risk management practices
into Ensono products, services, and technologies
Participate in the Risk Management Committee as requested
Participate in the Incident Response Program as requested
2.3.11 Ensono Service Operations
Ensono Service Operations provides the day-to-day administrative and operational aspects of all
technologies supporting both Ensono’s business as well as clients. This organization fulfills the
following responsibilities as it relates to the areas of responsibility:
Serve as Information Custodian and support the day to day operational tasks associated with
implementing the Information Owners’ and Security requirements
Review and understand the information classification level for the information with which
they are responsible
Review and understand the handling requirements for the various classifications of
information present at Ensono
Notify the Information Owner, their chain of management, or Security in the event they feel
a security incident has occurred
Ensure Information Security controls are present and consistent with the intent and
direction of the Information Security governance framework
Recommend policy and control enhancements to Security
Provide detailed subject matter expertise to assist with the development and maintenance
of the ISP
Identify potential Information Security vulnerabilities and gaps
Monitor Ensono’s environment, where appropriate, to identify, contain, or eliminate
unauthorized activity
Collaborate with E-SEC to investigate unauthorized activities and Information Security
incidents
Execute the day-to-day security management of information, systems, and solutions through
the application of controls as defined within the ISP
Serve in the role of subject matter expert for all technical and developmental issues
regarding Information Security within the area of responsibility
Participate in the Risk Management Committee as requested
Participate in the Incident Response Program as requested
2.3.12 Enterprise Operations Center (EOC)
The EOC serves as Ensono’s single point of contact for all data center operations and support
activities. This organization fulfills the following responsibilities:
Provide 24x7x365 operational support
Facilitate triage calls on behalf of Ensono or clients
Escalate critical issues to appropriate Ensono or client teams
Facilitate communication and status updates to Ensono and client teams
Provide broadcast messaging
Identify and contact Ensono support teams
Provide support and participate in the Incident Response Program as requested
Participate in the Risk Management Committee as requested
Participate in the Incident Response Program as requested
2.3.13 End Users
Ensono defines an End User as any individual that interacts with information, systems, or
solutions owned or managed by Ensono. End users fulfill the following responsibilities:
Conduct day-to-day business practices in such a way as to support the intent of the ISP
Review and understand the information classification level for the information with which
they are working.
Review and understand the handling requirements for the various classifications of
information present at Ensono
Notify the Information Owner, their chain of management, or Security in the event they feel
a security incident has occurred
Comply with Ensono’s security and privacy policies related to data handling
2.4 AUTHORIZATION PROCESS FOR NEW INFORMATION ASSETS
The acquisition and use of any new information assets shall have appropriate managerial approval.
Prior to implementation or integration into any environment, all hardware/software assets shall be
evaluated to ensure they support business and security requirements.
Ensono’s Mobile Handheld Usage Standard establishes the requirements for the approved use of
personal mobile devices (such as smartphones and tablet computers) to connect to the Ensono
infrastructure and/or to access Ensono-owned or managed data.
For personal assets not addressed by Ensono’s Mobile Handheld Usage Standard:
Use of such personal assets to conduct Ensono business and/or to connect to Ensono information
resources shall be strictly limited and shall be approved by the appropriate manager and Security
prior to use.
All such devices shall adhere to all of Ensono’s security practices prior to integration into Ensono’s
environment.
2.5 COOPERATION BETWEEN ORGANIZATIONS
Ensono shall maintain appropriate contacts with outside organizations to ensure that appropriate
actions can be quickly taken and advice obtained in the event of a security incident. This should
include, but is not limited to, the following:
Law enforcement authorities
Regulatory agencies
Information service providers
Telecommunications operators
Others, as necessary, to protect Ensono’s information assets.
Exchanges of security information shall be restricted to ensure that confidential information is not
inadvertently provided during a security incident.
2.6 INDEPENDENT REVIEW OF INFORMATION SECURITY
Ensono Audit & Compliance shall conduct independent reviews of Ensono’s Information Security practices.
2.7 SECURITY REQUIREMENTS FOR THIRD PARTY ACCESS
2.7.1 Requirements in Third Party Contracts
All contracts between Ensono and a third party shall include language protecting Ensono’s
information assets and requiring compliance with the ISP and Information Security practices,
where necessary and applicable.
Non-Disclosure Agreements shall be completed prior to engaging any third-party, including
clients or potential clients, in any business endeavor that discloses information beyond that
designated as “Public,” regardless of the format.
Security shall be engaged whenever a legal contract includes Information Security concerns
or security controls.
The customer waiver shall be used whenever a third party requests a practice that
introduces unnecessary or unacceptable risk to Ensono. The need for the waiver will be
determined by Ensono Legal, Audit & Compliance, or Security.
2.7.2 Requirements for Outsourcing to 3rd Parties
Outsourcing contracts shall contain appropriate language identifying which organization’s
security practices will govern the controls within the specified environment
When governing security practices have not been identified the ISP shall be the governing
document.
Ensono 3rd Party contracts shall contain language that provides Ensono with the right to
audit in the event that Ensono so chooses
Outsourcing contracts shall, where necessary, contain provisions for compliance with
international, federal, state and local requirements.
2.7.3 Requirements for Ensono Delivered Services
Security requirements within customer environments are defined by clients’ written
specifications.
Clients are responsible for managing their compliance program(s), protecting regulated data,
and ensuring compliance by formally specifying Ensono’s responsibilities.
Where security and compliance requirements have not been specified by the customer the
degree of security controls implemented will be at Ensono’s discretion.
Ensono will track all environment changes within the Ensono ticketing system as well as
ensure approvals are received by all appropriate parties.
All security related administration activities provided by Ensono will require written
procedures provided by the client.
Client environments that do not conform to a minimum set of security controls may be
asked to sign a liability waiver.
2.7.4 Confidentiality Agreements for Non-Employees
Non-employee users shall be required to complete Ensono’s Non-Disclosure Agreement
prior to being granted access to information resources owned or managed by Ensono.
Violations of Ensono’s Non-Disclosure Agreement are considered breach of contract, and
may be subject to immediate termination of client, partner, or vendor relationship.
3 Acceptable Use Policy
3.1 GENERAL ACCEPTABLE USE POLICY
Use of Ensono information assets or facilities, whether owned, managed or leased, is limited to authorized users.
Users of Ensono information assets or facilities shall not assume their actions are private, privileged or protected.
Where permissible by law, Ensono reserves the right to monitor users in any manner the company deems
appropriate. This may include video, audio or electronic monitoring of activities including, but not limited to, the
following:
Telephone conversations
Email content and destinations
Instant messaging communications
Social media/networking communications
Cloud service usage
Internet access and downloading
Data access
Key strokes
Work habits
In the event that monitoring reveals criminal activities, the evidence and related information may be turned over
to law enforcement officials at the sole discretion of Ensono without consent or notice to involved individuals.
Violations of the ISP, unauthorized use of information assets or inappropriate use of information assets are cause
for disciplinary action up to and including immediate termination of employment or access.
3.2 ELECTRONIC COMMUNICATIONS AND ONLINE SYSTEMS ACCEPTABLE USE POLICY
Ensono’s electronic communications and online systems are provided to employees for business purposes, but
Ensono does recognize that employees may, on occasion, wish to use these systems for personal use. Employees
should keep in mind that use during company time and use that interferes with the performance of company
business or an employee’s assigned duties is not permitted, and may be cause for disciplinary action and/or
termination. Examples of personal use include, but are not limited to: personal communications, game playing,
chat rooms, job searching, online merchandising, sports, personal pages and other entertainment.
In all situations, Ensono reserves the right to monitor the user’s electronic communications and online activity.
Ensono has the right and the ability to track, review, audit or disclose any records originating and/or accessed by a
user ID, as well as from Ensono equipment or non-Ensono owned equipment that is using Ensono resources.
Accordingly, users should not have an expectation of privacy in electronic communications or online systems and
should not consider such activities to be private or confidential. All electronic communications and online records
are considered company property and are subject to inspection and disclosure to certain Ensono employees, law
enforcement, and government officials or to other third parties as deemed appropriate by Ensono.
Ensono’s electronic communications and online systems shall not be utilized to:
Create any discriminatory, defamatory, offensive, disruptive or otherwise inappropriate or
unprofessional communications. Among those communications considered inappropriate or
unprofessional are any communications which contain sexual implications, racial slurs, gender
specific comments or any other comments that inappropriately or unprofessionally address
someone’s age, race, gender, color, national origin, religion, sexual orientation, disability or veteran
status.
Access any discriminatory, defamatory, offensive, disruptive or otherwise inappropriate or
unprofessional websites including, but not limited to, sites that contain information related to the
communications described above, pornography, hate speech, illegal drugs, other illegal activities or
gambling.
Divulge or obtain copyrighted materials, confidential information, trade secrets, proprietary financial
information or similar materials without prior authorization.
Load unapproved applications on a computer or workstation that periodically and automatically
download data from the Internet. These applications, when widely installed, can be detrimental to
the performance of Ensono’s networking systems.
Perform any act that is illegal or otherwise in violation of any applicable federal, state or local laws,
regulations or ordinances.
Conduct private business activities.
Cause Ensono to incur any additional unauthorized costs.
Misrepresent, obscure, suppress or replace a user’s identity.
Establish new Internet Web pages dealing with Ensono business or make modifications to existing
Web pages dealing with Ensono business unless done in compliance with Ensono policies and
applicable contract requirements.
Download, copy, distribute or share copyrighted, illegal or illicit material.
Duplicate or use unauthorized computer software for any purpose.
Download content in violation of copyright laws. In addition, users shall be prohibited from using file
sharing or “peer to peer sharing” applications or software for the purpose of acquiring or distributing
music in violation of copyright laws.
3.3 WORKSTATION ACCEPTABLE USE POLICY
Workstations provided by Ensono to conduct Ensono-related business are property of Ensono and are
subject to removal or reallocation at any time.
Ensono-provided workstations are provided for the primary purpose of conducting Ensono business.
Users are prohibited from using Ensono-provided workstations to negatively impact Ensono business
processes.
Users are prohibited from altering or changing workstation hardware configurations without approval
from Ensono Desktop team.
Users are prohibited from altering or changing workstation software configurations that modify or
disable administrative controls implemented by Ensono support personnel.
Installation of user-provided software is restricted and shall adhere to software installation
requirements as specified within the ISP.
USB drives shall be disabled on user workstations unless specifically authorized in accordance with
the established security exception process.
Permitted external storage devices conforming to Ensono’s standards will be distributed to
authorized users.
Only Ensono-issued devices are permitted for use with Ensono workstations. Mobile devices are
permitted in accordance with the Mobile Device Standard.
Ensono associates should make every effort to store company data on shared drives and avoid
storage on the local hard drive.
The use of cloud based services with Ensono assets is prohibited unless sanctioned by Ensono.
The use of cloud or other such services to transfer Ensono data under personal accounts, credit cards,
or other such manners is strictly prohibited.
3.4 AUTHORIZED USE BANNER
The following banner, or similar language, shall be displayed wherever user logon occurs:
This system is for authorized use only. Any use of the system is subject to monitoring and recording by systems
personnel. Anyone using this system expressly consents to such monitoring and recording and is advised that if
such monitoring and/or recording reveals possible criminal or unethical activity, system personnel may, in addition
to other actions, provide the evidence of such monitoring to law enforcement officials.
4 Access Control
4.1 ACCESS CONTROL OBJECTIVES
To control access to information and information assets
To protect network services
To detect unauthorized activities
To ensure effective Information Security practices when using mobile computers and telecommuting
4.2 USER ACCESS CONTROLS
4.2.1 General Requirements for User Access
Access to information in the possession of or under the control of Ensono must be provided only
to people who have a legitimate business need for the information. The access levels of
individuals and groups are to be determined by comparing the classification of the data to the
business requirements. User access management must be implemented to prevent unauthorized
access to systems and/or data.
The process of granting user access shall be standardized and documented for all types of
access granted.
Each user’s access privileges shall be authorized by their appropriate manager according to
business needs.
All user access shall be restricted based on Ensono’s information classifications.
Privileged user attributes must be restricted to users with a job function requiring that level
of access.
The process for creating user accounts shall be standardized and documented for all types of
user accounts.
All individual Ensono users shall be uniquely identified.
Anonymous access to any Ensono resource shall be strictly prohibited unless the system is
designed for all users to be anonymous. This includes, but is not limited to, electronic
bulletin boards, Internet web sites and intranet web sites.
All users shall sign documentation stating they understand the appropriate use of their
assigned user accounts and they understand they are solely responsible for use of their user
account.
All accounts used to access Ensono’s information and/or information assets shall be required
to have a password, or other solution approved by Security, for authentication of that
account.
All passwords shall comply with the Ensono’s password standard.
Ensono user access shall not compromise the confidentiality, integrity or availability of
Ensono resources.
Generic or shared user accounts shall be generally prohibited on all Ensono resources unless
authorized by Security through the ISP Exception Request Process.
All Ensono user accounts shall be reviewed on a regular basis as defined in the ISP and
associated standards.
Ensono user access shall be updated, when necessary, in a timely manner.
Ensono user access shall be implemented in such a way as to support the concept of
separation of duties. This includes the separation of security administration job roles from
any system administration job roles, and software development job roles from change
management controls.
All Ensono users shall protect confidentiality, integrity and availability of Ensono information
assets.
Wherever feasible, centralized user account administration shall be implemented for all
Ensono systems.
Development environments shall leverage a centralized user authentication structure.
Multi-factor authentication shall be implemented for all remote access and wherever
technically feasible.
Privileged accounts will adhere to an elevated level of security standards.
4.2.2 General Requirements for Account Registration
User access to multi-user information systems including, but not limited to, workstations,
servers, network resources, production environments, development environments and
mainframes shall be controlled through the following formal user registration process:
The creation of an individual user account shall require a written or electronic request from
an appropriately authorized manager.
Redundant or duplicate user IDs shall be prohibited on all Ensono information resources.
All user registration shall be administered by a limited and controlled group of
administrators.
The Information Owner shall be responsible for review of the creation of each user account
to ensure that creation of each account was conducted as appropriate.
4.2.3 Requirements for User Account Creation
User accounts should be created in such a way as to facilitate their periodic review by
Information Custodians. To that extent, user account creation shall adhere to the following:
When the system permits, the user account name shall match the user’s full name as
specified within Ensono’s payroll system. Creation of user accounts for non-Ensono users
shall follow the same format.
For systems that are incapable of implementing user account names that match payroll, all
user account names shall follow a standardized format that has been identified and
documented.
Whenever the system permits, user account information shall contain the following:
Owner or user’s full name
Business unit or customer name
Business purpose for shared, group and anonymous user accounts.
User details including physical location, email address, and phone number
For systems that are incapable of implementing all user account identification information,
identifying information shall be provided to the extent possible.
4.2.4 Management of User Accounts and Access
Access to information systems including, but not limited to, workstations, servers, network
resources, production environments, development environments and mainframes shall be
controlled through the following formal user management process:
Access to information systems shall require a unique user ID.
Access to information systems by an individual user ID shall require approval by the
appropriate Information Custodian or designee.
Information Custodians shall ensure the level of access granted for each user ID and/or
group ID is appropriate for the business purpose.
Access to information systems shall be prohibited unless explicitly granted by the
Information Custodian or designee.
Information Custodians shall maintain an accurate record of all users registered to use their
information resource.
Information Custodians or designees shall periodically review the information resources,
checking for and removing terminated user IDs, generic/anonymous user IDs, and
redundant/duplicate user IDs.
Information Custodians or designees shall immediately notify the appropriate personnel
when a user is transferred or has been terminated.
Upon notification of user transferal or termination, security administrators shall immediately
remove, revoke or change user account access rights as appropriate.
4.2.5 Requirements for Privileged Access
The allocation and use of privileged user accounts shall be restricted and controlled as follows:
The privileges associated with each information resource shall be identified and
documented. This includes, but is not limited to:
Operating Systems
Database Management Systems
Applications
Categories of staff for which privileged access should be granted shall be identified and
documented. This includes, but is not limited to:
Operating Systems
Database Management Systems
Applications
The allocation of privileged access shall be provided on a need-to-use basis.
The process for granting privileged access shall follow the same requirements as the user
registration process.
The Information Custodian shall maintain documentation for all users provided with
privileged access.
Wherever possible, system routines and automated processes shall be used to conduct
privileged tasks.
Privileged access shall be audited and logged at all times. Logs shall be maintained in a
centralized solution and monitored by Security teams.
Privileged access shall be protected and granted in such a way as to ensure that actions
conducted while using privileged access can be traced to a unique user account.
4.2.6 Review of User Access
To maintain effective controls over user access to data and information resources, a formal
process shall be implemented to review user access on a regular basis. To maintain these
effective controls the following shall be adhered to:
Information Custodians or their designees shall review user access to resources on a
quarterly basis. The review should specifically identify and revoke access for, or remove the
following:
Active User IDs that are no longer needed.
User IDs assigned to terminated users with active access.
Generic or anonymous user IDs.
Redundant or duplicate user IDs.
User IDs with excessive privileges which are no longer necessary and/or are not approved by
the Information Custodian.
4.2.7 User Account Lock-Out and Suspension
In order to reduce the risk of a malicious user or program using a brute force attack or a
continuous process to access Ensono resources, the following shall be adhered to:
Inactive user IDs shall be suspended after sixty (60) days of non-use.
All user accounts shall be suspended and/or locked out after five (5) or fewer unsuccessful
access attempts.
Suspended and/or locked user accounts shall require a system administrator to unlock the
account, or;
Users with the appropriate access may use the password maintenance application to unlock
their account using either a personalized Q&A system or a hard key (such as a RADIUS card),
or;
Users with the appropriate access may utilize a system that provides a process to
automatically unlock an account after a predetermined period of time. Systems of this
nature must be authorized by the appropriate Information Custodian.
Ensono’s Mobile Handheld Usage Standard establishes the requirements for user account lock-out and
suspension on mobile devices (such as smartphones and tablet computers) that connect to
the Ensono corporate infrastructure and/or that access Ensono-owned or managed data.
4.2.8 Suspension of Active Accounts
In certain instances, it may be necessary to temporarily suspend access for Ensono employees
that have active status. In those instances, access shall be suspended unless the employee’s
manager authorizes in writing or electronic form that the employee’s access should be
maintained. Those instances include, but are not limited to, the following:
Leave of absence
Short-term disability
Long-term disability
4.2.9 User Account Termination
User terminations are divided into the following three (3) categories:
Voluntary termination
Involuntary termination
Third-party or non-employee termination
In the event of a termination, the following shall be adhered to:
For terminations, both voluntary and involuntary, HR shall be involved in the notification
process.
For terminations, both voluntary and involuntary, HR shall notify all appropriate parties in a
timely manner.
Upon appropriate notification, all appropriate administrators shall immediately disable
access to Ensono resources on systems within their control.
Administrators are responsible for notifying the appropriate client or delivery teams for
termination of access within client environments.
For non-Ensono user terminations, the client organization or other sponsoring organization
shall be responsible for timely notification to Ensono.
The organization, business unit or individual sponsoring a non-Ensono user shall be
responsible for informing the client of the client’s responsibility for timely notification of
terminated users.
4.3 USER CONDUCT POLICY
4.3.1 User Responsibilities
Compliance with the ISP standards, procedures and guidelines on a daily basis is an important
aspect of the overall Information Security structure. Users should be aware of the following
responsibilities:
Users shall be responsible for the use of their personal user account.
Users who own a group, shared or anonymous account shall be responsible for use of that
account.
Users shall not use their authorized access to negatively impact, modify or compromise
Ensono information resources.
Users shall not engage in the subversion of existing security controls unless appropriately
authorized by the Security Director. This includes, but is not limited to, the following:
Password cracking.
Network, computer or device hacking.
Brute force attacks.
Unauthorized file decryption.
Bootleg software copying, downloading or sharing.
Unauthorized network, computer or device scanning.
Users shall be diligent in regard to protecting Ensono’s information resources and the overall
Information Security of Ensono.
Users shall report suspected or identified Information Security incidents as required by the
ISP.
Unauthorized attempts to circumvent an existing security measure may be unlawful and will be
considered serious violations of the ISP standards, procedures and guidelines. Violations may
result in disciplinary actions up to and including termination.
4.3.2 Prohibition against Harassment
Ensono strives to maintain a workplace that is free of harassment and is sensitive to the diversity
of its users. Ensono prohibits the use of any information resource including, but not limited to
voicemail, computers, e-mail and Internet systems in ways that are disruptive, offensive to
others, or harmful to morale. Examples of inappropriate use of such information systems include,
but are not limited to, the following:
Threatening or harassing other users.
Using obscene or abusive language.
Creating, displaying or transmitting inappropriate images, messages or cartoons regarding
sex, race, religion, color, national origin, marital status, age, physical or mental disability,
medical condition, or sexual orientation, or which in any way violate Ensono’s policy
prohibiting employment discrimination and harassment in employment.
Creating, displaying or transmitting inappropriate “junk mail” such as inappropriate
cartoons, inappropriate gossip or inappropriate “joke of the day” messages.
Creating, displaying or transmitting inappropriate “chain letters.”
Users are expressly prohibited from abusing Ensono’s information systems.
4.3.3 Restriction on Possession or Solicitation of Non-Public Data
Users shall not solicit, possess, receive or in any way try to gain access to another company’s
non-public data.
Employees shall not coerce new employees to disclose information from their former
employer that might be beneficial to Ensono or detrimental to their former employer.
4.4 PASSWORD POLICY
Access to Ensono information, systems, or solutions shall be secured by appropriate authentication methods to
verify the identity of the users. All passwords must adhere to requirements published in the Ensono Password
Standard. Exceeding those requirements is strongly encouraged.
The Ensono Password Standard provides details on the use and communication of passwords. All users are
required to read and follow those restrictions.
4.5 CONCURRENT SESSIONS AND SESSION TIMEOUTS
4.5.1 Session Timeout
Whenever permitted by system software, a computer terminal, workstation, communication
device/system, or microcomputer will automatically blank the screen and suspend the session
after the recommended ten (10) minutes of system inactivity. Reestablishment of the session
must take place only after the user has provided a valid password.
4.5.2 Concurrent Sessions
Whenever required by contractual obligations, or by the Information Owner, concurrent sessions
may be limited.
4.6 AUDITING AND LOGGING STANDARD
Administrators of Ensono information assets shall perform a review of logging activity and audit trails using the
following:
4.6.1 Activity Logs and Audit Trails
There are certain activities that occur on networks, systems and applications that shall be logged.
These include activities such as data requests, data transfers, changes to configuration files, the
addition, deletion or modification of user IDs, etc.
Logs of security events shall provide sufficient data to support the comprehensive audits of the
effectiveness and compliance with the ISP and associated standards. Audit logs will be collected
by all Ensono systems. Logs should be stored in a centralized manner and the Security Risk
Management team is responsible for log monitoring and oversight.
File integrity monitoring tools or change detection software on logs must be used to ensure that
existing log data cannot be changed (except when new data is added) without generating alerts.
4.6.2 Clock Synchronization
The internal clocks on systems that generate activity on Ensono-owned or managed networks
shall accurately reflect the current time and date for the geographic location of the equipment.
The accurate time and date shall be recorded in all log activity.
4.6.3 Architecture for Logging Activities
Logs shall be created in such a manner that individual events are attributed to individual user IDs.
Network devices, systems and applications that generate logs shall record the following where
applicable:
Intrusion Activity
Attempts to use privileges that have not been authorized
Failed login attempts with a valid user ID (password guessing attempts)
Failed login attempts with an invalid user ID
Failed password change attempts
IP Address
User Activity
Application invoked
Attempted access to unauthorized data
Changes to critical application system files
Logoff date/time
Logon date/time
Password date/time
Use of authorized advanced privileges (security bypass, etc.).
User IDs
IP address
UserID Administration Activity
Additions
Changes to the privileges of users
Deletions
Disabling
Modifications
Re-enabling
System Activity
Shutdown
Startup
Hardware
Hardware and disk media errors
Maintenance activity
4.6.4 Backup, Archive, and Protection
Log files shall be archived to external media and secured in offsite or other appropriate storage.
Log files shall be backed up as follows:
Logs shall be rolled (a new log file activated, the old file log saved) rather than overwritten
(the same log file is used again, losing data).
In general, unless a specific retention period is documented, all logs containing security-relevant
events shall be retained for a minimum of one (1) year. Retention beyond this will
be governed by the data backup and retention policy.
Log files are classified as CONFIDENTIAL and shall be protected such that no individual can
modify or delete the logs.
Individuals authorized to view logs include E-SEC, information owners, and Information
Custodians.
In the event persons require access to log files, approval shall be obtained from Security
and/or the Information Owner.
4.6.5 Deactivation, Modification, or Deletion
Mechanisms to detect and record significant computer security events shall be resistant to
attacks. These attacks include attempts to deactivate, modify, or delete the logging software
and/or the logs themselves.
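As an added illustration of the 4.6.4 and 4.6.5 requirements (example code written for this page, not Ensono's own tooling), the following Python links log records into a hash chain: each record carries the SHA-256 of the previous record's hash together with its own content, so editing or deleting an existing record breaks the chain while appending new records keeps it valid. Truncating the tail is the case a bare chain cannot see, so the check also requires the previously recorded head hash to still be present. The GENESIS anchor and the sample log lines are constructed for the example.

```python
"""Append-only log integrity via a SHA-256 hash chain.

Added example for this page; not Ensono's code. Assumptions: a fixed GENESIS
anchor for the first record, and constructed sample log lines.
"""
import copy
import hashlib
from typing import Dict, List

# Constructed anchor for the first record (an assumption of this example).
GENESIS = "0" * 64


def _digest(prev_hash: str, message: str) -> str:
    # Bind this record to the previous record's hash and its own content.
    return hashlib.sha256(f"{prev_hash}\n{message}".encode("utf-8")).hexdigest()


def append_record(chain: List[Dict[str, str]], message: str) -> Dict[str, str]:
    """Append one log message, linking it to the current head of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"prev": prev_hash, "msg": message, "hash": _digest(prev_hash, message)}
    chain.append(record)
    return record


def first_bad_record(chain: List[Dict[str, str]]) -> int:
    """Return -1 if every link verifies, else the index of the first broken record."""
    prev_hash = GENESIS
    for index, record in enumerate(chain):
        if record["prev"] != prev_hash or record["hash"] != _digest(prev_hash, record["msg"]):
            return index
        prev_hash = record["hash"]
    return -1


def is_append_only(known_head: str, chain: List[Dict[str, str]]) -> bool:
    """True when the chain verifies and still contains the head hash recorded
    earlier, i.e. only new records were added since that head was recorded."""
    if first_bad_record(chain) != -1:
        return False
    return any(record["hash"] == known_head for record in chain)


def demo() -> Dict[str, object]:
    """Build a chain from constructed log lines and exercise each tamper case."""
    lines = [  # constructed sample lines, not real Ensono logs
        "2016-01-20T09:00:01Z sshd[1001]: Accepted password for jdoe from 10.0.0.5",
        "2016-01-20T09:05:10Z sudo: jdoe : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
        "2016-01-20T09:06:00Z useradd[1020]: new user: name=svc_backup, UID=1500",
    ]
    chain: List[Dict[str, str]] = []
    for line in lines:
        append_record(chain, line)
    head = chain[-1]["hash"]  # what the monitoring side stores after each check

    # 1. Appending later keeps the chain valid and the old head present.
    appended = copy.deepcopy(chain)
    append_record(appended, "2016-01-20T09:10:00Z sshd[1001]: Disconnected from 10.0.0.5")

    # 2. Rewriting the sudo line to hide what was read breaks record 1.
    edited = copy.deepcopy(chain)
    edited[1]["msg"] = edited[1]["msg"].replace("/etc/shadow", "/etc/motd")

    # 3. Deleting the sudo line leaves the next record's prev pointer dangling.
    deleted = copy.deepcopy(chain)
    del deleted[1]

    # 4. Dropping the tail still verifies link by link; only the stored head
    #    reveals that records disappeared.
    truncated = copy.deepcopy(chain)[:-1]

    return {
        "intact": first_bad_record(chain),
        "appended_ok": is_append_only(head, appended),
        "edited_at": first_bad_record(edited),
        "deleted_at": first_bad_record(deleted),
        "truncated_chain_valid": first_bad_record(truncated),
        "truncated_append_only": is_append_only(head, truncated),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stored head hash is the piece that turns "detect modification" into "detect anything except appends": a collector that records the head after each check and refuses any chain that no longer contains it catches truncation and wholesale replacement as well as in-place edits. In practice the head would be kept where the log producer cannot write it, which is what 4.6.4's offsite archive and 4.6.5's resistance to deletion are asking for.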
4.6.6 Activity Auditing
System administrators shall monitor the event logs created by information assets to ensure that
inappropriate behavior or potential intrusions are recognized and addressed.
At a minimum, activity logs shall be examined on a routine basis (daily is recommended) for
the following:
Failed logon attempts
Attempts to use unauthorized privileges
All administration activity
Other significant events
A centralized logging solution shall be in place and monitoring conducted by E-SEC.
Automated systems that are capable of identifying and reporting on significant events shall
be preferred for use over manual review of logs.
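As an added example of the routine review in 4.6.6 over the event categories listed in 4.6.3 (written for this page; not Ensono's own tooling), the following Python parses constructed syslog-style lines in OpenSSH, sudo and shadow-utils formats and reports password guessing against valid user IDs (using the five-attempt threshold from 4.2.7), failed logins against invalid user IDs, denied privilege attempts, privileged commands, and user-ID administration. The log lines, host names and addresses are constructed, and the regular expressions assume those specific message formats.

```python
"""Daily log review for the 4.6.3 event categories.

Added example for this page; not Ensono's code. Assumes OpenSSH, sudo and
shadow-utils message formats and uses constructed sample lines.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# 4.2.7: lockout after five or fewer failures; reaching five failed logons
# against one valid ID is treated here as a password-guessing indicator.
LOCKOUT_THRESHOLD = 5

# Constructed sample lines (not real Ensono logs).
SAMPLE_LOG = """\
Jan 20 09:00:01 host1 sshd[1001]: Failed password for jdoe from 10.0.0.5 port 51000 ssh2
Jan 20 09:00:03 host1 sshd[1001]: Failed password for jdoe from 10.0.0.5 port 51001 ssh2
Jan 20 09:00:05 host1 sshd[1001]: Failed password for jdoe from 10.0.0.5 port 51002 ssh2
Jan 20 09:00:07 host1 sshd[1001]: Failed password for jdoe from 10.0.0.5 port 51003 ssh2
Jan 20 09:00:09 host1 sshd[1001]: Failed password for jdoe from 10.0.0.5 port 51004 ssh2
Jan 20 09:00:20 host1 sshd[1001]: Accepted password for jdoe from 10.0.0.5 port 51005 ssh2
Jan 20 09:01:00 host1 sshd[1002]: Failed password for alice from 10.0.0.7 port 52000 ssh2
Jan 20 09:02:00 host1 sshd[1003]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2
Jan 20 09:02:01 host1 sshd[1004]: Failed password for invalid user oracle from 203.0.113.9 port 40001 ssh2
Jan 20 09:05:10 host1 sudo:   bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 20 09:05:30 host1 sudo:  jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 20 09:06:00 host1 useradd[1020]: new user: name=svc_backup, UID=1500, GID=1500, home=/home/svc_backup, shell=/bin/bash
Jan 20 09:06:05 host1 usermod[1030]: add 'svc_backup' to group 'wheel'
Jan 20 09:10:00 host1 sshd[1001]: Disconnected from 10.0.0.5 port 51005
"""

# Checked in order: the "invalid user" and "NOT in sudoers" forms must be
# tried before the ordinary failed-logon and sudo forms.
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("failed_invalid", re.compile(r"sshd\[\d+\]: Failed password for invalid user (\S+) from (\S+)")),
    ("failed_valid", re.compile(r"sshd\[\d+\]: Failed password for (?!invalid user )(\S+) from (\S+)")),
    ("logon", re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")),
    ("priv_denied", re.compile(r"sudo: +(\S+) : user NOT in sudoers.*COMMAND=(.*)$")),
    ("priv_used", re.compile(r"sudo: +(\S+) : TTY=.*COMMAND=(.*)$")),
    ("admin", re.compile(r"(useradd|usermod|userdel|groupadd|groupmod)\[\d+\]: (.*)$")),
]


def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (event kind, subject, detail), or None for lines outside 4.6.3's categories."""
    for kind, pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            return kind, match.group(1), match.group(2)
    return None


def review(lines: List[str]) -> Dict[str, object]:
    """Summarise the events 4.6.6 says an administrator must examine."""
    failed_valid: Counter = Counter()
    invalid_by_source: Dict[str, set] = defaultdict(set)
    logons, priv_denied, priv_used, admin = [], [], [], []
    unclassified = 0
    for line in lines:
        event = classify(line)
        if event is None:
            unclassified += 1
            continue
        kind, subject, detail = event
        if kind == "failed_valid":
            failed_valid[subject] += 1              # guessing against a real ID
        elif kind == "failed_invalid":
            invalid_by_source[detail].add(subject)  # ID enumeration from one source
        elif kind == "logon":
            logons.append((subject, detail))
        elif kind == "priv_denied":
            priv_denied.append((subject, detail))   # unauthorized privilege attempt
        elif kind == "priv_used":
            priv_used.append((subject, detail))     # authorized privilege use, still reviewed
        elif kind == "admin":
            admin.append((subject, detail))         # user-ID administration activity
    return {
        "password_guessing": sorted(u for u, n in failed_valid.items() if n >= LOCKOUT_THRESHOLD),
        "user_enumeration": {src: sorted(ids) for src, ids in invalid_by_source.items()},
        "logons": logons,
        "unauthorized_privilege_attempts": priv_denied,
        "privileged_commands": priv_used,
        "account_administration": admin,
        "unclassified": unclassified,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On the sample, jdoe's five failures followed by a success is the pattern worth a call: a lockout should have fired before the sixth attempt, so the review checks the lockout control as well as the user. alice's single failure stays below the threshold and is not reported; the `unclassified` count shows how much of the log the rules did not cover, which is the number to watch when a new message format appears.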
4.6.7 Incident Reporting and Notification
System administrators shall be responsible for following Ensono’s Security Incident Response
Plan when a security incident is identified.
Information Custodians shall be responsible for following Ensono’s Security Incident Response
Plan when a security incident is identified.
4.7 MOBILE COMPUTING
4.7.1 Modems, Remote Access Devices, and Remote Access Software
Unauthorized network devices, such as modems or Wireless Access Points, shall not be
connected to PCs, workstations, or laptops. Modems and out-of-band devices are prohibited
except when explicitly approved. When modem or out-of-band devices are authorized:
Modems may not be used in the auto answer mode such that they are able to receive
incoming dialup calls.
The use of devices and software that permits remote access to Ensono workstations from
anywhere except from Ensono systems located on the internal Ensono network is
prohibited.
Remotely connecting to Ensono owned devices from home computers or non-Ensono owned
devices is prohibited.
4.7.2 Remote Access
All Ensono employees will be provided with remote access capability unless explicitly prohibited
by their management. This privilege may be revoked at any time.
4.7.3 Mobile Devices
Ensono’s Mobile Handheld Usage Standard establishes the requirements for the approved use of
mobile devices (including, but not limited to, smartphones, PDAs, and tablet computers) to
connect to the Ensono corporate infrastructure and/or to access Ensono-owned or Ensono-
managed data.
5 Asset Classification and Control
5.1 ASSET CLASSIFICATION AND CONTROL OBJECTIVES
To maintain appropriate protection of Ensono’s assets.
To ensure appropriate responsibility is identified.
To ensure an information classification level is assigned to all information assets.
To ensure all users understand Ensono’s classification levels.
To identify the default classification level for all information assets.
5.2 ACCOUNTABILITY FOR ASSETS
5.2.1 Inventory of Assets
Ensono shall maintain an accurate inventory of all information assets including, but not limited to
documentation, hardware and software. This inventory shall include all information necessary to
recover from a disaster, including the following:
Asset identification
Hostname
IP address
Information Owner
Asset type
Tenant (where appropriate)
Location
Backup information
License information
Other information deemed necessary by Ensono leadership.
Each information asset shall have an identified Information Owner who is accountable for
classification of the information asset, responsible for ensuring that the asset is part of
documented inventory, and maintenance of related security controls as specified within the ISP.
5.2.2 Documentation
An inventory of all documentation including, but not limited to system documentation, user
manuals, training manuals, operational procedures, support procedures, continuity plans,
fallback arrangements and archived information shall be maintained and documented by the
identified Information Owner or Information Custodian and shall include the following:
Information Owner
Client Tenant (where appropriate)
Associated responsible Service Operations team
Classification
Physical location
5.2.3 Hardware Assets
An inventory of all hardware assets, including but not limited to computer equipment,
communication equipment, network equipment, magnetic media, and optical media shall be
maintained and documented by the identified Information Owner and shall include a minimum
of the following:
Information Owner
Configuration Item (CI) Owner
Host name
IP Address
Client Tenant ( where appropriate)
Associated responsible Service Operations team
Classification
Device Type
Vendor (where applicable)
Physical location
5.2.4 Software Assets
An inventory of all software assets including, but not limited to application software, system
software, development tools, software utilities, and development code shall be maintained and
documented by the identified Information Owner and/or their designee and shall include the
following:
Information Owner
Configuration Item (CI) Owner
Client Tenant ( where appropriate)
Associated responsible Service Operations team
Classification
Vendor (where applicable)
Software license (where applicable)
5.3 INFORMATION CLASSIFICATION
5.3.1 Ensono’s Classification Levels
Due to relationships with a large number of clients and the nature of our business environment,
Ensono identifies classifications for information assets based in part on the type of disclosure
allowed (e.g., no disclosure, limited disclosure, full disclosure, etc.).
There are four (4) primary classification levels, as identified in Table A:

Table A: ENSONO INFORMATION CLASSIFICATION LEVELS

Classification Level: PUBLIC
Description: This classification applies to information that has been deemed appropriate for wide distribution by Legal and Marketing. Disclosure is supported and often encouraged. Information that has been designated by Legal and/or Marketing as PUBLIC can be disclosed to anyone without formal management approval.

Classification Level: INTERNAL USE ONLY
Description: This classification applies to information which cannot be considered PUBLIC due to the nature of the information, but is not of a sensitive nature that would harm Ensono should it be disclosed in an unauthorized manner (e.g., security standards, internal service offering documents, company practices such as PDO policy, etc.). For this type of information, encryption is preferred but not required. Disclosure of INTERNAL USE ONLY information requires a Non-Disclosure Agreement on file.

Classification Level: CONFIDENTIAL
Description: This classification applies to information that is releasable to a limited number of employees and can be provided to a limited number of clients or customers who have a legitimate business need, and with whom Ensono has a Non-Disclosure Agreement (NDA) on file. Its unauthorized disclosure could seriously and adversely impact Ensono, its employees, and/or clients. The Information Owner must define who is authorized to access CONFIDENTIAL information by job role and/or account team.

Classification Level: RESTRICTED
Description: This classification applies to information that is specific to Ensono, Ensono employees, or Ensono clients and is regulated or private and sensitive in nature (e.g., Protected Health Information, Personally Identifiable Information, or Ensono financial data). Unauthorized disclosure could result in harm to an individual; legal action against Ensono; regulatory fines; or breach of contract. Access to this information should be strictly controlled, provided only on a need-to-know basis, encrypted in transit and at rest, and protected by the highest level of security controls available.
5.3.2 Ensono’s Classification Guidelines
The following is provided to assist Information Owners when classifying information within their
realm of responsibility:
All information assets shall be classified strictly according to their level of confidentiality,
sensitivity, value and criticality.
All information assets shall be protected in a manner commensurate with their
confidentiality, sensitivity, value and criticality.
Information Owners shall review their information and information assets annually to
determine if the classification level has changed.
Information Owners shall work with members of the Audit & Compliance and Security teams
to help educate users about classification levels.
5.3.3 Classification and Release of Security Related Documentation
Ensono security related documentation including, but not limited to policies, standards,
procedures and guidelines shall be classified as INTERNAL USE ONLY. Disclosure of such
documents to any non-Ensono person shall require 1) completion of Ensono’s Non-Disclosure
Agreement and 2) approval by Legal, Audit & Compliance and/or Security teams at each of these
team’s discretion.
All users, unless appropriately authorized, shall be prohibited from disclosing information related
to Ensono’s security posture or security practices.
5.4 INFORMATION LABELING
5.4.1 General Labeling Requirements
The default classification for any data (physical or logical) that is not officially labeled shall be
CONFIDENTIAL as specified in Section 5.3.1, Table A.
Data housed within Ensono shall be labeled only as appropriate to support business
processes, needs, or client requirements.
When information of different classifications is combined, the resulting information shall
have a classification equal to the most restrictive classification.
The Information Owner, with guidance from the Audit & Compliance
and Security teams, shall be responsible for identifying and designating the appropriate
classification level for all information assets within their realm of responsibility.
All users that create, compile, alter or procure a new type of production information shall
assign a classification consistent with the prior classification as specified by the Information
Custodian.
The Audit & Compliance and Security teams shall be available to assist all Information
Owners when appropriately classifying information assets.
With the exception of general business correspondence and copyrighted software, all
externally-provided information which is not clearly in the public domain shall receive an
Ensono classification level.
Department specific data classifications are permissible, but shall remain consistent with
classification standards.
Client names and acronyms are prohibited for use, either directly or inferred, when labeling
systems or devices unless the client specifically permits or requests such labeling of their
dedicated systems or devices.
Inappropriate or vulgar labels, as defined by Ensono HR, are prohibited for use on Ensono
owned or managed information systems.
5.5 INFORMATION HANDLING
5.5.1 General Controls
All information must be appropriately secured, as determined by criticality and classification
of the information and/or contractual obligations, particularly when unattended during and
after work hours.
Users handling INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED information shall be
vigilant to make sure the information is not inadvertently disclosed to people who do not
have a need to know.
Users shall cover or otherwise obscure INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED
information on their desks or working areas when unauthorized persons are in the
immediate area.
All Ensono employees that travel or work in public areas are required to use privacy screens
to prevent unauthorized viewing of protected information.
Users shall enable screensavers to logoff/lock their workstation or take similar action if
unauthorized persons are in a position to see their computer screen.
Information classified as INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED shall be
protected from unauthorized disclosure at all times including times when the information is
not in use.
5.5.2 Reproduction
Reproduction of INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED information, including
printing additional copies and making additional electronic copies, shall be prohibited unless
specifically authorized by the Information Custodian.
Extracts, summaries, translations or derivatives of INTERNAL USE ONLY, CONFIDENTIAL, or
RESTRICTED information shall be strictly prohibited unless specifically authorized by the
Information Custodian.
Information Custodians shall be authorized to make backup copies of information within the
realm of their responsibility.
5.5.3 Remote Printing
Users shall not leave INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED information
unattended on printers, copiers, or fax machines, unless the physical location of the device is
physically protected such that unauthorized persons are not permitted to enter. This includes
during and after work hours.
5.5.4 Storage
Information classified as INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED shall be
securely stored physically when unattended during and after work hours to avoid
unauthorized disclosure. This includes printed information, as well as information stored on
laptops, removable electronic media, or mobile devices.
Currently, Ensono does not require that INTERNAL USE ONLY or CONFIDENTIAL information
at rest be encrypted unless specified by legal, regulatory, or contractual requirements.
RESTRICTED data must be encrypted at rest in all scenarios except where it is not technically
possible. Exceptions to this policy require Security approval.
5.5.5 Transport
Physical transport of INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED hard data shall require
the use of a trusted courier as follows:
Ensono internal mail staff
U.S. Postal Service
UPS©
Federal Express©
Physical transport of INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED data shall require
the information be enclosed within an opaque and sealed envelope or container.
All information classified as INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED which is
stored on physical media, and transported to or from Ensono must be encrypted.
In cases where transportation of unencrypted devices, such as servers or network devices, is
required, a secure transport solution that conforms to a higher degree of security controls
should be employed. This solution must be approved by Audit & Compliance and/or E-SEC.
5.5.6 Electronic Transmission
All information classified as INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED transmitted to
or from Ensono via any public network must be encrypted.
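The label rules in this chapter compose into a small lattice: data with no official label defaults to CONFIDENTIAL (5.4.1), combined information takes the most restrictive label present (5.4.1), RESTRICTED data must be encrypted at rest (5.5.4), and anything above PUBLIC crossing a public network must be encrypted in transit (5.5.6; RESTRICTED is encrypted in transit everywhere per 5.3.1). The following Python is an added example written for this page, not part of the Ensono ISP; the function names, the control names such as `need_to_know`, and the record layout in `SAMPLE_RECORDS` are assumptions, and the records are constructed.

```python
from enum import IntEnum
from typing import Iterable, Optional


class Classification(IntEnum):
    """Ensono labels ordered least to most restrictive (ISP 5.3.1)."""
    PUBLIC = 0
    INTERNAL_USE_ONLY = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# 5.4.1: data that carries no official label is handled as CONFIDENTIAL.
DEFAULT_LABEL = Classification.CONFIDENTIAL


def effective_label(label: Optional[Classification]) -> Classification:
    return DEFAULT_LABEL if label is None else label


def combine(labels: Iterable[Optional[Classification]]) -> Classification:
    """5.4.1: information built from several sources takes the most restrictive
    label present (the join in the lattice). Unlabeled inputs count as CONFIDENTIAL,
    so mixing one unlabeled field into INTERNAL USE ONLY data raises the result."""
    effective = [effective_label(label) for label in labels]
    if not effective:
        raise ValueError("cannot classify an empty combination")
    return max(effective)


def required_controls(label: Optional[Classification], *, public_network: bool) -> set:
    """Handling controls derived from 5.5.1, 5.5.4 and 5.5.6. Control names are assumptions."""
    label = effective_label(label)
    controls = set()
    if label >= Classification.INTERNAL_USE_ONLY:
        controls.add("need_to_know")            # 5.5.1: need-to-know for everything above PUBLIC
        if public_network:
            controls.add("encrypt_in_transit")  # 5.5.6: any transit over a public network
    if label == Classification.RESTRICTED:
        controls.add("encrypt_at_rest")         # 5.5.4: at rest, exceptions need Security approval
        controls.add("encrypt_in_transit")      # 5.3.1: RESTRICTED is encrypted in transit everywhere
    return controls


# Constructed inventory records (not real Ensono data). Each record lists the label of
# every field it contains plus the controls actually applied to the store.
SAMPLE_RECORDS = [
    {"name": "client-billing-export", "public_network": False,
     "fields": {"client_name": Classification.CONFIDENTIAL, "card_number": Classification.RESTRICTED},
     "controls": {"need_to_know"}},
    {"name": "ops-runbook-mirror", "public_network": True,
     "fields": {"procedure": Classification.INTERNAL_USE_ONLY, "host_list": None},
     "controls": {"need_to_know", "encrypt_in_transit"}},
    {"name": "marketing-site", "public_network": True,
     "fields": {"press_release": Classification.PUBLIC},
     "controls": set()},
]


def audit(records) -> dict:
    """For each record: the combined label and the controls it still lacks."""
    result = {}
    for record in records:
        label = combine(record["fields"].values())
        missing = required_controls(label, public_network=record["public_network"]) - set(record["controls"])
        result[record["name"]] = (label, sorted(missing))
    return result


if __name__ == "__main__":
    for name, (label, missing) in audit(SAMPLE_RECORDS).items():
        print(f"{name:24} {label.name:18} missing: {missing or 'none'}")
```

The unlabeled `host_list` field is what pushes the runbook mirror from INTERNAL USE ONLY to CONFIDENTIAL; that is the intended effect of the 5.4.1 default, and it is why labeling at creation time matters more than it first appears.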
5.5.7 Verbal Communication
All Ensono users shall be required to maintain confidentiality with regards to client data and
information.
All communication related to a client or a client’s business shall be confined within an
appropriate business environment and will not be accessible to users who are not
specifically authorized to access communication regarding the client.
Ensono associates shall take extra care when travelling or in public spaces, to ensure that
confidential information is not discussed in an area that can be overheard by the public or
unauthorized individuals.
Users shall be prohibited from communicating INTERNAL USE ONLY, CONFIDENTIAL, or
RESTRICTED information in such a way or in such an environment that it is known that
inappropriate disclosure will occur.
5.5.8 Destruction
5.5.8.1 GENERAL DESTRUCTION REQUIREMENTS
All information shall be retained until such a time as it is no longer needed
and has exceeded the documented retention period.
Users shall always destroy INTERNAL USE ONLY, CONFIDENTIAL or
RESTRICTED information in such a way as to not compromise the
classification level.
INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED information shall be
destroyed according to approved methods as specified within the ISP.
5.5.8.2 DESTRUCTION OF PAPER INFORMATION
INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED information in paper
form shall be shredded when no longer needed. The use of an Ensono
approved shredding service (i.e. “shred bins”) is required.
Users shall be prohibited from disposing non-shredded INTERNAL USE
ONLY, CONFIDENTIAL or RESTRICTED information in standard trash cans or
recycle bins.
Remote workers are required to either shred documents in a manner that
provides a certificate of destruction or ship the paper to an Ensono office
for destruction. It is each associate’s responsibility to ensure paper is
destroyed in accordance with Ensono policies.
Ensono information in paper form classified as PUBLIC may be disposed of
at the associate’s discretion, but shredding is always preferred.
5.5.8.3 DESTRUCTION OF MEDIA INFORMATION
All Ensono information contained on USB drives, diskettes, magnetic tapes
or other computer-related storage media that is intended to be reused
for other purposes shall be permanently removed prior to reuse (e.g.,
securely overwritten, or degaussed in the case of magnetic media; degaussing
does not sanitize flash media such as USB drives).
All Ensono information contained on USB drives, diskettes, magnetic tapes
or other computer-related storage media that is intended to be disposed of
shall either be permanently removed prior to disposal (e.g., securely
overwritten or, for magnetic media, degaussed) or the media securely
eradicated (e.g., shredded) in a manner that ensures complete destruction of
the classified information.
All computing devices and electronic storage media shall be checked and
verified to be free of 1) software licensed to Ensono and 2) any Ensono
information prior to being discarded, disposed, or otherwise permanently
removed from Ensono premises or permanently disconnected from
Ensono’s enterprise services.
6 Communications and Operations Management
6.1 COMMUNICATIONS AND OPERATIONS MANAGEMENT OBJECTIVES
To ensure the correct and secure operation of business processes.
To minimize the risk of system failures.
To protect the integrity of software and information from damage by malicious software.
To maintain the integrity and availability of business processes and communication services.
To ensure the safeguarding of information in networks and the protection of the supporting
infrastructure.
To prevent damage to assets and interruptions to business processes.
To prevent loss, modification or misuse of information exchanged between entities.
To ensure correct and appropriately-documented Information Security procedures for all processes
related to Information Security identified at Ensono.
6.2 OPERATIONAL PROCEDURES AND RESPONSIBILITIES
6.2.1 General Controls
Each member of the Service Operations teams shall serve in the role of Information
Custodian.
Each Information Custodian shall identify and document all processes within their area of
responsibility.
Each Information Owner shall ensure Information Custodians maintain the system
documentation for all processes within their area of responsibility.
Each Information Owner and custodian shall be responsible for working with E-SEC and the
Audit & Compliance team to develop appropriate Information Security standards and
procedures for all identified processes to include appropriate operating instructions, as well
as incident response procedures.
Information Custodians shall work with applicable security teams to identify those areas
within their realm of responsibility where segregation of duties should be implemented to
reduce the risk of negligent or deliberate system misuse.
6.2.2 Documented Operating Procedures
Information Custodians shall be responsible for maintenance of Information Security related
documented procedures and operations within their realm of responsibility.
All Information Security procedures shall be treated as formal documents and shall adhere
to Ensono’s identified change management processes.
Information Security procedures shall include, to the extent possible, the following:
Instructions for handling errors or other unexpected conditions.
Support contacts.
Any special handling instructions.
System restart and recovery procedures.
Related information such as security standards, procedures and guidelines.
Information Custodians shall be responsible for documenting system maintenance
procedures where applicable.
6.2.3 Change Management
Information Custodians shall be responsible for ensuring that all information assets within
their area of responsibility are part of an identified change management system.
Formal change management procedures shall be implemented to ensure satisfactory control
of all changes to equipment, software, code or applications.
For any change, audit logs containing relevant information shall be retained.
All significant changes shall be identified and recorded.
Any change to a controlled environment shall have a documented business reason prior to
any change being made.
The Information Custodian shall assess the potential impact for any change to an
information asset within their area of responsibility.
Changes shall always be communicated to all stakeholders.
All changes shall have documented procedures identifying responsibilities for aborting and
recovering from unsuccessful changes.
Problem Management Procedures
Information Custodians shall be responsible for ensuring all computers or computing devices
within their area of responsibility are part of an identified problem management system.
6.2.4 Security Incident Management
Security incidents shall be addressed and handled as specified within Section 8.4 Responding to
Security Incidents.
6.2.5 Segregation of Duties
In order to reduce opportunities for unauthorized modification or misuse of information or
information assets and maintain business operations, Ensono shall implement the concept of
“separation of duties” to the extent possible.
A separation of duties shall exist between those that set policy, those that implement
security controls, and those that oversee enforcement of security controls.
The separation of security administration and system administration shall be implemented
to the extent possible.
Information Custodians shall be responsible for ensuring that supervision and/or audit trails
exist for instances in which segregation cannot be achieved.
Individuals considered to be auditors or fulfilling auditing roles shall be independent from
the organization being audited.
All efforts should be made to avoid scenarios that create or advance excessive control of
environments by one individual.
6.2.6 Separation of Development and Production Environments
Development and production environments shall be separated and shall adhere to the following:
Development teams shall be restricted from administrative level access to production
systems.
Development and production software shall be maintained on different systems where
possible.
Development and production software shall be maintained on a logically separated network
where possible.
Compilers, editors and other system utilities shall not be accessible from operational
systems when not required.
Production data should not be used in development environments wherever this can be avoided.
Should production data be required in a development environment, all RESTRICTED data shall
be masked, truncated, or otherwise obfuscated.
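Masking RESTRICTED data for a development copy deserves more care than it usually gets: a plain hash of an SSN or e-mail address is reversible by brute force over the small input space, and a column the masking job does not know about is the usual route by which production data reaches dev. The following Python is an added example, not Ensono's tooling; the column policy, the key handling and the sample rows are constructed assumptions. Tokens are keyed HMACs, so the same identifier masks to the same value across tables (joins in dev still work), while the key stays with the masking job and never reaches the development environment.

```python
import hashlib
import hmac
import re

# Assumption: a secret held only by the masking job. Never ship it to dev; without the
# key, tokens cannot be reversed even by enumerating every possible SSN.
MASK_KEY = b"constructed-demo-key-not-for-real-use"


def tokenize(value: str, key: bytes = MASK_KEY, length: int = 16) -> str:
    """Deterministic keyed pseudonym. Same input -> same token, so foreign keys stay
    consistent; an unkeyed hash would fall to a dictionary built over the input space."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def mask_email(value: str) -> str:
    local, _, _domain = value.partition("@")
    # .invalid is a reserved TLD (RFC 2606): a dev test mailer can never reach a real person.
    return f"{tokenize(local)}@example.invalid"


def mask_pan(value: str) -> str:
    """Keep only the last four digits of a card number (truncation, 6.2.6)."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def generalize_dob(value: str) -> str:
    """Reduce an ISO date of birth to its year: age-based logic stays testable."""
    return value[:4] + "-01-01"


# Column policy (assumption): every RESTRICTED column gets a masking function; columns
# that may pass through unchanged must be listed explicitly.
RESTRICTED_COLUMNS = {
    "ssn": tokenize,
    "email": mask_email,
    "card_number": mask_pan,
    "date_of_birth": generalize_dob,
    "full_name": lambda v: "Person " + tokenize(v, length=8),
}
PASSTHROUGH_COLUMNS = {"customer_id", "plan"}


def mask_row(row: dict) -> dict:
    """Fail closed: a column that is neither masked nor whitelisted aborts the copy,
    because an unknown column is exactly where unmasked RESTRICTED data slips through."""
    out = {}
    for column, value in row.items():
        if column in RESTRICTED_COLUMNS:
            out[column] = RESTRICTED_COLUMNS[column](value)
        elif column in PASSTHROUGH_COLUMNS:
            out[column] = value
        else:
            raise KeyError(f"column {column!r} has no masking policy; refusing to copy")
    return out


def mask_rows(rows):
    return [mask_row(row) for row in rows]


def leaked_values(original_rows, masked_rows) -> list:
    """Post-check: any original RESTRICTED value that survives verbatim in the output."""
    leaks = []
    for orig, masked in zip(original_rows, masked_rows):
        for column in RESTRICTED_COLUMNS:
            if column in orig and orig[column] == masked.get(column):
                leaks.append((column, orig[column]))
    return leaks


# Constructed sample rows (synthetic identifiers, not real people).
SAMPLE_ROWS = [
    {"customer_id": 1001, "full_name": "Jane Doe", "ssn": "123-45-6789",
     "email": "jane.doe@client.example", "card_number": "4111 1111 1111 1111",
     "date_of_birth": "1985-07-14", "plan": "gold"},
    {"customer_id": 1002, "full_name": "John Roe", "ssn": "987-65-4321",
     "email": "john.roe@client.example", "card_number": "5500-0000-0000-0004",
     "date_of_birth": "1990-02-28", "plan": "silver"},
    # The first customer again, as seen in a second table: must mask to the same tokens.
    {"customer_id": 1001, "full_name": "Jane Doe", "ssn": "123-45-6789",
     "email": "jane.doe@client.example", "card_number": "4111 1111 1111 1111",
     "date_of_birth": "1985-07-14", "plan": "gold"},
]

if __name__ == "__main__":
    masked = mask_rows(SAMPLE_ROWS)
    for row in masked:
        print(row)
    print("leaks:", leaked_values(SAMPLE_ROWS, masked))
```

Rotating `MASK_KEY` between refreshes breaks the link between successive dev copies, which is usually what you want; keeping it stable is only justified when the same tokens must persist across refreshes, and then the key needs the same protection as the RESTRICTED data it stands in for.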
6.3 SYSTEM PLANNING AND ACCEPTANCE
6.3.1 Capacity Planning
Information Owners shall be responsible for working with Information Custodians to monitor and
plan for capacity limitations and bottlenecks.
6.3.2 System Acceptance
Information Custodians responsible for production and development environments shall develop
and document acceptable standards for integration of new systems into areas of their
responsibility. Where applicable these standards shall include:
Error recovery, restart procedures and contingency plans.
Agreed set of security controls.
Effective manual procedures.
Business continuity arrangements.
Evidence that integration of a new system will not adversely affect existing systems.
Evidence that consideration has been given to the effect of the new system on overall
security of the environment.
All systems being considered for use within a production or development environment shall be
approved by the environment’s Information Owner as being acceptable prior to introduction or
integration into said environment.
6.4 PROTECTION AGAINST MALICIOUS SOFTWARE
6.4.1 Controls against Malicious Code
Detection and prevention controls shall be implemented on Ensono’s information assets to
protect against malicious code.
Non-Ensono equipment that connects to Ensono resources shall be subject to the same patch
and endpoint (e.g., laptop, desktop, server, and other mobile and network devices or software)
protection requirements as Ensono owned or managed equipment.
6.4.2 Malware Protection Policy
6.4.2.1 DUTY TO PROTECT
The Security team shall maintain a duty to protect Ensono users and assets
from malicious code and threats. Updated and advanced technologies should
be implemented and malware protection policies, procedures, technologies,
and practices updated and renewed as the threat landscape changes and
technologies improve.
6.4.2.2 INTENTIONAL USER INVOLVEMENT WITH MALWARE PROHIBITED
Any activity with the intention to create and/or distribute malicious programs
into Ensono’s network or onto any information asset shall be strictly
prohibited.
Users shall be strictly prohibited from writing, generating, compiling, copying,
collecting, propagating, executing or attempting to introduce any computer
code designed to self-replicate, damage or otherwise hinder the performance
of or access to any Ensono or Ensono client information asset.
6.4.2.3 MALWARE PROTECTION FOR FIREWALLS, SERVERS, AND WORKSTATIONS
Centrally-managed malware protection software shall be loaded, enabled, and
active on all Ensono assets that support malware protection software.
6.4.2.4 NETWORK BASED MALWARE PROTECTION
Wherever feasible network based malware protection controls should be
implemented to offer additional layers of protection against malicious code.
Technologies such as web and email content filtering, advanced threat
solutions, or other such protection mechanisms should be incorporated into
the overall malware protection strategy.
6.4.2.5 MALWARE PROTECTION FOR REMOTE WORKSTATIONS
Malware protection software shall be loaded, enabled, and active on all
Ensono owned, managed, or supported workstations that remotely
connect to Ensono’s network resources.
Non-Ensono workstations shall have malware protection software loaded,
enabled and active prior to connecting to Ensono’s resources.
6.4.2.6 UPDATES FOR MALWARE PROTECTION SOFTWARE
Malware protection software and malware definition files shall be kept up-
to-date on all devices that are required to have malware protection
software.
Automatic updates of malware protection software and definitions shall be
the preferred method for updates.
Users shall be responsible for timely updates of malware protection
software and definitions on their workstations.
System administrators shall be responsible for timely updates of malware
protection software and definitions for devices within their area of
responsibility.
6.4.2.7 TRUSTED SOURCES
Software loaded on Ensono computers and networks shall come from
trusted sources. Trusted sources include:
Business partners
Industry-recognized vendors
Commercial software vendors
Software downloaded from forums, shareware, public domain software or
other software from untrusted sources shall be avoided and only
implemented under controlled scenarios.
Software should never be installed or run from USBs or external drives.
These sources should be considered untrusted at all times.
6.4.2.8 SCREENING OF SOFTWARE PRIOR TO USE
Prior to installing or running executable programs provided by third parties
or by other Ensono departments, users shall scan those programs using
malware scanning software.
Software source code provided by third parties or other Ensono
departments shall be visually reviewed prior to compilation, and the
resulting executable program shall be scanned with malware-checking
software prior to installation or execution on any Ensono system.
Users shall be prohibited from bypassing a scanning process that could
arrest the transmission of malware.
6.4.2.9 DECRYPTION OF FILES BEFORE CHECKING FOR MALWARE
All externally-supplied computer readable files (software programs, databases,
word processing documents, spreadsheets, etc.) shall be decrypted prior to
being subjected to the malware checking process.
6.4.2.10 REQUIRED USER RESPONSE TO SUSPECTED MALWARE INFECTION
All significant errors, incomplete processing and improper processing of
production applications shall be promptly reported to the Ensono Service
Desk, as they may be indicators of a malware infestation.
Users who become a victim of malware infection shall immediately report
the infection to Ensono’s Service Desk.
Users shall be responsible for working with relevant members of Ensono’s
technical teams to resolve malware infestations on their workstations.
6.4.3 Vulnerability Management Program
Vulnerability management is a necessary part of the overall security framework at Ensono. For
the purposes of the ISP, Ensono defines a vulnerability detection solution as the automated
process of proactively identifying vulnerabilities of computing systems in a network in order to
determine if and where a system can be exploited or threatened. Ensono considers vulnerability
detection to be a part of a secured operating infrastructure, and as such, the following shall be
adhered to:
6.4.3.1 GENERAL CONTROLS
Ensono shall maintain centrally supported and administered vulnerability
detection solutions.
All network connected systems, and devices where applicable, shall be
required to participate in Ensono’s corporate vulnerability detection
solution.
All new systems shall be scanned and remediated prior to being used to
conduct Ensono related business.
All systems being moved or transferred, from their current environment to
a new environment, shall be scanned and remediated prior to being
connected to the new environment. This includes development, test, and
production environments.
Any system, connected to Ensono’s infrastructure shall be subject to
additional vulnerability scans, as warranted by security or operational
necessity, at the request of members of Ensono’s Security team.
No vulnerability detection scan shall be considered complete unless a
useable report has been provided to the information asset’s Information
Owner, Information Custodian, or their designees.
Information Custodians are welcome to and strongly encouraged to
conduct vulnerability scans on systems prior to deployment in production
in accordance with change control and other such relevant policies and
Ensono practices.
Vulnerability detection scans on all Ensono-owned or managed systems
and devices must adhere to Ensono’s Vulnerability Management Program
Standard. The minimum frequency of these vulnerability scans must be
approved by Security.
Users shall be permitted to run independent vulnerability testing against
systems for which they are responsible. However, this shall not be
considered sufficient to protect Ensono, and shall not exempt any system
or device from participating in Ensono’s Vulnerability Management
Program.
Third parties are prohibited from conducting vulnerability assessment
activities except when explicitly approved by Security.
6.4.3.2 ADMINISTRATIVE CONTROLS
Security shall maintain overall responsibility for setup, administration, and
maintenance of all centrally managed vulnerability detection systems
deployed at Ensono locations.
Centrally managed vulnerability detection systems shall be updated on a
regular basis. This regular basis shall be no less than once a week, or as
new updates are available.
6.4.3.3 CONFIGURATION
All centrally supported vulnerability detection solutions shall be configured
as follows:
Shall provide for a minimal number of false positives.
Shall provide non-intrusive scans, unless an intrusive scan has been
requested by the system administrator and approved by the Information
Owner or designee.
Shall allow system administrators to conduct scans within their individually
identified timeframes.
Shall provide automation of scanning.
Shall provide adequate reporting mechanisms.
6.4.3.4 SECURITY AND USER INTERACTION WITH VULNERABILITY MANAGEMENT SYSTEMS
Detailed vulnerability scan results shall be classified as RESTRICTED.
Users shall be prohibited from viewing or accessing detailed vulnerability
scan results for systems and/or devices for which they do not have a need
to know.
Users who have not been designated by Security or Ensono Service
Operations teams shall be prohibited from running vulnerability detection
applications on or against systems for which they have not been granted
permission by the information asset’s Information Owner.
6.4.3.5 REMEDIATION AND RESPONSIBILITY
Information Owners shall be responsible for ensuring that all information
assets within their area of responsibility participate in Ensono’s identified
vulnerability detection solution.
Information Custodians shall be responsible for providing notification of
false positives to the vulnerability scanning administrators.
Upon notification of a vulnerability, Information Custodians are
responsible for providing resolution in the timeframes defined in the
documentation standards for the Ensono Vulnerability Management
Program.
Information Custodians shall be responsible for working with members of
Security and other appropriate technical resources to resolve identified
vulnerabilities.
Corrective action plans shall be reviewed and approved by Security or an
appropriate reviewer prior to implementation. Any review of a corrective
action plan must occur in a timely manner that does not negatively impact
the dates identified within the corrective action plan.
Security will oversee and report remediation status, at a minimum, on a
quarterly basis.
6.4.3.6 ENFORCEMENT
Security will maintain a duty to protect Ensono assets from exploitation of
vulnerabilities.
In order to protect Ensono’s business and clients, failure to resolve
relevant vulnerabilities within the identified time frames may result in
removal of a system or device from Ensono’s network without notification.
Compliance reviews of Ensono’s Vulnerability Management Program shall
be conducted as a joint effort between Ensono’s Security and Audit &
Compliance teams.
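Sections 6.4.3.5 and 6.4.3.6 (and the exception rules in 6.4.3.7 that follow) describe a bookkeeping problem: findings are due within the timeframes of the Vulnerability Management Program Standard (not reproduced on this page), false positives reported by the custodian drop out of the SLA, temporary exceptions move a due date but never remove it, Security reports status at least quarterly, and hosts that miss their dates may be removed from the network. The following Python is an added example of that tracking and is not Ensono's tooling; the windows in `SLA_DAYS`, the finding fields and the sample findings are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumption: remediation windows per severity. The real values live in Ensono's
# Vulnerability Management Program Standard, which this page does not reproduce.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def due_date(finding: dict) -> date:
    """First-seen date plus the severity window. An approved exception (6.4.3.7) may
    extend the deadline to its stated resolve-by date, but never shortens or removes it."""
    deadline = finding["first_seen"] + timedelta(days=SLA_DAYS[finding["severity"]])
    exception_until = finding.get("exception_until")
    if exception_until is not None:
        deadline = max(deadline, exception_until)
    return deadline


def is_open(finding: dict) -> bool:
    # False positives reported by the custodian (6.4.3.5) and fixed findings are not
    # tracked against the SLA; anything else still counts.
    return finding["state"] == "open"


def is_overdue(finding: dict, today: date) -> bool:
    return is_open(finding) and today > due_date(finding)


def enforcement_candidates(findings, today: date) -> list:
    """Hosts with at least one overdue finding: candidates for removal from the network (6.4.3.6)."""
    return sorted({f["host"] for f in findings if is_overdue(f, today)})


def custodian_worklist(findings, today: date) -> dict:
    """Open findings per Information Custodian, most overdue first (negative = days remaining)."""
    work = defaultdict(list)
    for f in findings:
        if is_open(f):
            work[f["custodian"]].append((f["host"], f["title"], (today - due_date(f)).days))
    return {custodian: sorted(items, key=lambda item: -item[2]) for custodian, items in work.items()}


def status_summary(findings, today: date) -> dict:
    """Open/overdue counts per severity for Security's periodic remediation report (6.4.3.5).
    The detailed results behind these counts are RESTRICTED (6.4.3.4); the summary carries no host detail."""
    summary = {}
    for f in findings:
        if not is_open(f):
            continue
        row = summary.setdefault(f["severity"], {"open": 0, "overdue": 0})
        row["open"] += 1
        if is_overdue(f, today):
            row["overdue"] += 1
    return summary


# Constructed findings: hosts, titles and dates are invented for the example.
TODAY = date(2016, 3, 1)
SAMPLE_FINDINGS = [
    {"host": "db01", "title": "outdated database engine", "severity": "critical",
     "first_seen": date(2016, 2, 1), "custodian": "dba-team", "state": "open"},
    {"host": "web02", "title": "weak TLS configuration", "severity": "high",
     "first_seen": date(2016, 2, 15), "custodian": "web-team", "state": "open"},
    {"host": "app03", "title": "missing OS patches", "severity": "medium",
     "first_seen": date(2015, 11, 1), "custodian": "app-team", "state": "open",
     "exception_until": date(2016, 2, 15)},            # exception has lapsed
    {"host": "web02", "title": "default credentials", "severity": "critical",
     "first_seen": date(2016, 1, 10), "custodian": "web-team", "state": "false_positive"},
    {"host": "app04", "title": "verbose error pages", "severity": "low",
     "first_seen": date(2015, 10, 1), "custodian": "app-team", "state": "fixed"},
    {"host": "app05", "title": "unsupported middleware", "severity": "high",
     "first_seen": date(2016, 1, 15), "custodian": "app-team", "state": "open",
     "exception_until": date(2016, 4, 1)},             # exception still in force
]

if __name__ == "__main__":
    print("summary:", status_summary(SAMPLE_FINDINGS, TODAY))
    print("remove from network:", enforcement_candidates(SAMPLE_FINDINGS, TODAY))
    for custodian, items in custodian_worklist(SAMPLE_FINDINGS, TODAY).items():
        print(custodian, items)
```

The lapsed exception on `app03` is the case worth noticing: an exception that is not renewed by its stated date puts the host straight back on the enforcement list, which is what 6.4.3.7's insistence that exceptions be temporary and tied to a resolve-by date amounts to in practice.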
6.4.3.7 EXCEPTION PROCESS
Due to the nature of vulnerability detection systems, it is at times possible that
the scanning process will adversely affect a machine. To that extent exceptions
can be requested for systems that are impacted by the vulnerability detection
system. The exception process shall follow the standard process for all
exception requests. Exceptions are reviewed and granted based upon the
following:
Exception requests for a vulnerability detection scan shall be temporary.
All security and patch update controls shall be implemented as stated
within the ISP.
All granted exception requests shall be based on the fact that the team
requesting the exception will resolve all issues by a stated date.
All granted exception requests shall be based on the fact that the
Information Custodian will work diligently to return to a normal operating
environment, which includes recurring vulnerability detection scans.
The Information Owner will review, approve, and oversee exceptions
relevant to the environments for which they are responsible.
6.4.4 Configuration and Patch Management Policy
All Ensono-owned or managed devices shall be periodically updated with vendor patches
and system upgrades, where applicable.
Appropriate testing of patches/upgrades and change management procedures shall be
followed for all applied patches and upgrades.
All Ensono-IT assets will be configured in a secure manner, centrally managed, and take
advantage of the latest technology for implementing secure configurations.
Systems classified as “RESTRICTED” shall follow an industry accepted hardening procedure,
such as the benchmarks provided by the Center for Internet Security (CIS).
In order to protect Ensono’s environment, failure to patch or update systems in a timely
manner may result in removal of a system from Ensono’s network without notification.
6.4.5 Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS)
Security will maintain a duty to protect Ensono assets from exploitation of vulnerabilities by
ensuring all detection solutions take advantage of the latest technology and offer multiple
layers of detection.
All Ensono systems and devices shall be monitored by a centrally managed IDS/IPS solution.
Management of Ensono’s IDS/IPS solution shall be maintained by Security.
Information Custodians shall be responsible for ensuring that devices within their realm of
responsibility, which are considered Ensono core business critical, participate in Ensono’s
IDS/IPS solution.
Ensono shall use both host-based and network-based IDS/IPS solutions, where applicable.
IDS/IPS solutions shall be implemented and maintained to the minimum industry standard
expectation.
6.5 BACKUP AND RESTORATION
6.5.1 Information Backup
Backup copies of essential Ensono business information and software shall be taken on a
regular basis.
Adequate backup facilities shall be provided to ensure that all essential Ensono business
information and software can be recovered following a disaster or media failure.
Backup arrangements for individual systems shall be regularly tested to ensure that they
meet the requirements of the Business Continuity/Disaster Recovery (BC/DR) plans.
A minimum level of backup information, together with accurate and complete records of the
backup copies and documented restoration procedures, shall be stored in a remote location
at a sufficient distance to escape any damage from a disaster at the main site.
At least three (3) cycles of backup information shall be retained for all important business
applications.
Backup information shall be given the appropriate level of physical and environmental
protections.
Backup media shall be regularly tested, where practicable, to ensure the media can be relied
upon for emergency use when necessary.
Restoration procedures shall be regularly checked and tested to ensure they are effective
and they can be completed within the time allotted.
Retention and archive standards shall be followed as specified in the ISP.
6.6 MEDIA HANDLING AND SECURITY
6.6.1 Management of Removable Computer Media
Ensono prohibits the use of writeable removable media in Ensono workstations for the
general employee population.
Removable media includes but is not limited to: writable optical media, external portable
storage devices, flash memory devices, MP3 Players, Tablets, PDAs, mobile phones, etc.
Employees will be permitted to use writeable removable media when the frequent use of
such is required by their specific job responsibilities. All such cases must be individually
documented and approved by a senior manager and Security through the ISP Exception
Request Process.
6.6.2 Disposal of Media
Media shall be disposed of securely and safely when no longer required for business processes.
6.6.3 Security of System Documentation
Information Custodians shall be responsible for maintaining and securing all system
documentation for systems within their realm of responsibility.
Access to system documentation shall be kept to a minimum, and access shall be authorized
by the Information Custodian.
6.7 NETWORK SECURITY AND MANAGEMENT
6.7.1 Restriction on Physical Access to Ensono’s Network
Access to Ensono’s network infrastructure shall be explicitly denied unless specifically
authorized.
All physical connections to Ensono’s network shall be managed and shall be disabled when
not in use.
Managers shall be responsible for notifying network personnel when physical connections
are no longer needed.
6.7.2 Requirements for the Security of Ensono’s Network
All Ensono clients shall be segmented by stateful inspection firewalls and only the minimum
services permitted in and out of client environments.
All software installed on network-attached devices shall be maintained at a level supported
by the vendor.
Operational responsibility for network assets shall be separated from network security
operations where appropriate.
Personnel responsible for the management of network components must have defined roles
and responsibilities. All personnel must be made aware of the responsibility of securing
network components.
Security will maintain oversight of the secure operation of all network devices.
All assets connected to Ensono’s network shall have an identified and documented
Information Custodian. Information Custodians responsible for network assets shall work
with appropriate teams to identify and document relevant Information Security standards
for all network assets.
Information Custodians responsible for network assets shall implement and maintain
necessary security controls for Ensono’s network assets.
Where necessary and required by regulatory or contractual requirements, special controls
shall be implemented to safeguard the confidentiality and integrity of data passing over
public networks.
Network and network-related asset design, implementation, administration, maintenance
and decommission shall take security into consideration during all phases of each network
asset life cycle.
Detailed information related to Ensono’s network shall be classified as INTERNAL USE ONLY.
Access to or disclosure of network-related information shall be strictly prohibited and shall
require appropriate authorization prior to disclosure.
All information assets used to manage, pass or filter network traffic shall be maintained
within an appropriately physically secured location.
Firewalls, demilitarized zones (DMZs) and proxy servers shall be implemented where
necessary to protect Ensono business processes.
All users shall be required to authenticate themselves at a firewall prior to establishing a real
time connection with any Ensono internal information asset over the Internet.
With the exception of telecommuters and mobile computer users, all users shall be required
to authenticate to the Internet through Ensono proxy servers.
All users shall be prohibited from establishing Internet or other external network
connections to Ensono’s internal network, which could allow a non-Ensono user access to
Ensono systems.
All users shall be prohibited from using new or existing internet connections to establish new
business channels prior to approval from relevant security teams, Security, Marketing, and
the Chief Legal Officer.
The use of remote control software shall be strictly prohibited, and such software shall not
be used to connect into Ensono’s network or to Ensono’s network assets from a public network,
without approval from Security through the ISP Exception Request Process.
Ensono’s standard desktop firewall software shall be installed and active on all Ensono-owned
or managed workstations (e.g., desktops and laptops).
6.7.3 Requirements for Network Management
Network Management teams will maintain a duty to innovate to provide Ensono the highest
degree of service and protection.
Naming conventions for devices located on Ensono’s network shall be subject to approval
from relevant information owners, custodians, and the Risk Management Committee.
An asset management process shall be in place that ensures an inventory of network devices
is maintained that includes, at a minimum, IP subnet designation, hostnames, owner, and
other relevant information.
Traffic present on Ensono’s network shall be restricted and shall originate or terminate on
assets that are authorized to be on Ensono’s network.
Information Custodians responsible for network assets shall work with appropriate teams to
document relevant operational procedures for all network assets.
Network device audit logs shall be enabled and stored in a centrally managed log
management solution and reviewed and/or monitored by E-SEC.
Network assets shall be, at a minimum, maintained to applicable industry standards.
Network diagrams must be kept current and describe how networks are configured as well
as identify the location of all network devices.
6.7.4 Network Firewall Standard
6.7.4.1 FIREWALL GENERAL SECURITY CONTROLS
Firewall devices shall be stationed at all points of entry into Ensono’s
network.
Firewall devices shall be established between any trusted and non-trusted
network.
Firewalls shall exist as a dedicated system or device and shall be prohibited
from performing any other function other than firewall-related tasks.
Firewall devices shall, at a minimum, meet or exceed all vendor hardware
specifications.
All firewall devices which are in production shall have a backup device or
system fully capable of fulfilling the obligations of the primary firewall in
case of an emergency or failure.
Firewalls shall be configured as “default deny.”
Firewall policies and perimeter protection device configurations will be
reviewed quarterly by Security and Audit & Compliance teams.
6.7.4.2 IDENTIFIED RESPONSIBILITY
Ensono Network teams are responsible for all management of, changes to,
updates to, or modifications of all firewall devices managed or owned by
Ensono. Security and Audit & Compliance teams will review and approve
all significant modifications that may affect Ensono assets.
Ensono Network Teams shall be responsible for working with relevant
teams to identify and document all necessary technical standards for
firewall devices. This includes both devices currently in use, as well as
devices that are under consideration for use.
Ensono Network Teams shall be responsible for working with relevant
teams for creation, maintenance and administration of any procedure or
relevant documentation related to firewall devices.
6.7.4.3 FIREWALL CONFIGURATION
All firewall devices shall be configured to explicitly deny all traffic and
services on all ports not specifically authorized.
All openings through a firewall device shall have documentation
supporting the opening and will contain the following information:
Business unit requesting change
User requesting change
Business reason supporting change
Managerial approval
All firewall devices, in the event of a failure, shall be configured to “default
deny” for all network traffic until such a time the appropriate
administrator re-enables all services.
All firewall devices shall deny all traffic on an external connection that
appears to have originated from an internal network address.
Intrusion Detection and/or Advanced Threat solutions shall monitor all
firewall devices owned or managed by Ensono.
Firewall configurations shall implement secure configurations including but
not limited to the following:
Authentication through centralized directory services and restriction on
local accounts
Consistent, standard, and centrally managed build configurations
Backup and restoration procedures
Logging of all “Accepts” and “Denies”
Implementation of advanced features, such as Layer 7 controls or Intrusion
Detection/Prevention features
Firewall configurations will be reviewed and approved by Security.
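The default-deny, anti-spoofing, logging and change-documentation controls above (repeated in 7.1.1.2) can be checked mechanically before a rule set goes live. The following is an added example, not part of the Ensono policy or its tooling: the rule model, the internal address ranges and both sample rule sets are constructed for illustration.

```python
"""Check a firewall rule set against the 6.7.4.3 controls.

Added example, not an Ensono tool. The rule model, internal ranges and
sample rule sets are constructed; a real audit would import the vendor's
export format instead.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Address space behind the firewall (constructed assumption).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Documentation every opening must carry (6.7.4.3).
REQUIRED_DOCS = ("business_unit", "requester", "business_reason", "approval")


@dataclass
class Rule:
    name: str
    iface: str                 # "external", "internal" or "any"
    action: str                # "allow" or "deny"
    src: str = "any"           # CIDR or "any"
    dst: str = "any"
    port: str = "any"          # destination port as text, or "any"
    log: bool = True           # 6.7.4.3: log all accepts and denies
    docs: dict = field(default_factory=dict)


def _covers(selector, addr):
    return selector == "any" or ip_address(addr) in ip_network(selector)


def evaluate(rules, iface, src, dst, port):
    """First-match evaluation; returns the action of the winning rule."""
    for r in rules:
        if (r.iface in (iface, "any") and _covers(r.src, src)
                and _covers(r.dst, dst) and r.port in (port, "any")):
            return r.action
    return "deny"  # implicit deny; the standard wants it explicit as well


def audit(rules):
    """Return one finding per violated control; an empty list means compliant."""
    findings = []
    last = rules[-1] if rules else None
    if not (last and last.action == "deny"
            and (last.src, last.dst, last.port) == ("any", "any", "any")):
        findings.append("no terminal default-deny rule")
    for r in rules:
        if r.action == "allow":
            missing = [f for f in REQUIRED_DOCS if not r.docs.get(f)]
            if missing:
                findings.append(f"{r.name}: opening undocumented ({', '.join(missing)})")
        if not r.log:
            findings.append(f"{r.name}: logging disabled")
    # Anti-spoofing: a packet arriving on the external interface that claims an
    # internal source must be denied before any opening can match it.
    for net in INTERNAL_NETS:
        probe = str(net.network_address + 1)
        if evaluate(rules, "external", probe, "10.1.1.10", "443") != "deny":
            findings.append(f"spoofed internal source {probe} is accepted from outside")
    return findings


FULL_DOCS = {"business_unit": "Client Services", "requester": "jdoe",
             "business_reason": "client web portal", "approval": "A. Manager"}

# Constructed rule set that satisfies 6.7.4.3.
COMPLIANT = [
    Rule("antispoof-10", "external", "deny", src="10.0.0.0/8"),
    Rule("antispoof-192", "external", "deny", src="192.168.0.0/16"),
    Rule("web-in", "external", "allow", dst="10.1.1.10/32", port="443", docs=FULL_DOCS),
    Rule("default-deny", "any", "deny"),
]

# Constructed rule set: same opening, but undocumented, unlogged, no anti-spoofing.
WEAK = [
    Rule("web-in", "external", "allow", dst="10.1.1.10/32", port="443",
         log=False, docs={"requester": "jdoe"}),
    Rule("default-deny", "any", "deny"),
]

if __name__ == "__main__":
    for label, rules in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(label, audit(rules) or ["compliant"])
```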
6.7.4.4 FIREWALL ADMINISTRATION
Appropriate firewall documentation shall be maintained in offline storage.
This includes, but is not limited to, diagrams, IP addresses and
configurations.
Firewall documentation shall not be stored on the firewall device.
All changes to a firewall device shall be consistent with Ensono’s change
management practices as specified within the ISP.
All firewall devices shall be tested for vulnerabilities and configuration
problems prior to introduction into a production environment.
Administrative access to firewall devices shall be limited to authorized and
approved firewall administrators.
Administrative access to firewall devices shall be restricted to only allow
access through an internal network connection or through physical access.
Remote access to a firewall over a public network shall require encryption
and strong authentication.
Whenever applicable, all firewall administrators shall receive periodic
training on firewalls and network security practices.
In the event that access through a firewall includes authentication based
on source address, authentication shall be combined with other security
schemes to protect against IP spoofing attacks.
All firewall devices shall have security patches and updates implemented in
a timely manner.
All employees tasked with monitoring firewall devices shall subscribe to
external advisories.
6.7.4.5 PHYSICAL SECURITY
All firewall devices shall be located in physically-secured rooms.
All locations that house firewall devices shall have monitoring and logging
capabilities.
Access to rooms which house firewall devices shall be restricted to
authorized personnel whose access is necessary to conduct a business
function.
6.7.4.6 LOGGING AND AUDITING
Log files shall be enabled on all firewall devices and centrally stored and
monitored by Security.
All log files shall comply with the standards specified within the ISP.
All log files for all firewall devices shall be maintained and stored for
review for a minimum of one (1) year.
6.7.5 Router and Switch Security Standards
6.7.5.1 ROUTER AND SWITCH GENERAL SECURITY CONTROLS
All routers shall be required to use a centralized access control system for
all user authentications.
Local user accounts shall be restricted on all routers managed or owned by
Ensono, and shall be used only when TACACS is not available.
Local user accounts shall adhere to Ensono’s password requirements.
IP directed broadcasts shall be disallowed.
Incoming packets sourced with invalid addresses shall be disallowed.
TCP small services shall be disallowed.
UDP small services shall be disallowed.
Source routing shall be disallowed.
Web services running on a router shall be disallowed.
SNMP community strings shall adhere to Ensono’s password requirements.
Routers and switches shall apply secure configurations and be managed
centrally.
Configurations will be reviewed and approved by Security or Audit &
Compliance teams.
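Each control listed above corresponds to concrete configuration lines, so a configuration review can be scripted. Added example, not an Ensono tool: the two configurations are constructed in Cisco IOS syntax, and the SNMP community-string check uses an assumed 12-character, three-class rule as a stand-in for Ensono's password requirements, which this page does not spell out.

```python
"""Audit a router running-config against the 6.7.5.1 controls.

Added example, not an Ensono tool. Both configs are constructed in Cisco IOS
syntax; the secret rule (12+ characters, three character classes) is an
assumed stand-in for Ensono's password requirements.
"""
import re

# Constructed: an edge router that fails most of the 6.7.5.1 controls.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default local
service tcp-small-servers
ip http server
snmp-server community public RO
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip directed-broadcast
interface GigabitEthernet0/1
 ip address 10.1.0.1 255.255.255.0
 no ip directed-broadcast
"""

# Constructed: the same router brought into line with the standard.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip http server
snmp-server community Xk7!mQ2#pL9vR RO
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 no ip directed-broadcast
 ip verify unicast source reachable-via rx
interface GigabitEthernet0/1
 ip address 10.1.0.1 255.255.255.0
 no ip directed-broadcast
 ip verify unicast source reachable-via rx
"""


def parse_config(text):
    """Split an IOS config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def strong_secret(secret):
    """Assumed rule: 12+ characters drawn from at least three classes."""
    classes = sum(bool(re.search(p, secret)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return len(secret) >= 12 and classes >= 3


def audit_router(text):
    """Return one finding per violated control; an empty list means compliant."""
    g, ifaces = parse_config(text)
    findings = []
    if "aaa new-model" not in g:
        findings.append("AAA disabled: no centralized access control")
    for line in g:
        if line.startswith("aaa authentication login default"):
            methods = line.split()[4:]
            # TACACS+ must be tried first; local is acceptable only as fallback.
            if "tacacs+" not in methods or (
                    "local" in methods and methods.index("local") < methods.index("tacacs+")):
                findings.append("login authentication does not prefer TACACS+")
    for svc in ("service tcp-small-servers", "service udp-small-servers"):
        if svc in g:
            findings.append(f"{svc} enabled")
    if "no ip source-route" not in g:
        findings.append("source routing not disabled")
    if any(l.startswith("ip http ") and l.endswith("server") for l in g):
        findings.append("web services enabled on router")
    for m in (re.match(r"snmp-server community (\S+)", l) for l in g):
        if m and not strong_secret(m.group(1)):
            findings.append(f"SNMP community '{m.group(1)}' violates password requirements")
    for name, lines in ifaces.items():
        if "ip directed-broadcast" in lines:
            findings.append(f"{name}: IP directed broadcasts enabled")
        # uRPF drops packets whose source is not reachable back out the same
        # interface; an ingress ACL would satisfy the same control.
        if not any(l.startswith("ip verify unicast source reachable-via") for l in lines):
            findings.append(f"{name}: no source-address validation (uRPF)")
    return findings
```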
6.7.6 Wi-Fi Networks and Devices
6.7.6.1 RESTRICTIONS ON USE OF WI-FI DEVICES
Ensono prohibits the operation of Wi-Fi networks and devices that have
not been approved or implemented by Ensono Service Operations teams.
This includes implementation at any location or facility managed, owned or
leased by Ensono.
All Wi-Fi networks and associated configurations shall be reviewed and
approved by Security.
Security or designee shall be authorized to use scanners and other similar
tools to monitor for rogue access points, networks, and other wireless
devices. Wireless Intrusion Detection/Prevention and other monitoring
tools shall be implemented.
Any unauthorized device detected by scanning or identified through
physical means as being used while on Ensono premises shall be
deactivated and can be removed or confiscated by an authorized security
administrator.
6.7.6.2 WI-FI SECURITY REQUIREMENTS FOR EMPLOYEE ACCESS
Where it is deemed appropriate by senior management, Ensono Service
Operations teams may deploy secured Wi-Fi networks for employee access to
internal Ensono networks. Such networks should always be configured and
managed to current industry best practices and should at a minimum meet the
following requirements:
Unless prohibited by job function, duties, or contractual/regulatory
requirements, all Ensono employees with a valid and functional Ensono
Active Directory account shall be permitted to use these approved
networks.
All users connecting to Wi-Fi networks must be authenticated and the
ability to track each device to a user must be maintained.
Individuals who are not Ensono employees shall not be permitted to access
these Wi-Fi networks.
All approved device configurations will be reviewed by Security or Audit &
Compliance teams on a periodic basis to maintain adherence to industry
best practices.
All access to such Wi-Fi networks must be validated by at least two-factor
authentication methods.
The strongest industry standard Wi-Fi authentication and encryption
protocols must be used at all times. Devices and networks that cannot do so
are not permitted.
6.7.6.3 WI-FI SECURITY REQUIREMENTS FOR GUEST ACCESS
Where it is deemed appropriate by senior management, Ensono Service
Operations teams may deploy secured Wi-Fi networks for guest access to the
internet. Such networks should always be configured and managed to current
industry best practices and should at a minimum meet the following
requirements:
Unless prohibited by job function, duties, or contractual/regulatory
requirements, all Ensono employees with a valid and functional Ensono
Active Directory account shall be permitted to use these approved
networks.
Devices permitted to access such networks must be identifiable to the
individual owner.
Guest access permission must be revoked after 24 hours.
Access for periods of time longer than 24 hours may be granted to
individuals with long-term contractor status. Such access shall not exceed
the term of the contract or 90 days, whichever is shorter.
The strongest industry standard Wi-Fi authentication and encryption
protocols must be used at all times. Devices and networks that cannot do so
are not permitted.
Guest networks may never allow direct connectivity to Ensono’s internal
networks.
6.7.7 Remote Access Standard
6.7.7.1 GENERAL CONTROLS FOR CENTRALIZED REMOTE ACCESS SOLUTIONS
Remote access to Ensono’s network, or any device contained on Ensono’s
network shall be provided through a secured system or through a VPN
connection and shall require at least two-factor authentication.
Remote access connections to Ensono’s network or individual network
devices which do not pass through approved firewalls or secure
authentication servers shall be strictly prohibited and, prior to
implementation or use, shall require approval from Security through the
ISP Exception Request Process.
All inbound remote access connections shall require, at a minimum, the
use of a dynamic password system, which is approved by relevant security
teams and Security.
Auditing and logging of significant events shall be enabled, stored centrally
by Security, and monitored for all remote access connections.
6.7.7.2 GENERAL CONTROLS FOR DIRECT INWARD DIAL SOLUTIONS (NON-CENTRALIZED)
Information Owners shall maintain responsibility for identifying and
documenting all modems or similar devices that allow remote access to
devices or systems that are within their area of responsibility.
Externally connected modems or modem-like devices shall be labeled with
the appropriate Information Owner’s contact information.
Information Owners shall maintain an updated list of all accounts that
access a direct inward dial system connected to, or allowing access to,
devices or systems within their area of responsibility.
6.7.7.3 SECURITY OF DIRECT INWARD DIAL SOLUTIONS (NON-CENTRALIZED)
User accounts used to remotely access Ensono resources shall be
approved, in writing or electronic format, prior to use of a dial-in account.
Passwords for user accounts used to remotely connect to Ensono’s
information resources shall comply with Ensono’s password policy.
Auditing and logging of significant events shall be enabled and monitored
for all systems and devices configured to allow dial-in capabilities.
Access to a dial-in solution shall require, at a minimum, UserID/password
authentication.
Direct inward dial shall be disabled when not in use. This includes
hardware and/or software disabling.
Systems administrators shall be notified prior to remote connectivity
occurring on Ensono systems or devices.
6.8 SYSTEM CONFIGURATIONS
6.8.1 Server and Mainframe Security Standard
6.8.1.1 SERVER AND MAINFRAME GENERAL SECURITY CONTROLS
Naming conventions for servers and mainframes shall be subject to
approval from relevant Information Custodians and Security.
Asset management records shall include, at a minimum, hostname, IP
address, owner, description, and security classification.
All software installed on centrally managed servers and mainframes shall
be maintained at a level supported by the vendor.
Each server and mainframe shall have an identified and documented
Information Owner.
The Information Custodian shall be responsible for providing relevant
technical information to the NOC, EOC, Security, Audit and Compliance
team, and other relevant teams.
The Information Custodian shall be responsible for ensuring that systems
within their area of responsibility are placed within Ensono’s vulnerability
detection process.
The Information Custodian shall be responsible for ensuring systems within
their area of responsibility are part of an accurate inventory.
All implemented systems shall meet or exceed vendor-recommended
minimum hardware requirements.
Detailed information pertaining to the configuration of a server or
mainframe, to include information received from vulnerability scans, shall
be classified as INTERNAL USE ONLY, and shall require appropriate
authorization prior to any disclosure.
All systems, within both production and development environments, shall
be designed, commissioned, implemented, maintained, modified and
decommissioned in a standardized, documented fashion designed to
protect and secure Ensono information resources.
All system access shall be explicitly denied unless specifically allowed.
All TCP/UDP ports shall be explicitly disabled unless specifically needed.
All user access to a system shall require, at a minimum, a user
account/password pair for authentication.
System audit logs shall be enabled and reviewed on all systems in a
centrally managed system monitored by E-SEC.
User access logs shall be enabled and reviewed on all systems.
All systems used to conduct business processes shall be maintained within
an identified Ensono data center.
All systems shall be hardened as specified by industry standards or legal
agreements.
Externally facing systems or systems designated as RESTRICTED are
required to implement secure configurations as provided by the Center for
Internet Security (e.g. CIS Benchmarks).
All systems shall be maintained to industry standards, where applicable,
based on business need.
All systems shall be configured to restrict the chances of, or opportunities
to use an alternate boot device.
All systems shall be verified to be free of unacceptable vulnerabilities prior
to implementation into Ensono’s environment.
6.8.1.2 SERVER AND MAINFRAME MALWARE PROTECTION AND PATCH CONTROLS
All systems, where applicable, shall have centrally managed malware
protection software loaded, active and enabled.
All systems that have centrally managed malware protection software
installed shall comply with Ensono’s malware protection controls.
All systems shall be subject to scans by Ensono’s internal vulnerability
detection scanner.
All systems shall have patches and updates applied in a timely manner.
6.8.1.3 SERVER AND MAINFRAME CHANGE MANAGEMENT
All changes to systems, both in production and development, shall be part
of an identified change management program.
6.8.1.4 SERVER AND MAINFRAME SYSTEM DIAGNOSTIC DATA
When system diagnostic data must be shared with a 3rd party vendor, it
must be transported by secure means approved by E-SEC.
When diagnostic data is written to an external USB storage device, the USB
storage device must be an approved device and such device must be
tracked using a chain of custody methodology or other such process that is
tracked and maintains an audit trail.
All diagnostic data shall be deleted from USB storage devices once no
longer needed.
6.8.2 Workstation Security Standard
6.8.2.1 WORKSTATION GENERAL SECURITY CONTROLS
Workstations will apply secure configurations which will be reviewed and
approved by the Security, Audit, and/or Compliance teams.
All software installed on workstations shall be maintained at a level
supported by the vendor.
All workstation access shall be restricted to authorized users.
All workstations will be tracked in a centrally managed asset management
solution.
All workstations shall have malware protection software loaded, enabled
and active.
All workstations shall apply operating system and third-party patches on a
timely basis.
All workstations shall be designed, commissioned, implemented,
maintained, modified and decommissioned in a standardized, documented
fashion, designed to protect and secure Ensono information resources.
All workstations shall be updated and maintained to industry standards
where applicable, based on business need.
All users shall be prohibited from modifying, changing, removing or
circumventing security controls implemented by designated workstation
administrators, network system administrators or domain administrators.
All workstations shall have a logon banner specifying that unauthorized
use is prohibited.
All Information Custodians shall maintain an accurate inventory of
workstations within their area of responsibility.
All workstations shall be configured with password protected BIOS.
All workstations shall be configured to restrict the chance of, or
opportunity to use an alternate boot device.
Any end user system used to connect to Ensono’s network infrastructure
shall be required to have the latest updates and security patches applied,
as well as malware protection software loaded, enabled, active and
updated prior to connecting to Ensono’s network assets.
All Ensono-provided workstations shall be a member of Ensono’s
corporate domain.
6.8.3 Email Standard
6.8.3.1 EMAIL GENERAL SECURITY CONTROLS
Use of Ensono corporate email systems shall be considered “pre-
approved” for all employees.
The use of non-Ensono email systems (e.g., Hotmail®, Yahoo!®, AOL®, etc.)
for business-related correspondence shall be strictly prohibited, due to the
inherent security vulnerabilities of those systems as well as a lack of
adequate retention capabilities. The use of a non-Ensono email system
shall be permitted only when Ensono’s system is not readily available, and
the business issue is too urgent to wait until the corporate system
becomes available. Whenever a non-Ensono email system is used for
business related purposes, there must be no RESTRICTED or CONFIDENTIAL
contents unless it is encrypted prior to transmission.
Ensono shall protect, maintain and retain corporate email systems
including, but not limited to, all corporate relevant data, mailboxes or any
other information contained within corporate email systems.
Ensono’s email systems shall be protected as deemed necessary by
Ensono’s identified administrators.
All external communications with clients shall be encrypted using TLS 2.0
or later.
6.8.3.2 USER MAILBOX CONFIGURATION
All user mailboxes shall have a valid x.400 address.
Users shall be restricted to two (2) valid SMTP addresses, of which one
must conform to the identified standard naming convention.
The mailbox alias shall be the domain user ID.
Identification fields shall adhere to standard naming conventions.
The global address list shall have only one address entry per Ensono user.
6.8.3.3 EMAIL DISTRIBUTION LISTS
Email administrators shall be responsible for creating, renaming and
deleting distribution lists.
Each distribution list shall have an identified owner who is solely
responsible for the distribution list memberships.
The display names for a distribution list shall adhere to the following:
Alias – short description
6.8.3.4 RESOURCE MAILBOXES
Exchange administrators shall be responsible for creating, renaming and
deleting resource mailboxes to include calendar resources, team
mailboxes, etc.
Each resource mailbox shall have an identified owner who is solely
responsible for permissions to any and all folders contained within their
resource mailbox.
The display name for a resource mailbox shall adhere to the following:
Alias – short description
6.8.3.5 EMAIL CUSTOM RECIPIENTS
In the event it is necessary to add a customer’s email address to an Ensono
global distribution list the following shall be followed:
Display names for custom recipients shall be added using the following
format:
Last_First – Last First (Company)
These display names shall be created within the Customer Addresses
container of the Exchange Administrator.
6.9 EXCHANGES OF INFORMATION AND SOFTWARE
6.9.1 Information Confidentiality
Information classified as INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED, either implied
as such or specifically identified as such by contract or other means, should be protected
from unauthorized or unintended release or disclosure. All users shall adhere to the
following:
Information classified as or known to be CONFIDENTIAL or RESTRICTED, either formally or
informally, shall be restricted from disclosure, transferal or sale to any non-Ensono party.
Ensono’s Marketing team shall maintain responsibility for final approval of disclosure of any
information formally or informally classified as PUBLIC.
All exchanges of software and/or data between Ensono and any third party, not strictly
related to a business purpose, shall be prohibited unless a written agreement has been
signed.
All written agreements for the exchange of software and/or data shall, at a minimum,
contain the following:
Terms of the exchange
Date/Period of the agreement
Software/Data handling agreements
Software/Data protection agreements
Information classified, either formally or informally, as RESTRICTED or CONFIDENTIAL shall
be restricted from transport or transfer across any public network unless appropriately
encrypted.
All encryption solutions used to transport or transfer information classified as RESTRICTED or
CONFIDENTIAL shall comply with the ISP.
6.9.2 Information Reliability
All information received, downloaded or acquired from a public network source should be
considered suspect until verified and authenticated by a second source. To that extent, the
following should be adhered to when accessing information from a public network:
All non-text files downloaded from a non-Ensono source via the Internet or a public network
shall be screened with Ensono-approved malware protection software prior to being used
or installed on Ensono-owned or managed information resources.
Information, software or programs downloaded from a non-trusted source shall be tested on
a standalone, non-production machine prior to introduction into Ensono’s corporate
network.
Downloaded files that are compressed and/or encrypted shall be uncompressed and/or
decrypted prior to screening with malware detection software.
Automatic updating of software or information on Ensono computers via “background push”
internet technology shall be prohibited on all Ensono information resources unless Security
has approved the vendor.
The identity of individuals and/or organizations shall be verified prior to being engaged for
business purposes.
All users shall be prohibited from misrepresenting, obscuring, suppressing or replacing
another Ensono user’s identity on the Internet or any Ensono information resource.
All users shall be prohibited from establishing new Internet Web pages dealing with Ensono
business or making modifications to existing Web pages dealing with Ensono business unless
done in compliance with Ensono policies and applicable contract requirements.
All users shall be prohibited from modifying, hot linking to, updating, altering or otherwise
changing existing web pages that deal with Ensono business without approval from Ensono’s
Marketing team.
6.9.3 Public Representation
Ensono employees shall be allowed to indicate their affiliation with Ensono when conducting
personal business online, to the extent that:
Opinions or statements, including but not limited to, political advocacy statements and
product/server endorsement presented in conjunction with an affiliation with Ensono shall
also contain notification that the opinions or statements presented do not necessarily reflect
Ensono’s position.
All representations on behalf of Ensono, with the exception of ordinary marketing and
customer service activities, shall be approved by Ensono’s Marketing team prior to release to
the public.
Ensono employees shall be prohibited from libel, defamation of character, flaming or other
similar written attacks, and from other conduct that creates legal exposure, whenever an
affiliation with Ensono is associated with the post.
Ensono employees shall be prohibited from making threats against, harassing, annoying or
alarming another user or organization over the Internet.
Ensono shall reserve the right to require the removal of inappropriate Internet postings or
messages created by Ensono employees, which include an affiliation with Ensono.
Inappropriate postings are as follows:
Cursing or other foul language
Statements that contain non-business related information or that could be viewed as
harassing others based on:
Race
Creed
Color
Age
Sex
Physical or mental disability
Sexual orientation
Political statements
Religious statements
National origin
Military status
Public posting of Ensono or client confidential information on public forums is strictly
prohibited.
The decision to remove a posting shall be the responsibility of Ensono management
and/or Human Resources.
7 Firewall General Security Controls
Firewall devices shall be stationed at all points of entry into Ensono’s network.
Firewall devices shall be established between any trusted and non-trusted network.
Firewalls shall exist as a dedicated system or device and shall be prohibited from performing any
other function other than firewall-related tasks.
Firewall devices shall, at a minimum, meet or exceed all vendor hardware specifications.
All firewall devices which are in production shall have a backup device or system fully capable of
fulfilling the obligations of the primary firewall in case of an emergency or failure.
Firewalls shall be configured as “default deny.”
Firewall policies and perimeter protection device configurations will be reviewed quarterly by
Security and Audit & Compliance teams.
7.1.1.1 IDENTIFIED RESPONSIBILITY
Ensono Network teams are responsible for all management of, changes to,
updates to, or modifications of all firewall devices managed or owned by
Ensono. Security and Audit & Compliance teams will review and approve
all significant modifications that may affect Ensono assets.
Ensono Network Teams shall be responsible for working with relevant
teams to identify and document all necessary technical standards for
firewall devices. This includes both devices currently in use, as well as
devices that are under consideration for use.
Ensono Network Teams shall be responsible for working with relevant
teams for creation, maintenance and administration of any procedure or
relevant documentation related to firewall devices.
7.1.1.2 FIREWALL CONFIGURATION
All firewall devices shall be configured to explicitly deny all traffic and
services on all ports not specifically authorized.
All openings through a firewall device shall have documentation
supporting the opening and will contain the following information:
Business unit requesting change
User requesting change
Business reason supporting change
Managerial approval
All firewall devices, in the event of a failure, shall be configured to “default
deny” for all network traffic until such a time the appropriate
administrator re-enables all services.
All firewall devices shall deny all traffic on an external connection that
appears to have originated from an internal network address.
Intrusion Detection and/or Advanced Threat solutions shall monitor all
firewall devices owned or managed by Ensono.
Firewall configurations shall implement secure configurations including but
not limited to the following:
Authentication through centralized directory services and restriction on
local accounts
Consistent, standard, and centrally managed build configurations
Backup and restoration procedures
Logging of all “Accepts” and “Denies”
Implementation of advanced features, such as Layer 7 controls or Intrusion
Detection/Prevention features
Firewall configurations will be reviewed and approved by Security
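The quarterly firewall policy review can be partly automated. The following is an added example, not Ensono's own tooling: it audits a constructed first-match inbound rule chain for the four requirements above (default deny, denial of external traffic claiming an internal source address, logging of all accepts and denies, and the four documentation fields on every opening). The rule model, the internal address ranges and the sample rules are assumptions made for the example.

```python
"""Audit a firewall rule chain against the configuration requirements of
section 7.1.1.2. Added example, not Ensono's tooling; the rule model,
internal ranges and sample rules are constructed for illustration."""
from dataclasses import dataclass, field
import ipaddress

# Assumed internal address space for the example (RFC 1918 ranges); in practice
# this comes from the Network team's documented technical standards (7.1.1.1).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Documentation every opening through the firewall must carry (7.1.1.2).
REQUIRED_DOC_FIELDS = ("business_unit", "requester", "business_reason", "approver")


@dataclass
class Rule:
    """One entry of a first-match rule chain (constructed model)."""
    name: str
    action: str                 # "allow" or "deny"
    direction: str              # "in" (arriving on the external connection) or "out"
    src: str                    # source CIDR or "any"
    dst: str                    # destination CIDR or "any"
    port: str                   # destination port or "any"
    log: bool = False           # whether matches of this rule are logged
    doc: dict = field(default_factory=dict)


def _covers(rule_src: str, net) -> bool:
    """True if the rule's source field matches at least one address in net."""
    if rule_src == "any":
        return True
    rule_net = ipaddress.ip_network(rule_src, strict=False)
    return rule_net.version == net.version and rule_net.overlaps(net)


def _is_default_deny(rule: Rule) -> bool:
    return rule.action == "deny" and (rule.src, rule.dst, rule.port) == ("any", "any", "any")


def audit(rules: list) -> list:
    """Return policy findings as strings; an empty list means the chain complies."""
    findings = []
    inbound = [r for r in rules if r.direction == "in"]

    # Default deny: the inbound chain must end with an explicit deny-all.
    if not inbound or not _is_default_deny(inbound[-1]):
        findings.append("default-deny: inbound chain does not end with an explicit deny any/any/any")

    # Anti-spoofing: for each internal range, the first inbound rule that matches a
    # packet claiming that source must be a deny (first-match semantics).
    for net in INTERNAL_NETS:
        first = next((r for r in inbound if _covers(r.src, net)), None)
        if first is None or first.action != "deny":
            who = f"rule '{first.name}'" if first else "no rule"
            findings.append(f"anti-spoofing: {who} is the first inbound match for internal source {net}")

    # Logging: every accept and every deny must be logged.
    for r in rules:
        if not r.log:
            findings.append(f"logging: rule '{r.name}' does not log matches")

    # Documentation: every opening (allow rule) needs the four required fields.
    for r in rules:
        if r.action == "allow":
            missing = [f for f in REQUIRED_DOC_FIELDS if not r.doc.get(f)]
            if missing:
                findings.append(f"documentation: rule '{r.name}' missing {', '.join(missing)}")
    return findings


# Constructed sample chains: one that meets the requirements, one that does not.
COMPLIANT = [
    Rule("antispoof-10", "deny", "in", "10.0.0.0/8", "any", "any", log=True),
    Rule("antispoof-192", "deny", "in", "192.168.0.0/16", "any", "any", log=True),
    Rule("web-in", "allow", "in", "any", "10.1.2.3/32", "443", log=True,
         doc={"business_unit": "Web Ops", "requester": "jdoe",
              "business_reason": "customer portal", "approver": "mgr1"}),
    Rule("default-deny", "deny", "in", "any", "any", "any", log=True),
]

NONCOMPLIANT = [
    Rule("web-in", "allow", "in", "any", "10.1.2.3/32", "443", log=False,
         doc={"requester": "jdoe"}),
    Rule("default-deny", "deny", "in", "any", "any", "any", log=True),
]

if __name__ == "__main__":
    for label, chain in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(label, audit(chain) or ["OK"])
```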
7.1.1.3 FIREWALL ADMINISTRATION
Appropriate firewall documentation shall be maintained in offline storage.
This includes, but is not limited to, diagrams, IP addresses and
configurations.
Firewall documentation shall not be stored on the firewall device.
All changes to a firewall device shall be consistent with Ensono’s change
management practices as specified within the ISP.
All firewall devices shall be tested for vulnerabilities and configuration
problems prior to introduction into a production environment.
Administrative access to firewall devices shall be limited to authorized and
approved firewall administrators.
Administrative access to firewall devices shall be restricted to only allow
access through an internal network connection or through physical access.
Remote access to a firewall over a public network shall require encryption
and strong authentication.
Whenever applicable, all firewall administrators shall receive periodic
training on firewalls and network security practices.
In the event that access through a firewall includes authentication based
on source address, authentication shall be combined with other security
schemes to protect against IP spoofing attacks.
All firewall devices shall have security patches and updates implemented in
a timely manner.
All employees tasked with monitoring firewall devices shall subscribe to
external advisories.
7.1.1.4 PHYSICAL SECURITY
All firewall devices shall be located in physically-secured rooms.
All locations that house firewall devices shall have monitoring and logging
capabilities.
Access to rooms which house firewall devices shall be restricted to
authorized personnel whose access is necessary to conduct a business
function.
7.1.1.5 LOGGING AND AUDITING
Log files shall be enabled on all firewall devices and centrally stored and
monitored by Security.
All log files shall comply with the standards specified within the ISP.
All log files for all firewall devices shall be maintained and stored for
review for a minimum of one (1) year.
7.1.2 Router and Switch Security Standards
7.1.2.1 ROUTER AND SWITCH GENERAL SECURITY CONTROLS
All routers shall be required to use a centralized access control system for
all user authentications.
Local user accounts shall be restricted on all routers managed or owned by
Ensono, and shall be used only when TACACS is not available.
Local user accounts shall adhere to Ensono’s password requirements.
IP directed broadcasts shall be disallowed.
Incoming packets sourced with invalid addresses shall be disallowed.
TCP small services shall be disallowed.
UDP small services shall be disallowed.
Source routing shall be disallowed.
Web services running on a router shall be disallowed.
SNMP community strings shall adhere to Ensono’s password requirements.
Routers and switches shall apply secure configurations and be managed
centrally.
Configurations will be reviewed and approved by Security or Audit &
Compliance teams.
7.1.3 Wi-Fi Networks and Devices
7.1.3.1 RESTRICTIONS ON USE OF WI-FI DEVICES
Ensono prohibits the operation of Wi-Fi networks and devices that have
not been approved or implemented by Ensono Service Operations teams.
This includes implementation at any location or facility managed, owned or
leased by Ensono.
All Wi-Fi networks and associated configurations shall be reviewed and
approved by Security.
Security or designee shall be authorized to use scanners and other similar
tools to monitor for rogue access points, networks, and other wireless
devices. Wireless Intrusion Detection/Prevention and other monitoring
tools shall be implemented.
Any unauthorized device detected by scanning or identified through
physical means as being used while on Ensono premises shall be
deactivated and can be removed or confiscated by an authorized security
administrator.
7.1.3.2 WI-FI SECURITY REQUIREMENTS FOR EMPLOYEE ACCESS
Where it is deemed appropriate by senior management, Ensono Service
Operations teams may deploy secured Wi-Fi networks for employee access to
internal Ensono networks. Such networks should always be configured and
managed to current industry best practices and should at a minimum meet the
following requirements:
Unless prohibited by job function, duties, or contractual/regulatory
requirements all Ensono employees with a valid and functional Ensono
Active Directory account shall be permitted to use these approved
networks.
All users connecting to Wi-Fi networks must be authenticated and the
ability to track each device to a user must be maintained.
Individuals who are not Ensono employees shall not be permitted to access
these Wi-Fi networks.
All approved device configurations will be reviewed by Security or Audit &
Compliance teams on a periodic basis to maintain adherence to industry
best practices.
All access to such Wi-Fi networks must be validated by at least two-factor
authentication methods.
The strongest industry standard Wi-Fi authentication and encryption
protocols must be used at all times. Devices and networks that cannot meet
this requirement are not permitted.
7.1.3.3 WI-FI SECURITY REQUIREMENTS FOR GUEST ACCESS
Where it is deemed appropriate by senior management, Ensono Service
Operations teams may deploy secured Wi-Fi networks for guest access to the
internet. Such networks should always be configured and managed to current
industry best practices and should at a minimum meet the following
requirements:
Unless prohibited by job function, duties, or contractual/regulatory
requirements all Ensono employees with a valid and functional Ensono
Active Directory account shall be permitted to use these approved
networks.
Devices permitted to access such networks must be identifiable to the
individual owner.
Guest access permission must be revoked after 24 hours.
Access for periods of time longer than 24 hours may be granted to
individuals with long-term contractor status. Such access shall not exceed
the term of the contract or 90 days, whichever is shorter.
The strongest industry standard Wi-Fi authentication and encryption
protocols must be used at all times. Devices and networks that cannot meet
this requirement are not permitted.
Guest networks may never allow direct connectivity to Ensono’s internal
networks.
7.1.4 Remote Access Standard
7.1.4.1 GENERAL CONTROLS FOR CENTRALIZED REMOTE ACCESS SOLUTIONS
Remote access to Ensono’s network, or any device contained on Ensono’s
network shall be provided through a secured system or through a VPN
connection and shall require at least two-factor authentication.
Remote access connections to Ensono’s network or individual network
devices which do not pass through approved firewalls or secure
authentication servers shall be strictly prohibited and, prior to
implementation or use, shall require approval from Security through the
ISP Exception Request Process.
All inbound remote access connections shall require, at a minimum, the
use of a dynamic password system, which is approved by relevant security
teams and Security.
Auditing and logging of significant events shall be enabled, stored centrally
by Security, and monitored for all remote access connections.
7.1.4.2 GENERAL CONTROLS FOR DIRECT INWARD DIAL SOLUTIONS (NON-CENTRALIZED)
Information Owners shall maintain responsibility for identifying and
documenting all modems or similar devices that allow remote access to
devices or systems that are within their area of responsibility.
Externally connected modems or modem-like devices shall be labeled with
the appropriate Information Owner’s contact information.
Information Owners shall maintain an updated list of all accounts that
access a direct inward dial system connected to, or allowing access to,
devices or systems within their area of responsibility.
7.1.4.3 SECURITY OF DIRECT INWARD DIAL SOLUTIONS (NON-CENTRALIZED)
User accounts used to remotely access Ensono resources shall be
approved, in writing or electronic format, prior to use of a dial-in account.
Passwords for user accounts used to remotely connect to Ensono’s
information resources shall comply with Ensono’s password policy.
Auditing and logging of significant events shall be enabled and monitored
for all systems and devices configured to allow dial-in capabilities.
Access to a dial-in solution shall require, at a minimum, UserID/password
authentication.
Direct inward dial shall be disabled when not in use. This includes
hardware and/or software disabling.
Systems administrators shall be notified prior to remote connectivity
occurring on Ensono systems or devices.
7.2 SYSTEM CONFIGURATIONS
7.2.1 Server and Mainframe Security Standard
7.2.1.1 SERVER AND MAINFRAME GENERAL SECURITY CONTROLS
Naming conventions for servers and mainframes shall be subject to
approval from relevant Information Custodians and Security.
Asset management records shall include, at a minimum, hostname, IP
address, owner, description, and security classification.
All software installed on centrally managed servers and mainframes shall
be maintained at a level supported by the vendor.
Each server and mainframe shall have an identified and documented
Information Owner.
The Information Custodian shall be responsible for providing relevant
technical information to the NOC, EOC, Security, Audit and Compliance
team, and other relevant teams.
The Information Custodian shall be responsible for ensuring that systems
within their area of responsibility are placed within Ensono’s vulnerability
detection process.
The Information Custodian shall be responsible for ensuring systems within
their area of responsibility are part of an accurate inventory.
All implemented systems shall meet or exceed vendor-recommended
minimum hardware requirements.
Detailed information pertaining to the configuration of a server or
mainframe, to include information received from vulnerability scans, shall
be classified as INTERNAL USE ONLY, and shall require appropriate
authorization prior to any disclosure.
All systems, within both production and development environments, shall
be designed, commissioned, implemented, maintained, modified and
decommissioned in a standardized, documented fashion designed to
protect and secure Ensono information resources.
All system access shall be explicitly denied unless specifically allowed.
All TCP/UDP ports shall be explicitly disabled unless specifically needed.
All user access to a system shall require, at a minimum, a user
account/password pair for authentication.
System audit logs shall be enabled and reviewed on all systems in a
centrally managed system monitored by E-SEC.
User access logs shall be enabled and reviewed on all systems.
All systems used to conduct business processes shall be maintained within
an identified Ensono data center.
All systems shall be hardened as specified by industry standards or legal
agreements.
Externally facing systems or systems designated as RESTRICTED are
required to implement secure configurations as provided by the Center for
Internet Security (e.g. CIS Benchmarks).
All systems shall be maintained to industry standards, where applicable,
based on business need.
All systems shall be configured to restrict the chances of, or opportunities
to use an alternate boot device.
All systems shall be verified to be free of unacceptable vulnerabilities prior
to implementation into Ensono’s environment.
7.2.1.2 SERVER AND MAINFRAME MALWARE PROTECTION AND PATCH CONTROLS
All systems, where applicable, shall have centrally managed malware
protection software loaded, active and enabled.
All systems that have centrally managed malware protection software
installed shall comply with Ensono’s malware protection controls.
All systems shall be subject to scans by Ensono’s internal vulnerability
detection scanner.
All systems shall have patches and updates applied in a timely manner.
7.2 .1 .3 SERVER AND MAINFRAME CHANGE MANAGEMENT
All changes to systems, both in production and development, shall be part
of an identified change management program.
7.2.1.4 SERVER AND MAINFRAME SYSTEM DIAGNOSTIC DATA
When system diagnostic data must be shared with a 3rd party vendor, it
must be transported by secure means approved by E-SEC.
When diagnostic data is written to an external USB storage device, the USB
storage device must be an approved device and such device must be
tracked using a chain of custody methodology or other such process that is
tracked and maintains an audit trail.
All diagnostic data shall be deleted from USB storage devices once no
longer needed.
7.2.2 Workstation Security Standard
7.2.2.1 WORKSTATION GENERAL SECURITY CONTROLS
Workstations will apply secure configurations which will be reviewed and
approved by the Security, Audit, and/or Compliance teams.
All software installed on workstations shall be maintained at a level
supported by the vendor.
All workstation access shall be restricted to authorized users.
All workstations will be tracked in a centrally managed asset management
solution.
All workstations shall have malware protection software loaded, enabled
and active.
All workstations shall apply operating system and third-party patches on a
timely basis.
All workstations shall be designed, commissioned, implemented,
maintained, modified and decommissioned in a standardized, documented
fashion, designed to protect and secure Ensono information resources.
All workstations shall be updated and maintained to industry standards
where applicable, based on business need.
All users shall be prohibited from modifying, changing, removing or
circumventing security controls implemented by designated workstation
administrators, network system administrators or domain administrators.
All workstations shall have a logon banner specifying that unauthorized
use is prohibited.
All Information Custodians shall maintain an accurate inventory of
workstations within their area of responsibility.
All workstations shall be configured with password protected BIOS.
All workstations shall be configured to restrict the chance of, or
opportunity to use an alternate boot device.
Any end user system used to connect to Ensono’s network infrastructure
shall be required to have the latest updates and security patches applied,
as well as malware protection software loaded, enabled, active and
updated prior to connecting to Ensono’s network assets.
All Ensono-provided workstations shall be a member of an Ensono
corporate domain.
7.2.3 Email Standard
7.2.3.1 EMAIL GENERAL SECURITY CONTROLS
Use of Ensono corporate email systems shall be considered “pre-
approved” for all employees.
The use of non-Ensono email systems (e.g., Hotmail®, Yahoo!®, AOL®, etc.)
for business-related correspondence shall be strictly prohibited, due to the
inherent security vulnerabilities of those systems as well as a lack of
adequate retention capabilities. The use of a non-Ensono email system
shall be permitted only when Ensono’s system is not readily available, and
the business issue is too urgent to wait until the corporate system
becomes available. Whenever a non-Ensono email system is used for
business related purposes, there must be no RESTRICTED or CONFIDENTIAL
contents unless it is encrypted prior to transmission.
Ensono shall protect, maintain and retain corporate email systems
including, but not limited to, all corporate relevant data, mailboxes or any
other information contained within corporate email systems.
Ensono’s email systems shall be protected as deemed necessary by
Ensono’s identified administrators.
All external communications with clients shall be encrypted using TLS 2.0
or later.
7.2.3.2 USER MAILBOX CONFIGURATION
All user mailboxes shall have a valid x.400 address.
Users shall be restricted to two (2) valid SMTP addresses, of which one
must conform to the identified standard naming convention.
The mailbox alias shall be the domain user ID.
Identification fields shall adhere to standard naming conventions.
The global address list shall have only one address entry per Ensono user.
7.2.3.3 EMAIL DISTRIBUTION LISTS
Email administrators shall be responsible for creating, renaming and
deleting distribution lists.
Each distribution list shall have an identified owner who is solely
responsible for the distribution list memberships.
The display names for a distribution list shall adhere to the following:
Alias – short description
7.2.3.4 RESOURCE MAILBOXES
Exchange administrators shall be responsible for creating, renaming and
deleting resource mailboxes to include calendar resources, team
mailboxes, etc.
Each resource mailbox shall have an identified owner who is solely
responsible for permissions to any and all folders contained within their
resource mailbox.
The display name for a resource mailbox shall adhere to the following:
Alias – short description
7.2.3.5 EMAIL CUSTOM RECIPIENTS
In the event it is necessary to add a customer’s email address to an Ensono
global distribution list the following shall be followed:
Display names for custom recipients shall be added using the following
format:
Last_First – Last First (Company)
These display names shall be created within the Customer Addresses
container of the Exchange Administrator.
7.3 EXCHANGES OF INFORMATION AND SOFTWARE
7.3.1 Information Confidentiality
Information classified as INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED, either implied
as such or specifically identified as such by contract or other means, should be protected
from unauthorized or unintended release or disclosure. All users shall adhere to the
following:
Information classified as or known to be CONFIDENTIAL or RESTRICTED, either formally or
informally, shall be restricted from disclosure, transferal or sale to any non-Ensono party.
Ensono’s Marketing team shall maintain responsibility for final approval of disclosure of any
information formally or informally classified as PUBLIC.
All exchanges of software and/or data between Ensono and any third party, not strictly
related to a business purpose, shall be prohibited unless a written agreement has been
signed.
All written agreements for the exchange of software and/or data shall, at a minimum,
contain the following:
Terms of the exchange
Date/Period of the agreement
Software/Data handling agreements
Software/Data protection agreements
Information classified, either formally or informally, as RESTRICTED or CONFIDENTIAL shall
be restricted from transport or transfer across any public network unless appropriately
encrypted.
All encryption solutions used to transport or transfer information classified as RESTRICTED or
CONFIDENTIAL shall comply with the ISP.
7.3.2 Information Reliability
All information received, downloaded or acquired from a public network source should be
considered suspect until verified and authenticated by a second source. To that extent, the
following should be adhered to when accessing information from a public network:
All non-text files downloaded from a non-Ensono source via the Internet or a public network
shall be screened with Ensono-approved malware protection software prior to being used
or installed on Ensono-owned or managed information resources.
Information, software or programs downloaded from a non-trusted source shall be tested on
a standalone, non-production machine prior to introduction into Ensono’s corporate
network.
Downloaded files that are compressed and/or encrypted shall be uncompressed and/or
decrypted prior to screening with malware detection software.
Automatic updating of software or information on Ensono computers via “background push”
Internet technology shall be prohibited on all Ensono information resources unless Security
has approved the vendor.
The identity of individuals and/or organizations shall be verified prior to being engaged for
business purposes.
All users shall be prohibited from misrepresenting, obscuring, suppressing or replacing
another Ensono user’s identity on the Internet or any Ensono information resource.
All users shall be prohibited from establishing new Internet Web pages dealing with Ensono
business or making modifications to existing Web pages dealing with Ensono business unless
done in compliance with Ensono policies and applicable contract requirements.
All users shall be prohibited from modifying, hot linking to, updating, altering or otherwise
changing existing web pages that deal with Ensono business without approval from Ensono’s
Marketing team.
7.3.3 Public Representation
Ensono employees shall be allowed to indicate their affiliation with Ensono when conducting
personal business online, to the extent that:
Opinions or statements, including but not limited to, political advocacy statements and
product/service endorsements presented in conjunction with an affiliation with Ensono shall
also contain notification that the opinions or statements presented do not necessarily reflect
Ensono’s position.
All representations on behalf of Ensono, with the exception of ordinary marketing and
customer service activities, shall be approved by Ensono’s Marketing team prior to release to
the public.
Ensono employees shall be prohibited from engaging in libel, defamation of character,
flaming or other similar written attacks, or creating other legal problems, whenever an
affiliation with Ensono is associated with the post.
Ensono employees shall be prohibited from making threats against, harassing, annoying or
alarming another user or organization over the Internet.
Ensono shall reserve the right to require the removal of inappropriate Internet postings or
messages created by Ensono employees, which include an affiliation with Ensono.
Inappropriate postings are as follows:
Cursing or other foul language
Statements that contain non-business related information or that could be viewed as
harassing others based on:
Race
Creed
Color
Age
Sex
Physical or mental disability
Sexual orientation
Political statements
Religious statements
National origin
Military status
Public posting of Ensono or client confidential information on public forums is strictly
prohibited.
The decision to remove a posting shall be the responsibility of Ensono management
and/or Human Resources.
8 Personnel Security
8.1 PERSONNEL SECURITY OBJECTIVES
To reduce the risks of human error, theft or fraud.
To ensure that users are aware of Information Security threats and to help them support Ensono’s
Information Security practices.
To minimize the damage from security incidents and malfunctions, and to monitor and learn from
such incidents.
8.2 SECURITY INCLUDED IN JOB ROLES
8.2.1 Including Security in Job Role Definition
All job role definitions shall include appropriate language identifying the correlating
Information Security responsibilities for said job role.
Management shall be responsible for working with HR and Security to identify job role
specific security concerns for job roles.
8.2.2 Personnel Screening Policy
Employment screening checks, as specified by Ensono’s Legal, HR, and the Risk Management
Committee, shall be conducted for all permanent staff, contractors, temporary staff, and
third party users prior to beginning work at Ensono or being granted access to Ensono
information assets.
Employment screening checks shall be successfully passed prior to beginning work at Ensono
or being granted access to Ensono information assets.
All employees shall be required to have on file a signed consent allowing Ensono to conduct
background screening checks.
All employees granted security related roles shall be required to satisfactorily pass
supplemental employment screening checks on a periodic basis.
8.2.3 Terms and Conditions of Employment
All employees, who are given access to Ensono owned or managed information assets, shall
sign Ensono’s confidentiality or non-disclosure agreement prior to being granted access to
any Ensono owned or managed information asset.
All employees shall be responsible for working with Ensono’s identified security teams to
support the implementation of a corporate-wide security environment.
Full compliance with the ISP is a condition of employment. Violation of the ISP may result in
disciplinary action up to and including immediate termination.
8.3 PERSONNEL EDUCATION, TRAINING, AND AWARENESS
8.3.1 Security Training and Awareness
All new Ensono associates are granted access to Ensono’s information resources to facilitate
completion of new hire training curriculum, which includes required security awareness
training. New hire security awareness training must be completed within ten (10) business
days of start date.
All employees shall be required to complete security awareness training at least annually, to
ensure that all personnel are aware of the importance of Information Security.
Failure to complete Ensono’s mandatory security awareness training will be deemed a
violation of the Employee Standards of Conduct, which may result in disciplinary action up to
and including termination of employment.
Security shall be responsible for working with training organizations, legal and compliance
teams to develop relevant security training material.
8.4 RESPONDING TO SECURITY INCIDENTS
8.4.1 Security Incident Handling Priorities
Priorities for handling Information Security incidents are as follows:
Protection of human life and safety.
Protection of INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED information.
Collection and analysis of information to determine if a violation of the ISP or the
commission of a computer crime has occurred.
Prevention of damage to systems and restoration of systems to routine operation as quickly
as possible.
8.4.2 Security Incident Reporting
Security, Audit & Compliance, Physical Security, Legal, and/or HR teams will collaborate to
respond to the following types of incidents as appropriate:
Information Security
Property Loss and Protection
Employee Safety
Drugs
Financial Violations
Other as identified by senior management
All users of Ensono information assets have the responsibility to report any security incident.
Anonymous reporting of security incidents shall be permitted.
When requested and in accordance with policy, security incident inquiries will remain
confidential.
All users have an obligation to report security weaknesses in a timely manner.
8.4.3 Security Incident Response Procedures
Security incident response procedures shall be conducted and carried out as specified within
Ensono’s Security Incident Response Plan.
8.4.4 Reportable Information Security Incidents Standard
The sections below outline examples of potential Information Security incidents.
8.4.4.1 UNAUTHORIZED DISCLOSURE
INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED information is
disclosed without authorization.
8.4.4.2 SYSTEM INCAPACITATION
A system’s ability to function is impaired by a high volume of activity from
various sources.
A resource such as power, network access or routing tables is modified,
degrading the system’s ability to perform normal functions.
Malicious code interferes with a system’s operation.
An asset is stolen, damaged or destroyed.
8.4.4.3 SYSTEM TAMPERING
A user ID is employed to gain access to system administrative functions
without prior authorization.
A system weakness allows access to system administrative functions by
non-authorized users.
A valid user ID is permitted to gain access to system administrative
functions without authorization.
Non-administrative personnel are allowed to perform administrative
system functions.
8.4.4.4 INFORMATION TAMPERING
A user ID is employed without authorization to gain access to password
files, protected or restricted data, licensed applications, software, or
restricted applications, software and/or code.
A system weakness allows unauthorized access to password files,
protected or restricted data, licensed applications, software, or restricted
applications, software and/or code.
A theft of information resources provides access to passwords files,
protected or restricted data, licensed applications, software, or restricted
applications, software or code.
8.4.4.5 MISUSE OF INFORMATION TECHNOLOGY
A user installs unlicensed software.
A user downloads, copies or distributes unlicensed software.
A user’s account is employed in violation of legal statutes, regulations or
organization policies.
8.4.4.6 UNAUTHORIZED ACCESS
A valid user ID or user account is employed without authorization.
A valid user ID or user account is used to access areas outside of the user’s
account authorization.
A system weakness is exploited, but no access is gained outside the
account’s authorization.
A user’s privilege to access information is higher than that which was
authorized.
Access to facilities (buildings, rooms, secure areas) is gained without
authorization.
8.4.4.7 UNAUTHORIZED USE
INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED information is used for
a purpose not specifically permitted based on the user’s need-to-know or
the identified disclosure classifications.
Any Ensono information asset is used in such a way as to violate the ISP.
8.4.4.8 ATTEMPTED EXPLORATION OF INFORMATION RESOURCES
Illegal data gathering is directed against a system (port scanning, sniffing,
net scanning, etc.).
Actions are attempted that could impair a system’s ability to function.
Actions are attempted that could result in a system or information
compromise.
8.4.4.9 NON-SYSTEM INCIDENTS
Unauthorized access to facilities results in information resource exposure
or compromise.
Unauthorized parties gain access to INTERNAL USE ONLY, CONFIDENTIAL,
or RESTRICTED information.
Ensono information resources are exposed or compromised due to lack of
control over computing equipment or media.
Ensono information resources are exposed or compromised due to an
environmental hazard.
8.4.4.10 INDIVIDUAL USER REPORTING RESPONSIBILITIES
Security shall be notified of all offensive communications. Ensono
users shall not respond directly to the originator of offensive email
messages, telephone calls and/or other communications.
Users shall retain copies of messages, notes or voice mail entries of this
nature and turn them over to Security.
8.4.5 Security Incident Information Retention and Classification
Information related to or gleaned from a security incident shall be maintained and retained
until such a time as the Chief Security Officer deems the information no longer relevant.
Information related to or gleaned from a security incident shall be classified RESTRICTED.
8.5 PROBLEM MANAGEMENT
8.5.1 Reporting Software Malfunctions
Where applicable, Information Custodians shall identify and document problem management
procedures for all information assets within their area of responsibility.
Any attempt to interfere with, prevent, obstruct or dissuade a user in their efforts to report a
suspected security incident or violation is strictly prohibited and cause for disciplinary
9 Application Development and Maintenance
9.1 APPLICATION DEVELOPMENT AND MAINTENANCE OBJECTIVES
To ensure security is included in the commission, design and operational phases of system
development.
To prevent loss, modification or misuse of data in applications.
To ensure that IT projects are conducted in a secure manner.
To maintain the security of application and system software and information.
9.2 SECURITY INCLUSION IN APPLICATION DEVELOPMENT
9.2.1 Application Development General Security Controls
All developed software solutions shall include appropriate security, access and audit
controls.
All software development shall follow standardized and documented procedures that
include design, implementation, testing, hardening and modification.
All internally-developed software code shall be required to successfully pass Security
approved code level testing and review prior to implementation.
9.2.2 Application Development Design and Planning
Security requirements shall be identified and agreed upon prior to the development of any
system or solution.
Security requirements shall be identified during the planning phase of any project, and shall
be included as part of the overall business case.
To speed the development process and enhance Ensono’s security stance, where applicable,
existing approved security architecture shall be included in new projects.
9.2.3 Creation of New Security Architecture or Design
System and application development teams shall be prohibited from creating new security
architecture, composing new security schemes, developing new encryption solutions or
otherwise deviating from existing identified security controls without express approval from
Security.
9.3 SOFTWARE CODING AND TESTING REQUIREMENTS
9.3.1 Input Data Validation
Data input to application systems should be validated to ensure it is correct and appropriate. The
following controls and/or checks shall be implemented and tested where appropriate:
Dual input or other input checks to detect the following errors:
Out of range values
Invalid characters in data fields
Missing or incomplete data
Exceeding upper and lower data volume limits
Unauthorized or inconsistent control data
Periodic review of the content of key fields or data files to confirm their validity and
integrity.
Procedures for responding to validation errors.
Procedures for testing the plausibility of the input data.
Defining the responsibilities of all personnel involved in the data input process.
9.3.2 Control of Internal Processing
The following controls and/or checks shall be implemented and tested where appropriate:
Limit the use and locations in programs of add and delete functions to implement changes to
data.
Define procedures to prevent instances of programs or processes executing or running in the
wrong order, or running after failure of prior processing.
Require the use of correct processes to recover from failures to ensure the correct
processing of data.
Validation of system-generated data.
Check on the integrity of data or software downloaded/uploaded between central and
remote systems.
Perform integrity checking of records or files.
9.3.3 Output Data Validation
Data output should be tested and validated to ensure that processing is occurring correctly. As
such, the following controls and/or checks shall be implemented and tested where appropriate:
Plausibility checks to test whether the output data is reasonable.
Reconciliation control counts to ensure processing of all data.
Procedures for responding to output validation tests.
Defining the responsibilities of all personnel involved in the data output process.
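The input checks listed in 9.3.1 (missing data, invalid characters, out-of-range values, volume limits, inconsistent control data) and the reconciliation control count of 9.3.3 can be seen together in one validator. The following is an added illustration, not code from the policy or from Ensono: the batch format, field names and limits are constructed assumptions, and rejected records are always kept with a reason so the count of input records reconciles with accepted plus rejected.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed field specification for a hypothetical batch-upload interface
# (not an Ensono format; field names, patterns and limits are assumptions).
FIELD_SPEC = {
    "account_id": {"pattern": re.compile(r"^[A-Z0-9]{8}$"), "required": True},
    "amount":     {"min": 0.01, "max": 50000.00, "required": True},
    "currency":   {"allowed": {"USD", "EUR", "GBP"}, "required": True},
    "memo":       {"pattern": re.compile(r"^[A-Za-z0-9 .,-]{0,64}$"), "required": False},
}
MIN_RECORDS, MAX_RECORDS = 1, 1000   # lower and upper data volume limits


@dataclass
class ValidationResult:
    batch_error: Optional[str] = None                          # whole batch refused
    accepted: Dict[int, dict] = field(default_factory=dict)    # index -> record
    rejected: Dict[int, str] = field(default_factory=dict)     # index -> reason


def check_record(rec: dict) -> List[str]:
    """Field-level checks: missing data, invalid characters, out-of-range values."""
    errors = []
    for name, spec in FIELD_SPEC.items():
        value = rec.get(name)
        if value is None or value == "":
            if spec["required"]:
                errors.append(f"{name}: missing")
            continue
        if "pattern" in spec and not spec["pattern"].match(str(value)):
            errors.append(f"{name}: invalid characters")
        if "allowed" in spec and value not in spec["allowed"]:
            errors.append(f"{name}: not an allowed value")
        if "min" in spec:
            try:
                num = float(value)
            except (TypeError, ValueError):
                errors.append(f"{name}: not numeric")
                continue
            if not spec["min"] <= num <= spec["max"]:
                errors.append(f"{name}: out of range")
    unknown = sorted(set(rec) - set(FIELD_SPEC))
    if unknown:
        errors.append(f"unexpected fields: {unknown}")   # unauthorized control data
    return errors


def validate_batch(batch: dict) -> ValidationResult:
    """Batch-level checks first, then per-record checks; nothing is silently dropped."""
    result = ValidationResult()
    records = batch.get("records", [])
    if not MIN_RECORDS <= len(records) <= MAX_RECORDS:
        result.batch_error = f"volume {len(records)} outside {MIN_RECORDS}..{MAX_RECORDS}"
        return result
    # Inconsistent control data: the submitter's declared count must match the payload.
    declared = batch.get("control", {}).get("record_count")
    if declared != len(records):
        result.batch_error = f"control record_count {declared!r} != {len(records)} records"
        return result
    for i, rec in enumerate(records):
        errors = check_record(rec)
        if errors:
            result.rejected[i] = "; ".join(errors)   # response procedure: reject with reason
        else:
            result.accepted[i] = rec
    return result


def reconcile(batch: dict, result: ValidationResult) -> bool:
    """Reconciliation control count: every input record is accepted or rejected, never both."""
    n = len(batch.get("records", []))
    if result.batch_error:
        return not result.accepted and not result.rejected
    seen = set(result.accepted) | set(result.rejected)
    return seen == set(range(n)) and not (set(result.accepted) & set(result.rejected))


# Constructed sample batch: one clean record and three that each violate one check.
SAMPLE_BATCH = {
    "control": {"record_count": 4},
    "records": [
        {"account_id": "AB12CD34", "amount": "125.50", "currency": "USD", "memo": "invoice 77"},
        {"account_id": "AB12CD34", "amount": "99999", "currency": "USD"},      # out of range
        {"account_id": "AB12-CD3", "amount": "10.00", "currency": "EUR"},      # invalid characters
        {"account_id": "ZZ99YY88", "amount": "10.00"},                         # missing currency
    ],
}

if __name__ == "__main__":
    res = validate_batch(SAMPLE_BATCH)
    print(f"accepted={len(res.accepted)} rejected={len(res.rejected)} "
          f"reconciled={reconcile(SAMPLE_BATCH, res)}")
```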
9.4 CRYPTOGRAPHIC CONTROLS
9.4.1 Key Management
All key management solutions devised and maintained by Ensono shall be implemented and
maintained as specified within Ensono’s PKI Certificate Policy (CP) and Ensono’s PKI
Certification Practice Statement (CPS).
All key management and information privacy practices shall be disclosed and provided as
governed and specified within Ensono’s PKI CP and Ensono’s PKI CPS.
All certificate management and information privacy practices shall be disclosed and provided
as governed and specified within Ensono’s PKI CP and Ensono’s PKI CPS.
All Certificate Authority (CA) subscriber information shall be properly authenticated.
CA key and certificate integrity shall be established and protected throughout the life cycle
of use.
CA subscriber and relying party information shall be protected from uses not specified within
the CA.
CA subscriber and relying party information shall be restricted to authorized users.
Continuity of CA key and certificate life cycle management operations shall be maintained.
CA systems development, maintenance, and operation shall be properly authorized and
performed in such a manner that it maintains system integrity.
Encryption keys shall not be disclosed to non-Ensono users unless approved by the key
owner or Registration Authority.
Private encryption keys and single key solution keys shall be encrypted when transmitted
over a communication network.
Automated key management solutions shall be preferred over manual key management
solutions and shall be chosen over manual key management solutions unless approved
by Security.
Ensono’s identified PKI solution shall be used to encrypt and manage keys for all data that is
stored in an encrypted format (i.e. persistent) at Ensono.
9.4.2 Encryption
Ensono requires that information classified as CONFIDENTIAL or RESTRICTED, which is
received by Ensono or sent by Ensono, be encrypted. This includes information classified as
CONFIDENTIAL by a client, as well as information classified as SENSITIVE by clients or
regulatory agencies.
All information classified as CONFIDENTIAL, or RESTRICTED by Ensono, clients or regulatory
agencies, which is transmitted to or from Ensono via any public network shall be encrypted.
All information classified as CONFIDENTIAL, or RESTRICTED by Ensono, clients or regulatory
agencies, which is stored on physical media and transported to or from Ensono via any
physical delivery method shall be encrypted.
All encryption solutions shall use the Ensono standard toolset, comply with the X.509
standard, or be a solution agreed upon between Security and the customer and have the
following minimum requirements:
Uses public/private key pairs
Uses a minimum of 256-bit encryption
Encryption of data at rest should be employed as deemed necessary by regulatory,
contractual, or Risk Management Committee requirements.
9.5 SECURITY OF SYSTEM FILES
9.5.1 Control of Operational Software
The following controls and/or changes shall be implemented and tested where necessary:
Only appropriately identified and authorized librarians shall update production program
libraries.
Where possible, operational systems shall only hold executable code.
Executable code shall not be implemented on a production system until evidence of
successful testing and user acceptance is obtained, and the corresponding source libraries
have been updated.
Audit logs shall be maintained for all updates to production program libraries.
Previous versions of software shall be retained for contingency purposes.
Vendor supplied software used in production systems shall be maintained at a level
supported by the vendor.
Security concerns shall be included in any decision related to upgrading to a newer release
of an application.
Software patches shall be applied when application of such patches removes or reduces a
security weakness.
Physical or logical access provided to third party users for access to production software
shall only be provided for support purposes, and shall be monitored.
All software configurations and secure configurations should be centrally managed by a
configuration management solution.
9.5.2 Protection of System Test Data
Test data shall be protected and controlled.
System and acceptance testing shall use data that is as close as possible to production data.
Personal information shall be prohibited from use within a testing capacity, unless approved
by the Information Owner.
Test environments shall have security and access controls that match the production
environment for which testing is being conducted.
Production information shall be removed from test environments once testing is complete.
The copying and use of production information within a test environment shall be logged for
auditing purposes.
9.5.3 Access Control to Program Source Library
Where possible, source libraries shall not be held on production systems.
Development and support staff shall be prohibited from unrestricted access to source
libraries.
Programs under development or maintenance shall not be held in operational source
libraries.
Updates to source libraries shall be conducted by an authorized librarian.
Program listings shall be held in a secure environment.
Audit logs shall be maintained for all access to program source libraries.
Older version(s) of software shall be archived with clear indications of precise dates and
times when they were operational. Supporting software, job control, data definitions and
procedures shall be maintained with archived software.
Maintenance and copying of program source libraries shall be restricted and shall follow
identified and documented change control procedures.
9.6 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES
9.6.1 Change Control Procedures
The Information Custodian over a test/development environment shall be identified and
documented.
The identified Information Custodian shall be responsible for working with relevant teams to
identify and document specific change control procedures for environments within their
area of responsibility.
Formal change control procedures shall be documented that:
Ensure security and control procedures are not compromised.
Ensure that support programmers are granted access only to those parts of the system
necessary for their work.
Ensure that formal agreement and approval for a change is obtained.
Wherever possible, application and operational change control procedures shall be
integrated to include:
A record of agreed-to authorization levels.
Ensure changes are submitted by authorized users.
The review of controls and integrity procedures to ensure they will not be compromised by
authorized changes.
The identification of all computer software, information, database entities and hardware
that require amendment.
Formal approval for detailed proposals before work commences.
Ensure the user or customer accepts changes prior to any implementation.
Ensure any implementation of a change is conducted in such a way as to minimize business
disruptions.
Ensure system documentation is updated at the completion of each change, and that old
documentation is archived or disposed of properly.
Version control for all software updates.
An audit trail for all change requests.
Ensure operating documents and user procedures are updated and changed as needed.
9.6.2 Technical Review of Operating System Changes
Periodically, it is necessary to change an operating system. The following shall be adhered to:
Adequate testing of all software updates and patches must occur within a test
environment prior to implementation on a production system. This includes, but is not
limited to:
Appropriate testing of the operating system for potential problems.
Appropriate testing of all relevant applications for potential problems.
Review of all application controls and integrity procedures to ensure that updates or
patches have not compromised existing security controls.
Notification of operating system changes shall be provided to allow time for all
appropriate reviews of the update/patch to occur.
Appropriate changes shall be made to all relevant BC/DR documentation.
9.6.3 Covert Channels and Trojan Code
All software developers shall be prohibited from creating code which contains:
Undocumented code
Programs that can be considered a backdoor
Programs that allow for the bypassing of security controls
Once installed, modification of and access to code shall be strictly limited and shall be
controlled and audited.
Software and code must only be downloaded in accordance with Ensono’s Malware
Protection Policy, particularly the requirement that only trusted sources shall be used.
Software agreements for solutions that are externally and client facing shall include
requirements for maintaining software that is free from secure coding flaws.
10 Business Continuity/Disaster Recovery (BC/DR)
10.1 BUSINESS CONTINUITY/DISASTER RECOVERY OBJECTIVES
To ensure the continuation of Ensono and to expedite a resumption of business processes in the event that a
disruption occurs due to disaster or security failure.
10.2 BC/DR MANAGEMENT OVERSIGHT
10.2.1 BC/DR Management Controls
Senior Management shall identify and designate a team that has the sole responsibility for
the commission, design, implementation, maintenance, administration and testing of all
corporate Business Continuity and Disaster Recovery (BC/DR) plans. This team shall be
identified by Executive Leadership.
The BC/DR team shall maintain responsibility for all aspects of BC/DR for Ensono. This
includes design, commission, implementation, administration, maintenance, decommission,
documentation and testing.
The BC/DR team shall ensure the appropriate level of security controls are maintained during a
business interruption in accordance with business requirements, the Information Security Policy,
input from E-SEC, and the Risk Management Committee.
11 Physical and Environmental Security
11.1 PHYSICAL AND ENVIRONMENTAL SECURITY OBJECTIVES
To prevent unauthorized access, damage and interference to business premises.
To prevent loss, damage or compromise of assets and interruptions to business activities.
To prevent compromise or theft of information and information processing facilities.
11.2 PHYSICAL SECURITY GENERAL CONTROLS
11.2.1 General Physical Security Notification
Ensono reserves the right to inspect and search the personal effects of any person entering
or leaving Ensono owned, managed or leased facilities. This includes, but is not limited to
purses, packages or vehicles.
Ensono shall prohibit any user from carrying a firearm or prohibited weapon of any kind onto
any property owned, managed or leased by Ensono. This includes, but is not limited to,
persons who are licensed to carry a weapon.
11.2.2 Clean Desk Policy
Ensono users must be aware of the need to maintain the confidentiality of CONFIDENTIAL,
RESTRICTED, and INTERNAL USE ONLY information, and take steps that are reasonable under the
circumstances to maintain the confidentiality of that information.
11.2.2.1 PROCEDURES
Users must adhere to Ensono’s Information Handling requirements to
ensure that all information is appropriately secured, as determined by
criticality and classification of the information and/or contractual
obligations, when unattended during and after work hours.
Users shall take appropriate steps to prevent the disclosure of
CONFIDENTIAL, RESTRICTED, and INTERNAL USE ONLY information to
unauthorized persons. This includes information that might be disclosed
verbally, physically, and/or electronically.
Keys, security badges, tokens, and other means used to lock information in
a required secure manner shall not be left unattended during and after
work hours.
11.2.2.2 AUDITING PROCESS
On a periodic basis, authorized personnel will conduct a physical walk through
of Ensono office space looking for potentially sensitive data, as defined in the
Clean Desk Policy, which is in the clear and unattended. The authorized
personnel will then:
Document any discrepancies discovered with regards to sensitive client
information, to include:
Ensono desk and/or office number
What data was found
Ensono employee’s identity
Address the infraction with the affected employee(s).
Follow up within five (5) business days to ensure the issue has been
resolved satisfactorily.
11.2.3 Removal of Property
Users shall be prohibited from taking equipment, information, or software off-site without
authorization from their manager.
Where necessary, equipment shall be logged out and logged in to reduce chances for theft.
All owners of an Ensono physical resource shall be required to relinquish said resource upon
an appropriately-authorized request.
Physical assets containing or possibly containing information assets shall not be removed
from their appropriate locations without the approval of Security.
11.3 SECURE AREAS
11.3.1 Physical Security Perimeter
Where deemed necessary by the physical security organization, physical security barriers
shall be erected to protect Ensono-owned, managed or leased facilities and information
assets.
Users shall be informed of the following approved options for providing a physical security
perimeter:
Receptionists
Security guards
Metal key locks
Magnetic card door locks
Other, as determined by the physical security organization
11.3.2 Physical Entry Controls
All users shall be required to retain and display their Ensono-provided identification at all
times while within a facility or location that is owned, managed or leased by Ensono.
All users shall be required to use their Ensono-provided identification to gain physical access
to any Ensono owned, managed or leased facility or location.
Unless approved by management, all visitors shall be escorted at all times while within a
facility or location that is owned, managed or leased by Ensono.
All users shall be fully responsible for the use of their Ensono-provided identification, and
are prohibited from giving/loaning their identification to another person.
The physical security organization shall be responsible for review of access to secured
locations on a periodic basis.
11.3.3 Securing Offices, Rooms and Facilities
Access to offices, computer machine rooms or other areas that contain INTERNAL USE ONLY,
CONFIDENTIAL or RESTRICTED information shall be physically restricted from access to only
users with a business need-to-know.
Telecommunication systems and network equipment shall be secured with antitheft devices
when located in an open environment/not a limited access environment.
Servers used to conduct Ensono or client business shall be maintained within an identified
data center.
Access to systems development offices, telephone wiring closets, computer machine rooms,
network switch rooms or other work areas containing Ensono non-public information shall
be physically restricted.
The Information Custodian shall maintain responsibility for working with Ensono’s security
organization to determine appropriate access control methods.
When deemed appropriate by the physical security organization, facilities or locations
managed, owned or leased by Ensono shall be unobtrusive and provide minimum indication
of their purpose.
BC/DR equipment and backup media shall be maintained in an offsite location.
11.3.4 Working in Secure Areas
Physical access to Ensono data centers and other secured locations shall be restricted to
authorized personnel only.
Third party and vendor service personnel shall be restricted from secure locations unless
appropriately authorized and supervised or monitored.
11.4 EQUIPMENT SECURITY
11.4.1 Equipment Protection
Equipment used for Ensono’s core business shall be sited or protected to reduce the risks from
environmental threats, hazards, and opportunities for unauthorized access.
11.4.2 Power Supplies
Equipment used for Ensono’s core business shall be protected from power failures and other
electrical anomalies.
11.4.3 Cabling Security
Power and telecommunications cabling carrying data or supporting Ensono’s core business shall
be protected from interception or damage.
11.4.4 Security of Offsite Equipment
Users shall be fully responsible for the security of equipment within their possession when
being used offsite.
Portable devices that contain unencrypted CONFIDENTIAL or RESTRICTED information shall
not be checked as airline luggage, left with hotel porters or left in the possession of an
individual or entity which does not have a need-to-know.
Users in the possession of a portable computing device shall physically secure said device
when not in use. For example, the device should be in a locked office, locked desk, locked
vehicle or in the person's physical possession. This includes, but is not limited to, the
following:
Laptops
Notebooks
PDAs
Other portable devices
CONFIDENTIAL or RESTRICTED information contained on a portable device shall be
encrypted prior to leaving the device unattended.
11.4.5 Secure Disposal or Re-use of Equipment
The preparation of any electronic storage media or devices to be disposed, reused, or
otherwise discarded must adhere to Ensono’s Information Handling requirements to ensure
that all INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED information has been securely removed.
All storage devices or media shall be checked and verified to be free of INTERNAL USE ONLY,
CONFIDENTIAL or RESTRICTED information or licensed software prior to being discarded or
disposed of.
All storage devices or media that contain INTERNAL USE ONLY, CONFIDENTIAL or
RESTRICTED information or licensed software shall be physically destroyed or securely
overwritten prior to being discarded or disposed of.
All storage devices or media shall be checked and verified to be free of INTERNAL USE ONLY,
CONFIDENTIAL or RESTRICTED information or licensed software prior to reuse in any device
other than the device it originally came from.
12 Compliance
12.1 COMPLIANCE OBJECTIVES
To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations.
To ensure compliance with the ISP and related security documentation.
12.2 COMPLIANCE WITH LEGAL REQUIREMENTS AND ENSONO POLICY
12.2.1 Identification of Applicable Legislation
Relevant statutory, regulatory, legislative and contractual requirements shall be explicitly
identified and documented.
Relevant statutory, regulatory, legislative and contractual requirements shall be broadly
communicated to users to assist in ensuring user compliance with Ensono’s obligations.
12.2.2 Intellectual Property Rights
Users shall be prohibited from using any Ensono information resources to download, copy,
redistribute, share, upload, store or otherwise access music, software, data or intellectual
property in a manner inconsistent with the associated license agreement.
Users shall be prohibited from using any Ensono information resource to circumvent an
existing security device in an unauthorized manner, or in a manner inconsistent with the
license agreement.
Users shall be prohibited from disclosure of Ensono’s Intellectual Property without
appropriate approval.
12.2.3 Safeguarding of Organizational Records
Relevant and important organizational records shall be protected from loss, destruction and
falsification.
Appropriate security controls shall be implemented to ensure the safety of important
organizational records.
12.2.4 Legal Conflicts
All users shall be responsible for providing immediate notification to members of Security in the
event that any section of the ISP is identified as being in conflict with existing laws or regulations.
12.2.5 Prevention of Misuse of Information Assets
The use of Ensono’s information assets shall be primarily for business purposes and must be
authorized for each user prior to receiving access.
Use of Ensono’s information assets requires all users comply with the ISP at all times.
Violation of the ISP is subject to disciplinary action, up to and including immediate
termination of employment and immediate termination of client, partner, and/or vendor
relationships.
Ensono’s non-enforcement of any policy requirement does not constitute its consent.
Ensono reserves the right to revoke logical or physical access for any user at any time
without prior notification.
12.2.6 Collection of Evidence
Evidence provided for external legal proceedings shall conform to the rules of evidence as
laid down in the relevant law or in rules of the specific court in which the case will be heard.
To achieve admissibility of evidence in court, Ensono shall ensure that information systems
comply with any published standard or code of practice for the production of admissible
evidence.
12.2.7 Reviews of Security Policy Compliance
Information owners shall be responsible for ensuring all information assets and processes
within their realm of responsibility comply with the ISP.
Information owners shall be responsible for ensuring adequate security standards and
procedures are identified and documented for all information assets and processes within
their realm of responsibility.
Information Custodians shall be responsible for ensuring all security procedures related to
their areas of responsibility are carried out correctly.
All areas of Ensono shall be subject to regular compliance reviews by Ensono’s identified
internal audit team.
12.3 SYSTEM AUDIT CONSIDERATIONS
12.3.1 System Audit Controls
System and process audit controls shall be formally identified and documented.
Notification of system and process audits shall be fully communicated in a timely manner,
prior to the audit taking place.
System and process audits shall be controlled and scope limited to areas as specified within
the associated notification.
All access shall be monitored and logged to produce a reference trail.
All audit procedures, requirements and responsibilities shall be documented.
12.3.2 Protection and Use of System Audit Tools
The use of system audit tools, on Ensono’s network and information assets, shall be strictly
controlled. These tools include, but are not limited to, the following:
Password cracking utilities
Port scanning utilities
Network sniffing utilities
Vulnerability scanners
Use of system audit tools shall be restricted to those users whose documented job
function requires the periodic use of such tools.
Use of system audit tools shall require approval from Security prior to use of such tools.
The use of a system audit tool shall be monitored at all times, and shall be audited on a
periodic basis.