NSP

NETWORK SECURITY POLICY
07 08 2018

GENERAL
The Firm maintains a secure network infrastructure through the following enumerated policies in order to
protect the integrity and confidentiality of client and Firm data and mitigate the risk of a security incident.
The purpose of this policy is to establish the guidelines for IT security, and to communicate the controls
necessary for a secure network infrastructure. The network security policy will provide the practical
mechanisms to support the Firm's comprehensive set of security policies. This policy covers all IT
systems and devices that comprise the Firm network or that are otherwise controlled by Firm personnel
directly or through third parties.


AUTHORIZED PERSONNEL
The creation and management of all accounts, including system and user accounts, must be authorized in
advance in writing by the Systems Manager in consultation with the firm’s contracted IT support
personnel.
Access and maintenance of applications systems, network components (including routers, firewalls, voice
communications servers, voice recording servers, etc.), operating systems, virtualization components,
hypervisors, or other information objects is restricted to authorized personnel only.
Access to and maintenance of applications, systems, network components (including routers, firewalls,
voice communications servers, voice recording servers, etc.), operating systems, virtualization
components, hypervisors, or other information objects shall be granted based upon job function.
Privileged accounts (e.g., system or security administrator) must be logged and reviewed on at least a
quarterly basis.
Inactive user and privileged accounts (e.g., system administrator or security administrator) will be
disabled or locked after 90 days or less.


NETWORK DEVICE PASSWORDS
Default system accounts (e.g., guest, administrator) will always be disabled or renamed upon initial
system builds.

PASSWORD CONSTRUCTION
The following statements apply to the construction of passwords for network devices:
 Passwords must be at least twelve characters.
Passwords must be comprised of a mix of letters, numbers and special characters
(punctuation marks and symbols), including a mix of upper and lowercase characters.
Passwords must not be comprised of an obvious keyboard sequence (i.e., QWERTY).
Passwords must not include "guessable" data such as personal information like birthdays,
addresses, firm public information, phone numbers, locations, etc.

FAILED LOGONS
Repeated logon failures can indicate an attempt to 'crack' a password and surreptitiously access a network
account. In order to guard against password-guessing and brute-force attempts, the Firm will lock a user's
account after 5 unsuccessful logins. The locked account shall remain locked for a minimum duration of
on hour or until the IT Department manually resets and unlocks the account via personal support request
of the user.
In order to protect against account guessing, when logon failures occur the error message transmitted to
the user must not indicate specifically whether the account name or password were incorrect. The error
can be as simple as "the username and/or password you supplied were incorrect."
Change Requirements
User and privileged account (e.g., system or security administrator) passwords, with the exception of the
Domain Administrator password and passwords used in conjunction with Windows services, must be
changed at least every 90 days by enforcement of group policies. In order to mitigate any security risk
associated with the Domain Administrator account and any accounts used for Windows services, the
following will be implemented:

The Domain Administrator password has been changed to a highly complex password and is stored in a locked cabinet to which only the Firm Partners have access to.
All users requiring privileged account (e.g., system or security administrator access) have been provided with separate administrative credentials.
Where feasible, any account used in conjunction with a Windows service has been denied the right to logon locally or through Terminal Services through the implementation of Group Policies.
Additionally, the following requirements apply to changing network device passwords:
If any network device password is suspected to have been compromised, all network device passwords must be changed promptly.
If a Firm network or system administrator leaves the Firm, all passwords to which the administrator could have had access must be changed promptly. This statement also applies to any consultant or contractor who has access to administrative passwords.


PASSWORD POLICY ENFORCEMENT
Where passwords are used, an application must be implemented that enforces the Firm's password
policies on construction, changes, re-use, lockout, etc.


ADMINISTRATIVE PASSWORD GUIDELINES
As a rule, administrative (also known as "root") access to systems should be limited to only those who
have a legitimate business need for this type of access. This is particularly important for network devices,
since administrative changes can have a major effect on the network, and, as such, network security.
Additionally, administrative access to network devices should be logged.


LOGGING
The following sections detail the Firm's requirements for logging and log review.

APPLICATION SERVERS
Logs from application servers are of interest since these servers often allow connections from a large
number of internal and/or external sources. These devices are often integral to smooth business
operations.
Examples: Web, email, database servers.
Requirement: Errors, faults, and login failures will be logged. No passwords should be contained in logs.

NETWORK DEVICES
Logs from network devices are of interest since these devices control all network traffic, and can have a
huge impact on the Firm's security.
Examples: Firewalls, network switches, routers
Requirement: Errors, faults, and login failures will be logged. No passwords should be contained in logs.

CRITICAL DEVICES
Critical devices are any systems that are critically important to business operations. These systems may
also fall under other categories above. In any cases where this occurs, this section shall supersede.
Examples: File servers, lab or manufacturing machines, systems storing intellectual property
Requirements: Errors, faults, and login failures will be logged. No passwords should be contained in
logs.


LOG REVIEW
The Systems Manager and/or the firm’s contracted IT support personnel, as appropriate, will review the
logs at least once per month.

LOG RETENTION
Audit logs may be modified or deleted only upon the approval of the Firm’s Systems Manager.
Production system audit logs must be retained for a minimum of 6 months.


FIREWALLS
Firewalls are one of the most important components of the Firm’s security strategy. Internet connections
and other unsecured networks must be separated from the Firm network through the use of a firewall.
Configuration
The following statements apply to the Firm's implementation of firewall technology:

Firewalls must provide secure administrative access (through the use of encryption) with management access limited, if possible, to only networks where management connections would be expected to originate.
No unnecessary services or applications should be enabled on firewalls. The Firm should use 'hardened' systems for firewall platforms, or appliances.
Clocks on firewalls should be synchronized with the Firm's other networking hardware using NTP or another means. Among other benefits, this will aid in problem resolution and security incident investigation.
All firewall rules must be reviewed annually and approved by the Systems Manager in concert with the firm’s contracted IT support personnel.
All firewall and router rules must be reviewed at least annually. Audits must cover each rule, what it is for, if it is still necessary, and if it can be improved.
Changes to firewall rules must be logged and the logs must identify the administrator performing the change and when the change occurred.
For its own protection, the firewall rule set must include a "stealth rule," which forbids connections to the firewall itself.
The firewall must log dropped or rejected packets.

OUTBOUND TRAFFIC FILTERING
Firewalls must be configured to filter outbound connections from the network. Blocking outbound traffic
prevents users from accessing unnecessary or dangerous services. By specifying exactly what outbound
traffic to allow, all other outbound traffic is blocked. This type of filtering would block root kits, viruses,
and other malicious tools if a host were to become compromised.
The Firm requires that permitted outbound traffic be limited to only known "good" services, which are the
following ports: 21, 25, 53, 80, 110, 443, and 995. All other outbound traffic must be blocked at the
firewall unless an exception is granted from the Systems Manager.
All outbound connections (e.g., HTTP, HTTPS, FTP, and Telnet) must be authenticated by a proxy
device. Network Security Manager approval is required for the establishment of encrypted protocol
communications that cannot be authenticated by a proxy device.


DATA LEAKAGE CONTROLS
Data leakage controls (e.g., logging access to files and folders designated at confidential on shared drives,
disabling the ability to use removable drives, disabling of unapproved CD/DVD burners and hard drives)
will be established to ensure that confidential Firm or client data can’t be physically or electronically
removed without management authorization.


NETWORKING HARDWARE
The following policy statements apply to the Firm's implementation of networking hardware:


HARDENING STANDARDS

The Firm recognizes that certain steps must be taken to prepare new hardware and software for
deployment.

Platform hardening should be benchmarked against industry/vendor standards and best practice. (e.g., SANS, VISA, NSA, etc.)
Current security updates, patches and anti-virus definitions will be applied.
Unused protocols and services must be disabled prior to deployment into production.
Unneeded user accounts must be disabled and default accounts (e.g. Administrator, Guest etc.) should be renamed.
Sample programs and scripts must be deleted.
Password parameters must be reconfigured to comply with Firm standards set forth in this policy.
Logging and audit trails must be activated.
Networking hardware must provide secure administrative access (through the use of encryption) with
management access limited, if possible, to only networks where management connections would be
expected to originate.
Clocks on all network hardware should be synchronized using NTP or another means. This requirement
will aid in problem resolution and security incident investigation.
The Firm will restrict access to the administrative ports of networking hardware with a firewall or access
control list.


NETWORK SERVERS

The following statements apply to the Firm's network servers:
Unnecessary files, services, and ports will be removed or blocked. 

Network servers, even those meant to accept public connections, must be protected by a firewall or access control list.
A standard installation process will be developed for the Firm's network servers.
Clocks on network servers should be synchronized with the Firm's other networking hardware using NTP or another means. This will aid in problem resolution and security incident investigation.

INTRUSION DETECTION/INTRUSION PREVENTION

The Firm requires the use of either a network intrusion detection system (NIDS) or a network intrusion
protection system (NIPS) on critical or high-risk network segments.
The Firm will install a network intruder detection system (NIDS) or a network intruder prevention system
(NIPS) to monitor all external network connections.
The network intruder detection systems (NIDS) or network intruder prevention systems (NIPS) will also
monitor the internal network.
Data Loss Prevention Technologies.
services clients who may provide personal or private information that requires extra care and
protections against accidental disclosure or misuse. As a result of this, the firm has deployed technologies
that will help protect sensitive information, (such as date of birth, social security number, etc…). These
systems will generate alerts that will be monitored in real time to members of the firm appointed by firm
administration. Every alert should be reviewed for accuracy and responded to accordingly.


SECURITY TESTING
The following sections detail the Firm's requirements for security testing.

The Firm will conduct an annual internal and external vulnerability scan that encompasses all networks and hosts.
The findings from vulnerability scans will be tracked and rescans will be performed until no findings are identified.
INTERNAL SECURITY TESTING
Performance of internal security testing by members of the Firm's IT team or contracted IT support
personnel is required annually. Internal security testing is allowable only with permission of the Systems
Manager in consultation with the firms contracted IT support personnel. Such testing must have no
measurable negative impact on the Firm's systems or network performance.

DISPOSAL OF INFORMATION TECHNOLOGY ASSETS
IT assets, such as network servers and routers, often contain sensitive data about the Firm's network
communications. When such assets are decommissioned, the following guidelines must be followed:

Any asset tags or stickers that identify the Firm must be removed before disposal.
Electronic media (e.g., tapes, disk drives, multifunction devices, copiers, etc.) will be destroyed by physical destruction.
Destruction will be recorded in logs.
NETWORK COMPARTMENTALIZATION & REDUCED EXPOSURE
Good network design is integral to network security. By implementing network compartmentalization,
which is separating the network into different segments, the Firm will reduce its network-wide risk from
an attack or virus outbreak. Further, security can be increased if traffic must traverse additional
enforcement/inspection points.
Following a network best practice, all VOIP networks should be separated either physical or logically, by
the use of vLANs, from the data network.
In order reduce the exposure of the network and possibly have unauthorized devices connect while being
undetected, all physical data ports in the office space or conference rooms are to unplugged as to prohibit
access. VOIP phones that have a data port are to be configured to have the data port disabled or the data
ports configured for a non-usable configuration such as a “Blackhole vLAN”.


NETWORK DOCUMENTATION
Network documentation, specifically as it relates to security, is important for efficient and successful
network management. Further, the process of regularly documenting the network ensures that the Firm's
IT Staff has a firm understanding of the network architecture at any given time.
Network documentation should include:

Network diagram(s)
System configurations
Firewall rule set
IP Addresses
Access Control Lists

Network devices must bear a sticker or tag indicating essential information, such as the device name, IP
address, Mac address, asset information, and any additional data that may be helpful, such as information
about cabling.
Only authorized individual of the firm shall have access to any network diagrams. Therefore all network
diagrams and related documentation must be secured at all times. Unauthorized access to any firm
network documentation may result in disciplinary actions up to and including termination of employment