Ensono, LP Information Security Policy
Source: da.ks.gov/purch/Contracts/Default.aspx?getfile=...2016/12/08...

Page 1: DRAFT v1.1 January 7, 2016 Jeff Von Deylen Chief Executive Officer

Ensono, LP Information Security Policy

January 20, 2016

Page 2

© 2016 Ensono, LP. All Rights Reserved.

Document Version Control

Data Classification: Internal Use Only

Intended Distribution: All Ensono, LP Associates and authorized business partners

Issue Date: January 20, 2016

Revision: FINAL v1.0

Last Revision Date: Initial Release

Approved By: Ensono Security Director

REVIEW HISTORY

VERSION NUMBER | DATE | REVIEWED BY
DRAFT v1.1 | January 19, 2016 | HR; Legal; Audit and Compliance

APPROVAL HISTORY

VERSION NUMBER | DATE | APPROVED BY | TITLE
DRAFT v1.1 | December 18, 2015 | Peter Bazil | Chief Legal Officer & Corporate Secretary
DRAFT v1.1 | January 6, 2016 | Jens Teagan | Chief Financial Officer
DRAFT v1.1 | January 7, 2016 | Jeff Von Deylen | Chief Executive Officer
DRAFT v1.1 | January 8, 2016 | Brian Klingbeil | Chief Operating Officer
FINAL v1.0 | January 20, 2016 | Elizabeth Martin | Director, Security

REVISION HISTORY

VERSION NUMBER | DATE | CHANGES MADE | MADE BY
FINAL v1.0 | January 20, 2016 | N/A – Initial Release | Elizabeth Martin

Page 3

Support Information

INFORMATION SECURITY POLICY SUPPORT

Contact Ensono Security (E-SEC) for Information Security support:

[email protected]

Page 4

Legal Notices

COPYRIGHT

Copyright 2016 by Ensono, LP. All rights reserved.

Reproduction of all or any portion of this document without the prior written consent of Ensono, LP is expressly prohibited.

Users may copy this document only for the express purpose(s) for which the product(s) were designed. Any and all copies of the materials must contain appropriate Ensono copyright statements and acknowledgments.

Page 5

TABLE OF CONTENTS

1 Information Security Policy ..................................................................... 12

1.1 Purpose .................................................................................................................... 12

1.2 Scope ....................................................................................................................... 12

1.3 Policy Communication .............................................................................................. 13

1.3.1 Creation and Distribution .............................................................................................................. 13

1.3.2 Security Communication and Training ........................................................................................... 13

1.3.3 Enforcement and Compliance ....................................................................................................... 14

1.3.4 Review, Update, and Maintenance................................................................................................ 14

1.3.5 Exception Request Process ............................................................................................................ 14

2 Organizational Security ........................................................................... 16

2.1 Organizational Security Objectives ........................................................................... 16

2.2 Information Security Governance ............................................................................. 16

2.3 Roles and Responsibilities ........................................................................................ 16

2.3.1 Executive Leadership ..................................................................................................................... 16

2.3.2 Risk Management Committee ....................................................................................................... 17

2.3.3 Information Owners ....................................................................................................................... 17

2.3.4 Audit & Compliance ....................................................................................................................... 18

2.3.5 Security Director ............................................................................................................................ 18

2.3.6 Ensono Security (E-SEC) ................................................................................................................. 19

2.3.7 Physical Security............................................................................................................................. 19

2.3.8 Legal Organization ......................................................................................................................... 19

2.3.9 Human Resources Organization (HR) ............................................................................................. 20

2.3.10 Chief Technology Office (CTO) ................................................................................................... 21

2.3.11 Ensono Service Operations ........................................................................................................ 21

2.3.12 Enterprise Operations Center (EOC) .......................................................................................... 22

2.3.13 End Users ................................................................................................................................... 22

2.4 Authorization Process for New Information Assets ................................................... 22

2.5 Cooperation between Organizations ......................................................................... 23

2.6 Independent Review of Information Security ............................................................ 23

2.7 Security Requirements for Third Party Access ........................................................... 23

Page 6

2.7.1 Requirements in Third Party Contracts.......................................................................................... 23

2.7.2 Requirements for Outsourcing to 3rd Parties ................................................................................. 23

2.7.3 Requirements for Ensono Delivered Services ................................................................................ 24

2.7.4 Confidentiality Agreements for Non-Employees ........................................................................... 24

3 Acceptable Use Policy ............................................................................. 25

3.1 General Acceptable Use Policy .................................................................................. 25

3.2 Electronic Communications and Online Systems Acceptable Use Policy ..................... 25

3.3 Workstation Acceptable Use Policy ........................................................................... 26

3.4 Authorized Use Banner ............................................................................................. 27

4 Access Control ......................................................................................... 28

4.1 Access Control Objectives ......................................................................................... 28

4.2 User Access Controls ................................................................................................ 28

4.2.1 General Requirements for User Access ......................................................................................... 28

4.2.2 General Requirements for Account Registration ........................................................................... 29

4.2.3 Requirements for User Account Creation ...................................................................................... 29

4.2.4 Management of User Accounts and Access ................................................................................... 29

4.2.5 Requirements for Privileged Access .............................................................................................. 30

4.2.6 Review of User Access ................................................................................................................... 31

4.2.7 User Account Lock-Out and Suspension ........................................................................................ 31

4.2.8 Suspension of Active Accounts ...................................................................................................... 31

4.2.9 User Account Termination ............................................................................................................. 31

4.3 User Conduct Policy .................................................................................................. 32

4.3.1 User Responsibilities ...................................................................................................................... 32

4.3.2 Prohibition against Harassment ..................................................................................................... 33

4.3.3 Restriction on Possession or Solicitation of Non-Public Data ........................................................ 33

4.4 Password Policy ....................................................................................................... 33

4.5 Concurrent Sessions and Session Timeouts ............................................................... 33

4.5.1 Session Timeout ............................................................................................................................. 33

4.5.2 Concurrent Sessions ....................................................................................................................... 34

4.6 Auditing and Logging Standard ................................................................................. 34

4.6.1 Activity Logs and Audit Trails ......................................................................................................... 34

4.6.2 Clock Synchronization .................................................................................................................... 34

4.6.3 Architecture for Logging Activities ................................................................................................. 34

4.6.4 Backup, Archive, and Protection .................................................................................................... 35

Page 7

4.6.5 Deactivation, Modification, or Deletion ........................................................................................ 35

4.6.6 Activity Auditing ............................................................................................................................. 35

4.6.7 Incident Reporting and Notification .............................................................................................. 36

4.7 Mobile Computing .................................................................................................... 36

4.7.1 Modems, Remote Access Devices, and Remote Access Software ................................................. 36

4.7.2 Remote Access ............................................................................................................................... 36

4.7.3 Mobile Devices ............................................................................................................................... 36

5 Asset Classification and Control .............................................................. 37

5.1 Asset Classification and Control Objectives ............................................................... 37

5.2 Accountability for Assets .......................................................................................... 37

5.2.1 Inventory of Assets ........................................................................................................................ 37

5.2.2 Documentation .............................................................................................................................. 37

5.2.3 Hardware Assets ............................................................................................................................ 37

5.2.4 Software Assets .............................................................................................................................. 38

5.3 Information Classification ......................................................................................... 38

5.3.1 Ensono’s Classification Levels ........................................................................................................ 38

5.3.2 Ensono’s Classification Guidelines ................................................................................................. 39

5.3.3 Classification and Release of Security Related Documentation .................................................... 39

5.4 Information Labeling ................................................................................................ 40

5.4.1 General Labeling Requirements ..................................................................................................... 40

5.5 Information Handling ............................................................................................... 40

5.5.1 General Controls ............................................................................................................................ 40

5.5.2 Reproduction ................................................................................................................................. 41

5.5.3 Remote Printing ............................................................................................................................. 41

5.5.4 Storage ........................................................................................................................................... 41

5.5.5 Transport ........................................................................................................................................ 41

5.5.6 Electronic Transmission ................................................................................................................. 42

5.5.7 Verbal Communication .................................................................................................................. 42

5.5.8 Destruction .................................................................................................................................... 42

6 Communications and Operations Management ...................................... 44

6.1 Communications and Operations Management Objectives ....................................... 44

6.2 Operational Procedures and Responsibilities ............................................................ 44

6.2.1 General Controls ............................................................................................................................ 44

6.2.2 Documented Operating Procedures .............................................................................................. 44

6.2.3 Change Management ..................................................................................................................... 45

Page 8

6.2.4 Security Incident Management ...................................................................................................... 45

6.2.5 Segregation of Duties ..................................................................................................................... 45

6.2.6 Separation of Development and Production Environments .......................................................... 45

6.3 System Planning and Acceptance .............................................................................. 46

6.3.1 Capacity Planning ........................................................................................................................... 46

6.3.2 System Acceptance ........................................................................................................................ 46

6.4 Protection against Malicious Software ...................................................................... 46

6.4.1 Controls against Malicious Code .................................................................................................... 46

6.4.2 Malware Protection Policy ............................................................................................................. 47

6.4.3 Vulnerability Management Program ............................................................................................. 48

6.4.4 Configuration and Patch Management Policy ............................................................................... 51

6.4.5 Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) .......................................... 51

6.5 Backup and Restoration ........................................................................................... 52

6.5.1 Information Backup ....................................................................................................................... 52

6.6 Media Handling and Security .................................................................................... 52

6.6.1 Management of Removable Computer Media .............................................................................. 52

6.6.2 Disposal of Media .......................................................................................................................... 53

6.6.3 Security of System Documentation ............................................................................................... 53

6.7 Network Security and Management ......................................................................... 53

6.7.1 Restriction on Physical Access to Ensono’s Network ..................................................................... 53

6.7.2 Requirements for the Security of Ensono’s Network .................................................................... 53

6.7.3 Requirements for Network Management ..................................................................................... 54

6.7.4 Network Firewall Standard ............................................................................................................ 54

6.7.5 Router and Switch Security Standards ........................................................................................... 57

6.7.6 Wi-Fi Networks and Devices .......................................................................................................... 57

6.7.7 Remote Access Standard ............................................................................................................... 58

6.8 System Configurations .............................................................................................. 59

6.8.1 Server and Mainframe Security Standard ...................................................................................... 59

6.8.2 Workstation Security Standard ...................................................................................................... 61

6.8.3 Email Standard ............................................................................................................................... 62

6.9 Exchanges of Information and Software ................................................................... 63

6.9.1 Information Confidentiality ........................................................................................................... 63

6.9.2 Information Reliability ................................................................................................................... 64

6.9.3 Public Representation .................................................................................................................... 64

7 Firewall General Security Controls .......................................................... 66

7.1.2 Router and Switch Security Standards ........................................................................................... 68

Page 9

7.1.3 Wi-Fi Networks and Devices .......................................................................................................... 68

7.1.4 Remote Access Standard ............................................................................................................... 69

7.2 System Configurations .............................................................................................. 70

7.2.1 Server and Mainframe Security Standard ...................................................................................... 70

7.2.2 Workstation Security Standard ...................................................................................................... 72

7.2.3 Email Standard ............................................................................................................................... 73

7.3 Exchanges of Information and Software ................................................................... 74

7.3.1 Information Confidentiality ........................................................................................................... 74

7.3.2 Information Reliability ................................................................................................................... 75

7.3.3 Public Representation .................................................................................................................... 75

8 Personnel Security .................................................................................. 77

8.1 Personnel Security Objectives ................................................................................... 77

8.2 Security Included in Job Roles ................................................................................... 77

8.2.1 Including Security in Job Role Definition ....................................................................................... 77

8.2.2 Personnel Screening Policy ............................................................................................................ 77

8.2.3 Terms and Conditions of Employment .......................................................................................... 77

8.3 Personnel Education, Training, and Awareness ......................................................... 77

8.3.1 Security Training and Awareness ................................................................................................... 77

8.4 Responding to Security Incidents .............................................................................. 78

8.4.1 Security Incident Handling Priorities ............................................................................................. 78

8.4.2 Security Incident Reporting ........................................................................................................... 78

8.4.3 Security Incident Response Procedures ......................................................................................... 78

8.4.4 Reportable Information Security Incidents Standard .................................................................... 78

8.4.5 Security Incident Information Retention and Classification .......................................................... 80

8.5 Problem Management .............................................................................................. 80

8.5.1 Reporting Software Malfunctions .................................................................................................. 80

9 Application Development and Maintenance ........................................... 81

9.1 Application Development and Maintenance Objectives ............................................ 81

9.2 Security Inclusion in Application Development ......................................................... 81

9.2.1 Application Development General Security Controls .................................................................... 81

9.2.2 Application Development Design and Planning ............................................................................. 81

9.2.3 Creation of New Security Architecture or Design .......................................................................... 81

9.3 Software Coding and Testing Requirements .............................................................. 81

9.3.1 Input Data Validation ..................................................................................................................... 81

Page 10

9.3.2 Control of Internal Processing ....................................................................................................... 82

9.3.3 Output Data Validation .................................................................................................................. 82

9.4 Cryptographic Controls ............................................................................................. 82

9.4.1 Key Management ........................................................................................................................... 82

9.4.2 Encryption ...................................................................................................................................... 83

9.5 Security of System Files ............................................................................................ 83

9.5.1 Control of Operational Software ................................................................................................... 83

9.5.2 Protection of System Test Data ..................................................................................................... 84

9.5.3 Access Control to Program Source Library .................................................................................... 84

9.6 Security in Development and Support Processes ....................................................... 84

9.6.1 Change Control Procedures ........................................................................................................... 84

9.6.2 Technical Review of Operating System Changes ........................................................................... 85

9.6.3 Covert Channels and Trojan Code ................................................................................................. 85

10 Business Continuity/Disaster Recovery (BC/DR) ...................................... 87

10.1 Business Continuity/Disaster Recovery Objectives .................................................... 87

10.2 BC/DR Management Oversight ................................................................................. 87

10.2.1 BC/DR Management Controls ................................................................................................... 87

11 Physical and Environmental Security ....................................................... 88

11.1 Physical and Environmental Security Objectives ....................................................... 88

11.2 Physical Security General Controls ............................................................................ 88

11.2.1 General Physical Security Notification ...................................................................................... 88

11.2.2 Clean Desk Policy ....................................................................................................................... 88

11.2.3 Removal of Property .................................................................................................................. 89

11.3 Secure Areas ............................................................................................................ 89

11.3.1 Physical Security Perimeter ....................................................................................................... 89

11.3.2 Physical Entry Controls .............................................................................................................. 89

11.3.3 Securing Offices, Rooms and Facilities ...................................................................................... 89

11.3.4 Working in Secure Areas ........................................................................................................... 90

11.4 Equipment Security .................................................................................................. 90

11.4.1 Equipment Protection ............................................................................................................... 90

11.4.2 Power Supplies .......................................................................................................................... 90

11.4.3 Cabling Security ......................................................................................................................... 90

11.4.4 Security of Offsite Equipment ................................................................................................... 90

11.4.5 Secure Disposal or Re-use of Equipment................................................................................... 91

Page 11

12 Compliance (p. 92)
12.1 Compliance Objectives (p. 92)
12.2 Compliance with Legal Requirements and Ensono Policy (p. 92)
12.2.1 Identification of Applicable Legislation (p. 92)
12.2.2 Intellectual Property Rights (p. 92)
12.2.3 Safeguarding of Organizational Records (p. 92)
12.2.4 Legal Conflicts (p. 92)
12.2.5 Prevention of Misuse of Information Assets (p. 92)
12.2.6 Collection of Evidence (p. 93)
12.2.7 Reviews of Security Policy Compliance (p. 93)
12.3 System Audit Considerations (p. 93)
12.3.1 System Audit Controls (p. 93)
12.3.2 Protection and Use of System Audit Tools (p. 93)


1 Information Security Policy

1.1 PURPOSE

This document, along with any subordinate policies, standards, procedures, and guidelines (collectively, the Ensono, LP (Ensono) Information Security Policy (ISP)), establishes a risk-oriented Information Security governance framework through which comprehensive confidentiality, integrity, and availability controls are defined for the protection of information, systems, and solutions owned or managed by Ensono.

Because of Ensono’s business model, this policy represents the objectives of a new security program that will be implemented as the Ensono business matures following the significant event of the acquisition of Ensono’s business.

The Information Security Policy is provided to outline those controls Ensono believes should be present in an appropriately secured environment. To be effective, an Information Security governance program must be a team effort involving the participation and support of Ensono users at all levels and locations within the organization. It is the intent of the ISP to define the means by which Ensono can effectively identify and respond to a variety of threats to information and information resources. These threats include unauthorized access, disclosure, duplication, modification, appropriation, destruction, loss, misuse, and denial of service.

The ISP outlines Ensono’s directives for Information Security. These directives include:

- Communicating expectations concerning Information Security to members of Ensono’s board and all employees, contractors, consultants, clients, potential clients, vendors, business partners and other users of information, systems, or solutions managed by Ensono.
- Promoting Information Security awareness.
- Establishing responsibility and accountability for overseeing Information Security issues.
- Establishing a mechanism to notify the appropriate personnel in case of an Information Security incident.
- Establishing guidelines to assess security and protection techniques applied to information, systems, and solutions.
- Protecting Ensono’s information, systems, and solutions, as well as those entrusted to Ensono by clients, by safeguarding their Confidentiality, Integrity, and Availability (CIA).
- Establishing effective security controls designed to protect the organization’s information, systems, or solutions from theft, abuse, misuse, or any other form of damage.
- Encouraging employees at all levels within the company to maintain an appropriate level of awareness, knowledge, and skill such that they can assist in minimizing the occurrence and severity of Information Security incidents.
- Ensuring that Ensono is able to continue its commercial activities in the event of significant Information Security incidents.
- Providing a suitable baseline that facilitates conformance with ISO 27002:2013 and other industry-recognized Information Security frameworks.

1.2 SCOPE


The scope of this document encompasses Ensono’s enterprise-wide Information Security management system framework, which defines specific policies to protect the confidentiality, integrity, and availability of the company’s information assets. The security domains include but are not limited to:

- Organizational Security
- Access Control
- Asset Classification and Control
- Communications and Operations Management
- Personnel Security
- Application Development and Maintenance
- Business Continuity/Disaster Recovery Management
- Physical and Environmental Security
- Compliance
- Internal Audit

This document applies to the following:

- All users of Ensono’s information assets, which may include, but are not limited to, employees, contractors, consultants, clients, vendors, temporary personnel and business partners. These individuals are collectively referred to as “users”.
- All users working at Ensono sites, remotely, or in any other situation where Ensono information or information assets are used or accessed.
- All Ensono information assets including, but not limited to, computing devices, networks, telephones, magnetic or optical media and paper, regardless of the location, organizational unit, or controlling entity where these information assets are being generated, created, accessed, viewed, processed, stored, used, acquired, purchased, obtained, manipulated, modified, deleted, or disposed.
- Ensono assets delivering client services in a multi-tenanted, shared resource manner.

This policy does not apply to dedicated client environments managed by Ensono, nor does it govern the manner in which Ensono clients use Ensono assets. Dedicated client environments will be governed by policies specified by the client.

1.3 POLICY COMMUNICATION

1.3.1 Creation and Distribution

Ensono’s Security Director has overall responsibility for the creation and distribution of the ISP.

The ISP is distributed for viewing by all associates and authorized third parties through Ensono’s associate portal.

This document is classified INTERNAL USE ONLY. It is releasable to clients, customers, vendors, or other individuals or organizations with a need-to-know that have executed a Non-Disclosure Agreement.

1.3.2 Security Communication and Training

Associates are kept aware of policy changes via the following communication methods:


- Emails
- Intranet (e.g., Ensono’s associate portal)
- Staff meetings
- Annual security awareness training

Security awareness training is conducted for all associates at least annually, to ensure that all personnel are aware of the importance of Information Security. New hires are required to complete security awareness training within ten (10) business days of their start date as part of the required new hire training curriculum.

Ensono ensures that all authorized third parties covered by the ISP are familiar with its requirements.

1.3.3 Enforcement and Compliance

Ensono’s Security Director maintains primary responsibility for enforcing compliance with the ISP and any subordinate policies, standards, and procedures. The Security Director may authorize specific teams to assist in managing these responsibilities. To be effective, Information Security must be supported by management and is a team effort involving the participation and support of every user. All users of Ensono information assets are responsible for properly using the security controls Ensono makes available, including technical, administrative, or other appropriate measures to protect information assets.

All users of Ensono information assets shall fully comply with this policy and all related security documents. Users who are found in violation of policy are subject to disciplinary action up to and including immediate termination of employment, or immediate termination of the client, partner, and/or vendor relationship.

1.3.4 Review, Update, and Maintenance

Ensono’s Security Director, as set forth within Ensono’s Security Charter, is responsible for maintaining the ISP as necessary to ensure Ensono’s security practices contain the controls required to offset new security threats and vulnerabilities as they arise. The ISP is reviewed and approved at least annually by the Executive Leadership and the Risk Management Committee.

The ISP is considered a living document and as such is subject to change and modification, with or without notification, as necessary to protect Ensono business objectives. When business requirements may require a policy change within the ISP, users are encouraged to request the change by contacting the Ensono Security team (E-SEC) via email at [email protected].

1.3.5 Exception Request Process

As necessary for business continuity, Ensono allows for exceptions to the ISP or subordinate policies, standards, and procedures.

Exceptions are a deviation from Ensono’s identified security stance and are granted with the expectation that the requesting party will expeditiously devise and implement a solution that allows for a return to normal security operations. Exceptions should be submitted to E-SEC by sending the request via email to [email protected].


Exception requests can be granted up to a maximum of one year. Failure to abide by the documented Exception Request is considered a security violation and may be subject to disciplinary action up to and including immediate termination of employment or immediate termination of the client, partner, and/or vendor relationship.


2 Organizational Security

2.1 ORGANIZATIONAL SECURITY OBJECTIVES

- To identify and document specific roles and responsibilities to ensure that Information Security is consistently reinforced throughout Ensono and that security controls are successfully implemented.
- To provide guidance for cooperation with external entities.
- To ensure proper authorization for integration of new assets into Ensono’s environment.
- To ensure adequate security of information and information assets when accessed and used by third parties.
- To maintain the security of information when outsourced to another organization.

2.2 INFORMATION SECURITY GOVERNANCE

The ISP provides governance and structure for Ensono as it relates to all Information Security. This document takes precedence over documentation of similar content and has the following objectives:

- To protect Ensono’s information and information assets against accidental or deliberate modification or destruction through the use of a continuous program of risk assessment and management.
- To prevent the unauthorized (accidental or deliberate) disclosure, misuse, or misappropriation of information.
- To detect unauthorized access or misuse of information and information assets.
- To perform damage assessments in a timely and accurate manner following the detection of unauthorized disclosure of information or the unauthorized penetration or misuse of information assets.
- To identify, report and correct vulnerabilities and exposures within Ensono’s information assets.
- To identify and document specific roles and responsibilities to ensure that Information Security is consistently reinforced throughout Ensono and that security controls are successfully implemented.

2.3 ROLES AND RESPONSIBILITIES

This section outlines the primary roles within Ensono’s Information Security framework as well as the responsibilities and expectations associated with these roles.

2.3.1 Executive Leadership

Ensono’s Executive Leadership fulfills the following responsibilities:

- Establish accountability for Information Security and Enterprise Risk Management within the Ensono organization
- Define and communicate the overall vision, direction, and business objectives necessary for the organization to be successful
- Maintain strategic responsibility, knowledge, and awareness of the risk posture of Ensono’s business
- Provide continuous and visible support of the organization’s Information Security program
- Maintain accountability to the Ensono Board of Directors for overall risk to the Ensono business; provide Risk Management reports to the Board of Directors quarterly or as required by the Board of Directors


2.3.2 Risk Management Committee

Ensono’s Risk Management Committee fulfills the following responsibilities:

- Provide on-going oversight of permissible risk for all business engagements
- Provide guidance, oversight, education, and consultative services to those teams chartered with limiting risk within Ensono
- Oversee the quarterly Risk Management reporting process and, where appropriate, report risks to Executive Leadership
- Oversee implementation and maintenance of the Enterprise Risk Management Program
- Require quarterly reporting of Information Security related risks from the Security and Compliance teams

The Risk Management Committee will be chaired by the following positions:

- Security Director
- Sr. Manager, Audit & Compliance

The Risk Management Committee participants will include functional areas such as Legal, Human Resources, Service Operations, and other teams as appropriate.

2.3.3 Information Owners

Information Owners are the identified and authorized individuals that have been tasked by Ensono’s Senior Management with the responsibility for controlling the production, development, maintenance, use, and security of information, systems, and solutions.

Information Owners fulfill the following responsibilities:

- Serve as the business owner for the data being supported by all systems and solutions under their purview
- Assist in providing compliance with this policy for their designated area of responsibility
- Assist Security and Ensono Service Operations teams in implementing relevant security controls purposed to minimize identified risk to their information, systems, and solutions, and Ensono’s business objectives
- Participate in the Security Incident Response Plan and act as liaison to all relevant Ensono teams or third parties
- Fulfill the role of primary point of contact for all information, systems, and solutions within their purview
- Identify and document classifications for all information within their purview
- Identify and document the criticality of systems and solutions to support business objectives
- Define roles and responsibilities for access to information, systems, and solutions
- Authorize user access to information, systems, and solutions
- Identify and document all processes required to support business objectives
- Collaborate with Ensono Service Operations teams to ensure that systems and solutions meet or exceed requirements outlined within the ISP
- Designate a backup Information Owner in the event the primary is unavailable
- Assist Ensono Operations teams in reviewing user access to systems and solutions on at least a quarterly basis
- Assist in improving Ensono’s Information Security governance framework through feedback to Security
- Recommend policy and control enhancements to Security


- Participate in the Risk Management Committee as requested
- Participate in the Security Incident Response Plan as requested

2.3.4 Audit & Compliance

Ensono’s Audit & Compliance function is responsible for overseeing the implementation and enforcement of all governance requirements. They are responsible for the following:

- Contribute to the Enterprise Risk Management Program and chair the Risk Management Committee
- Conduct regular oversight activities to ensure all security controls are reasonable, effective, and enforced where appropriate
- Assist operational and technical teams in interpreting security compliance requirements
- Communicate necessary enhancements to the ISP as a result of policy review or legislative and regulatory changes
- Facilitate the execution of both internal and external audits of Ensono controls and processes
- Facilitate the execution of Ensono customer audits and security assessments
- Develop and communicate an audit schedule in advance to ensure participation by all affected areas
- Maintain a separation of duties from Ensono operations and Security teams
- Determine the appropriate scope and objectives of internal audits covering risk areas as identified in a prioritized approach based on the Risk Committee’s direction
- Conduct internal audits of Ensono’s security and controls and report audit results to management
- Perform review of new/revised processes and provide input on audit controls

2.3.5 Security Director

Ensono’s Security Director manages the Security organization. The Security Director fulfills the following responsibilities:

- Contribute to the Enterprise Risk Management Program and chair the Risk Management Committee
- Define Ensono’s Information Security governance framework
- Maintain the primary responsibility for enforcing compliance with the ISP, the Information Security governance framework and any subordinate policies, standards, and procedures
- Serve as custodian of the ISP, facilitating approval from Executive Leadership and the Risk Management Committee, or act as delegated approver
- Identify those security requirements necessary to effectively limit the risk associated with the identified business objectives as defined by Ensono’s executives and senior management
- Provide oversight of the Ensono Information Security Program
- Provide oversight of Information Security threat monitoring, management, and response activities
- Approve all ISP Exception Requests


2.3.6 Ensono Security (E-SEC)

The Ensono Security team (E-SEC) is the Security Director’s organizational unit and comprises various security-focused teams. Security staff members have the general responsibilities of managing risks and Information Security at Ensono, the specifics of which vary by team, scope of work, and area of expertise. These responsibilities may include, but are not limited to, the following:

- Continuously update protection mechanisms and technologies to provide Ensono the highest degree of service and protection
- Identify and assess risks that are associated with business objectives as defined by Ensono’s corporate executives and senior management
- Determine the risk management requirements necessary to effectively limit, mitigate, monitor, and/or control identified risks in a way that aligns with and supports the associated business objectives
- Ensure that the selected risk management requirements are implemented and used appropriately
- Perform Information Security related threat monitoring, management, and response activities
- Assist the Security Director in identifying those security requirements necessary to effectively limit the risk associated with the identified business objectives as defined by Ensono’s corporate executives and senior management
- Manage and facilitate all ISP Exception Requests
- Maintain the Ensono Information Security Policy (ISP), as the foundation of Ensono’s Information Security governance framework, and any subordinate policies, standards, and procedures
- Provide interpretation of the ISP and the Information Security governance framework when necessary
- Provide general information for security training, education, and awareness
- Provide definitions for Information Security classifications
- Provide management of the Security Incident Response Team (SIRT)
- Act as the primary contact for and lead all investigative activities

2.3.7 Physical Security

Ensono’s Physical Security provides protection oversight and implementation of physical safeguards within Ensono’s facilities. Physical Security fulfills the following responsibilities:

- Define, enforce, and monitor compliance with identified physical safeguards
- Define, maintain, and monitor all video surveillance, card readers, biometric controls, and building access
- Collaborate with E-SEC to develop, implement, and monitor a comprehensive security education, training, and awareness program
- Participate in the Risk Management Committee as requested
- Participate in the Incident Response Program as requested

2.3.8 Legal Organization

Ensono’s Legal Organization fulfills the following responsibilities:


- Protect Ensono’s intellectual property rights such as copyrights and patents
- Advise Security regarding legal matters
- Communicate necessary enhancements to the ISP as a result of policy review and legal, regulatory, or contractual changes
- Serve as Privacy Officer and maintain and enforce privacy policies in accordance with legal, regulatory, and contractual requirements
- Counsel Ensono account management and delivery teams on customer contractual obligations
- Review, amend and approve all customer and vendor contracts
- Participate in the Risk Management Committee as requested
- Participate in the Incident Response Program as requested

2.3.9 Human Resources Organization (HR)

Ensono’s HR organization fulfills the following responsibilities:

- Inform all employees, contractors and third party users of their Information Security roles and responsibilities, prior to granting access to sensitive information or information systems
- Ensure all employees, contractors and third parties are provided with guidelines/rules that state the security expectations of their roles within the organization
- Achieve an appropriate level of awareness of security controls among all employees, contractors and third parties, relevant to their roles and responsibilities
- Assure conformity to the terms and conditions of employment related to privacy and security
- Motivate adherence to the privacy and security policies of the organization, such as with an appropriate sanctions policy
- Mitigate the risks of a failure to adhere to policies by facilitating role-based access to the organization's information
- Conduct pre-employment screening by ensuring appropriate background verification checks (“screening”) for all candidates for employment, contractor status, or third party user status, or those that will have access to Ensono
- Implement and maintain terms and conditions of employment by ensuring all employees, contractors, and third party users agree to and sign a statement of rights and responsibilities for their affiliation with the organization, including rights and responsibilities with respect to information privacy and security
- Facilitate Information Security awareness, education and training by ensuring all employees of the organization, and, where relevant, contractors and third party users, receive appropriate awareness training and regular updates of organizational policies and procedures relevant to their job functions
- Implement a formal disciplinary process for employees who have committed a policy violation
- Maintain responsibilities and practices for performing employment termination or change of employment, including the following:
  - Removal of access to all information resources


  - Changes of responsibilities and duties within the organization are processed as a termination (of the old position) and re-hire (to the new position), using standard controls for those processes unless otherwise indicated
  - Facilitating the return of all information and physical assets upon termination of the employment relationship or contract
- Participate in the Risk Management Committee as requested
- Participate in the Incident Response Program as requested

2.3.10 Chief Technology Office (CTO)

Ensono’s Chief Technology Office is responsible for the following:

- Maintain knowledge and awareness of industry related security, privacy, and regulatory requirements
- Serve in an evangelist role for promoting security and risk management related practices within Ensono products, services, and technologies
- Ensure Information Owners and Data Classifications are appointed for all new products, services, systems, and assets under the CTO purview
- Ensure security, privacy, and regulatory requirements are incorporated into Ensono products, services, and technologies
- Set guidelines and standards for incorporation of security and risk management practices into Ensono products, services, and technologies
- Participate in the Risk Management Committee as requested
- Participate in the Incident Response Program as requested

2.3.11 Ensono Service Operations

Ensono Service Operations provides the day-to-day administrative and operational aspects of all technologies supporting both Ensono’s business and its clients. This organization fulfills the following responsibilities within its areas of responsibility:

- Serve as Information Custodian and support the day-to-day operational tasks associated with implementing the Information Owners’ and Security requirements
- Review and understand the information classification level for the information for which they are responsible
- Review and understand the handling requirements for the various classifications of information present at Ensono
- Notify the Information Owner, their chain of management, or Security in the event they feel a security incident has occurred
- Ensure Information Security controls are present and consistent with the intent and direction of the Information Security governance framework
- Recommend policy and control enhancements to Security
- Provide detailed subject matter expertise to assist with the development and maintenance of the ISP
- Identify potential Information Security vulnerabilities and gaps
- Monitor Ensono’s environment, where appropriate, to identify, contain, or eliminate unauthorized activity


- Collaborate with E-SEC to investigate unauthorized activities and Information Security incidents
- Execute the day-to-day security management of information, systems, and solutions through the application of controls as defined within the ISP
- Serve in the role of subject matter expert for all technical and developmental issues regarding Information Security within the area of responsibility
- Participate in the Risk Management Committee as requested
- Participate in the Incident Response Program as requested

2.3.12 Enterprise Operations Center (EOC)

The EOC serves as Ensono’s single point of contact for all data center operations and support activities. This organization fulfills the following responsibilities:

- Provide 24x7x365 operational support
- Facilitate triage calls on behalf of Ensono or clients
- Escalate critical issues to appropriate Ensono or client teams
- Facilitate communication and status updates to Ensono and client teams
- Provide broadcast messaging
- Identify and contact Ensono support teams
- Provide support and participate in the Incident Response Program as requested
- Participate in the Risk Management Committee as requested
- Participate in the Incident Response Program as requested

2.3.13 End Users

Ensono defines an End User as any individual that interacts with information, systems, or solutions owned or managed by Ensono. End users fulfill the following responsibilities:

- Conduct day-to-day business practices in such a way as to support the intent of the ISP
- Review and understand the information classification level for the information with which they are working
- Review and understand the handling requirements for the various classifications of information present at Ensono
- Notify the Information Owner, their chain of management, or Security in the event they feel a security incident has occurred
- Comply with Ensono’s security and privacy policies related to data handling

2.4 AUTHORIZATION PROCESS FOR NEW INFORMATION ASSETS

The acquisition and use of any new information assets shall have appropriate managerial approval. Prior to implementation or integration into any environment, all hardware/software assets shall be evaluated to ensure they support business and security requirements.

Ensono’s Mobile Handheld Usage Standard establishes the requirements for the approved use of personal mobile devices (such as smartphones and tablet computers) to connect to the Ensono infrastructure and/or to access Ensono-owned or managed data.

For personal assets not addressed by Ensono’s Mobile Handheld Usage Standard:


- Use of such personal assets to conduct Ensono business and/or to connect to Ensono information resources shall be strictly limited and shall be approved by the appropriate manager and Security prior to use.
- All such devices shall adhere to all of Ensono’s security practices prior to integration into Ensono’s environment.

2.5 COOPERATION BETWEEN ORGANIZATIONS

Ensono shall maintain appropriate contacts with outside organizations to ensure that appropriate actions can be quickly taken and advice obtained in the event of a security incident. This should include, but is not limited to, the following:

- Law enforcement authorities
- Regulatory agencies
- Information service providers
- Telecommunications operators
- Others, as necessary, to protect Ensono’s information assets

Exchanges of security information shall be restricted to ensure that confidential information is not inadvertently provided during a security incident.

2.6 INDEPENDENT REVIEW OF INFORMATION SECURITY

Ensono Audit & Compliance shall conduct independent reviews of Ensono’s Information Security practices.

2.7 SECURITY REQUIREMENTS FOR THIRD PARTY ACCESS

2.7.1 Requirements in Third Party Contracts

- All contracts between Ensono and a third party shall include language protecting Ensono’s information assets and requiring compliance with the ISP and Information Security practices, where necessary and applicable.
- Non-Disclosure Agreements shall be completed prior to engaging any third party, including clients or potential clients, in any business endeavor that discloses information beyond that designated as “Public,” regardless of the format.
- Security shall be engaged whenever a legal contract includes Information Security concerns or security controls.
- The customer waiver shall be used whenever a third party requests a practice that introduces unnecessary or unacceptable risk to Ensono. The need for the waiver will be determined by Ensono Legal, Audit & Compliance, or Security.

2.7.2 Requirements for Outsourcing to 3rd Parties

- Outsourcing contracts shall contain appropriate language identifying which organization’s security practices will govern the controls within the specified environment.
- When governing security practices have not been identified, the ISP shall be the governing document.
- Ensono 3rd party contracts shall contain language that provides Ensono with the right to audit, should Ensono so choose.
- Outsourcing contracts shall, where necessary, contain provisions for compliance with international, federal, state and local requirements.

2.7.3 Requirements for Ensono Delivered Services

- Security requirements within customer environments are defined by clients’ written specifications.
- Clients are responsible for managing their compliance program(s), protecting regulated data, and ensuring compliance by formally specifying Ensono’s responsibilities.
- Where security and compliance requirements have not been specified by the customer, the degree of security controls implemented will be at Ensono’s discretion.
- Ensono will track all environment changes within the Ensono ticketing system and ensure approvals are received from all appropriate parties.
- All security-related administration activities provided by Ensono will require written procedures provided by the client.
- Client environments that do not conform to a minimum set of security controls may be asked to sign a liability waiver.

2.7.4 Confidentiality Agreements for Non-Employees

- Non-employee users shall be required to complete Ensono’s Non-Disclosure Agreement prior to being granted access to information resources owned or managed by Ensono.
- Violations of Ensono’s Non-Disclosure Agreement are considered breach of contract, and may result in immediate termination of the client, partner, or vendor relationship.


3 Acceptable Use Policy

3.1 GENERAL ACCEPTABLE USE POLICY

Use of Ensono information assets or facilities, whether owned, managed or leased, is limited to authorized users.

Users of Ensono information assets or facilities shall not assume their actions are private, privileged or protected. Where permissible by law, Ensono reserves the right to monitor users in any manner the company deems appropriate. This may include video, audio or electronic monitoring of activities including, but not limited to, the following:

- Telephone conversations
- Email content and destinations
- Instant messaging communications
- Social media/networking communications
- Cloud service usage
- Internet access and downloading
- Data access
- Keystrokes
- Work habits

In the event that monitoring reveals criminal activities, the evidence and related information may be turned over to law enforcement officials at the sole discretion of Ensono, without consent or notice to the individuals involved.

Violations of the ISP, unauthorized use of information assets or inappropriate use of information assets are cause for disciplinary action up to and including immediate termination of employment or access.

3.2 ELECTRONIC COMMUNICATIONS AND ONLINE SYSTEMS ACCEPTABLE USE POLICY

Ensono’s electronic communications and online systems are provided to employees for business purposes, but Ensono does recognize that employees may, on occasion, wish to use these systems for personal use. Employees should keep in mind that use during company time, and use that interferes with the performance of company business or an employee’s assigned duties, is not permitted and may be cause for disciplinary action and/or termination. Examples of personal use include, but are not limited to: personal communications, game playing, chat rooms, job searching, online merchandising, sports, personal pages and other entertainment.

In all situations, Ensono reserves the right to monitor the user’s electronic communications and online activity. Ensono has the right and the ability to track, review, audit or disclose any records originating from and/or accessed by a user ID, as well as from Ensono equipment or non-Ensono-owned equipment that is using Ensono resources. Accordingly, users should not have an expectation of privacy in electronic communications or online systems and should not consider such activities to be private or confidential. All electronic communications and online records are considered company property and are subject to inspection and disclosure to certain Ensono employees, law enforcement, and government officials, or to other third parties as deemed appropriate by Ensono.

Ensono’s electronic communications and online systems shall not be used to:

- Create any discriminatory, defamatory, offensive, disruptive or otherwise inappropriate or unprofessional communications. Among those communications considered inappropriate or unprofessional are any communications which contain sexual implications, racial slurs, gender-specific comments or any other comments that inappropriately or unprofessionally address someone’s age, race, gender, color, national origin, religion, sexual orientation, disability or veteran status.
- Access any discriminatory, defamatory, offensive, disruptive or otherwise inappropriate or unprofessional websites including, but not limited to, sites that contain information related to the communications described above, pornography, hate speech, illegal drugs, other illegal activities or gambling.
- Divulge or obtain copyrighted materials, confidential information, trade secrets, proprietary financial information or similar materials without prior authorization.
- Load unapproved applications on a computer/workstation that periodically and automatically download data from the Internet. These applications, when widely installed, can be detrimental to the performance of Ensono’s networking systems.
- Perform any act that is illegal or otherwise in violation of any applicable federal, state or local laws, regulations or ordinances.
- Conduct private business activities.
- Cause Ensono to incur any additional unauthorized costs.
- Misrepresent, obscure, suppress or replace a user’s identity.
- Establish new Internet Web pages dealing with Ensono business, or make modifications to existing Web pages dealing with Ensono business, unless done in compliance with Ensono policies and applicable contract requirements.
- Download, copy, distribute or share copyrighted, illegal or illicit material.
- Duplicate or use unauthorized computer software for any purpose.
- Download content in violation of copyright laws. In addition, users are prohibited from using file sharing or “peer to peer” applications or software for the purpose of acquiring or distributing music in violation of copyright laws.

3.3 WORKSTATION ACCEPTABLE USE POLICY

- Workstations provided by Ensono to conduct Ensono-related business are the property of Ensono and are subject to removal or reallocation at any time.
- Ensono-provided workstations are provided for the primary purpose of conducting Ensono business.
- Users are prohibited from using Ensono-provided workstations to negatively impact Ensono business processes.
- Users are prohibited from altering or changing workstation hardware configurations without approval from the Ensono Desktop team.
- Users are prohibited from altering or changing workstation software configurations in ways that modify or disable administrative controls implemented by Ensono support personnel.
- Installation of user-provided software is restricted and shall adhere to the software installation requirements specified within the ISP.
- USB drives shall be disabled on user workstations unless specifically authorized in accordance with the established security exception process.
- Permitted external storage devices conforming to Ensono’s standards will be distributed to authorized users.
- Only Ensono-issued devices are permitted for use with Ensono workstations. Mobile devices are permitted in accordance with the Mobile Device Standard.
- Ensono associates should make every effort to store company data on shared drives and avoid storage on the local hard drive.
- The use of cloud-based services with Ensono assets is prohibited unless sanctioned by Ensono.
- The use of cloud or other such services to transfer Ensono data under personal accounts, personal credit cards, or by other such means is strictly prohibited.

3.4 AUTHORIZED USE BANNER

The following banner, or similar language, shall be displayed wherever user logon occurs:

This system is for authorized use only. Any use of the system is subject to monitoring and recording by systems personnel. Anyone using this system expressly consents to such monitoring and recording and is advised that if such monitoring and/or recording reveals possible criminal or unethical activity, system personnel may, in addition to other actions, provide the evidence of such monitoring to law enforcement officials.

4 Access Control

4.1 ACCESS CONTROL OBJECTIVES

- To control access to information and information assets
- To protect network services
- To detect unauthorized activities
- To ensure effective Information Security practices when using mobile computers and telecommuting

4.2 USER ACCESS CONTROLS

4.2.1 General Requirements for User Access

Access to information in the possession of or under the control of Ensono must be provided only to people who have a legitimate business need for the information. The access levels of individuals and groups are to be determined by comparing the classification of the data to the business requirements. User access management must be implemented to prevent unauthorized access to systems and/or data.

- The process of granting user access shall be standardized and documented for all types of access granted.
- Each user’s access privileges shall be authorized by their appropriate manager according to business needs.
- All user access shall be restricted based on Ensono’s information classifications.
- Privileged user attributes must be restricted to users with a job function requiring that level of access.
- The process for creating user accounts shall be standardized and documented for all types of user accounts.
- All individual Ensono users shall be uniquely identified.
- Anonymous access to any Ensono resource shall be strictly prohibited unless the system is designed for all users to be anonymous. This includes, but is not limited to, electronic bulletin boards, Internet web sites and intranet web sites.
- All users shall sign documentation stating that they understand the appropriate use of their assigned user accounts and that they are solely responsible for use of their user account.
- All accounts used to access Ensono’s information and/or information assets shall be required to have a password, or other solution approved by Security, for authentication of that account.
- All passwords shall comply with Ensono’s password standard.
- Ensono user access shall not compromise the confidentiality, integrity or availability of Ensono resources.
- Generic or shared user accounts shall be generally prohibited on all Ensono resources unless authorized by Security through the ISP Exception Request Process.
- All Ensono user accounts shall be reviewed on a regular basis as defined in the ISP and associated standards.
- Ensono user access shall be updated, when necessary, in a timely manner.
- Ensono user access shall be implemented in such a way as to support the concept of “separation of duties.” This includes the separation of security administration job roles from any system administration job roles, and of software development job roles from change management controls.
- All Ensono users shall protect the confidentiality, integrity and availability of Ensono information assets.
- Wherever feasible, centralized user account administration shall be implemented for all Ensono systems.
- Development environments shall leverage a centralized user authentication structure.
- Multi-factor authentication shall be implemented for all remote access and wherever else technically feasible.
- Privileged accounts will adhere to an elevated level of security standards.

4.2.2 General Requirements for Account Registration

User access to multi-user information systems including, but not limited to, workstations, servers, network resources, production environments, development environments and mainframes shall be controlled through the following formal user registration process:

- The creation of an individual user account shall require a written or electronic request from an appropriately authorized manager.
- Redundant or duplicate user IDs shall be prohibited on all Ensono information resources.
- All user registration shall be administered by a limited and controlled group of administrators.
- The Information Owner shall be responsible for reviewing the creation of each user account to ensure that it was conducted appropriately.

4.2.3 Requirements for User Account Creation

User accounts should be created in such a way as to facilitate their periodic review by Information Custodians. To that end, user account creation shall adhere to the following:

- When the system permits, the user account name shall match the user’s full name as specified within Ensono’s payroll system. Creation of user accounts for non-Ensono users shall follow the same format.
- For systems that are incapable of implementing user account names that match payroll, all user account names shall follow a standardized format that has been identified and documented.
- Whenever the system permits, user account information shall contain the following:
  - Owner or user’s full name
  - Business unit or customer name
  - Business purpose for shared, group and anonymous user accounts
  - User details including physical location, email address, and phone number
- For systems that are incapable of recording all user account identification information, identifying information shall be provided to the extent possible.

4.2.4 Management of User Accounts and Access

Access to information systems including, but not limited to, workstations, servers, network resources, production environments, development environments and mainframes shall be controlled through the following formal user management process:

- Access to information systems shall require a unique user ID.
- Access to information systems by an individual user ID shall require approval by the appropriate Information Custodian or designee.
- Information Custodians shall ensure the level of access granted for each user ID and/or group ID is appropriate for the business purpose.
- Access to information systems shall be prohibited unless explicitly granted by the Information Custodian or designee.
- Information Custodians shall maintain an accurate record of all users registered to use their information resource.
- Information Custodians or designees shall periodically review the information resources, checking for and removing terminated user IDs, generic/anonymous user IDs, and redundant/duplicate user IDs.
- Information Custodians or designees shall immediately notify the appropriate personnel when a user is transferred or has been terminated.
- Upon notification of user transfer or termination, security administrators shall immediately remove, revoke or change user account access rights as appropriate.

4.2.5 Requirements for Privileged Access

The allocation and use of privileged user accounts shall be restricted and controlled as follows:

- The privileges associated with each information resource shall be identified and documented. This includes, but is not limited to:
  - Operating Systems
  - Database Management Systems
  - Applications
- Categories of staff for which privileged access should be granted shall be identified and documented. This includes, but is not limited to:
  - Operating Systems
  - Database Management Systems
  - Applications
- The allocation of privileged access shall be provided on a need-to-use basis.
- The process for granting privileged access shall follow the same requirements as the user registration process.
- The Information Custodian shall maintain documentation for all users provided with privileged access.
- Wherever possible, system routines and automated processes shall be used to conduct privileged tasks.
- Privileged access shall be audited and logged at all times. Logs shall be maintained in a centralized solution and monitored by Security teams.
- Privileged access shall be protected and granted in such a way as to ensure that actions conducted while using privileged access can be traced to a unique user account.

4.2.6 Review of User Access

To maintain effective controls over user access to data and information resources, a formal process shall be implemented to review user access on a regular basis. To maintain these effective controls the following shall be adhered to:

- Information Custodians or their designees shall review user access to resources on a quarterly basis. The review should specifically identify and revoke access for, or remove, the following:
  - Active user IDs that are no longer needed
  - User IDs assigned to terminated users that still have active access
  - Generic or anonymous user IDs
  - Redundant or duplicate user IDs
  - User IDs with excessive privileges which are no longer necessary and/or are not approved by the Information Custodian

4.2.7 User Account Lock-Out and Suspension

In order to reduce the risk of a malicious user or program using a brute force attack or a continuous process to access Ensono resources, the following shall be adhered to:

- Inactive user IDs shall be suspended after sixty (60) days of non-use.
- All user accounts shall be suspended and/or locked out after five (5) or fewer unsuccessful access attempts.
- Suspended and/or locked user accounts shall require a system administrator to unlock the account; or
- Users with the appropriate access may use the password maintenance application to unlock their account using either a personalized Q&A system or a hard key (such as a RADIUS card); or
- Users with the appropriate access may utilize a system that provides a process to automatically unlock an account after a predetermined period of time. Systems of this nature must be authorized by the appropriate Information Custodian.

Ensono’s Mobile Handheld Usage Standard establishes the requirements for user account lock-out and suspension on mobile devices (such as smartphones and tablet computers) that connect to the Ensono corporate infrastructure and/or that access Ensono-owned or managed data.
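The quarterly review in 4.2.6 and the sixty-day inactivity rule in 4.2.7 are mechanical checks that are easy to get wrong when done by hand across many resources. The following is an added example (not Ensono tooling, and not part of the original policy) of how a custodian can run those checks over an account inventory. The inventory layout, the field names (`owner`, `status`, `last_login`, `approved`, `exception_ref`), the `approved_privileges` register and the sample accounts are all assumptions made for this illustration; the policy does not say how a never-used ID is counted, so the example treats one as inactive.

```python
"""Quarterly access review with the 60-day inactivity rule.

Added example, not Ensono tooling. It applies the checks listed in 4.2.6
(terminated users with access, generic or anonymous IDs, duplicate IDs,
access no longer approved, excessive privileges) and the inactivity rule
from 4.2.7 (suspend after sixty days of non-use) to an account inventory.
The inventory layout, the field names and the "approved privileges" register
are assumptions made for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

INACTIVITY_DAYS = 60  # 4.2.7: suspend IDs after sixty (60) days of non-use


@dataclass
class Account:
    user_id: str
    owner: str                      # full name per payroll (4.2.3); "" = generic ID
    status: str                     # "active" or "terminated", from the HR feed
    last_login: Optional[date]      # None = never used
    privileges: FrozenSet[str]      # privileges currently held on the resource
    approved: bool = True           # Information Custodian still approves access
    exception_ref: str = ""         # ISP Exception Request ID for shared/generic IDs


def review_accounts(accounts: List[Account],
                    approved_privileges: Dict[str, FrozenSet[str]],
                    today: date) -> Dict[str, List[str]]:
    """Return {user_id: [findings]} for every account that needs action.

    Accounts with no findings are absent from the result.
    """
    findings: Dict[str, List[str]] = {}

    def flag(acct: Account, reason: str) -> None:
        findings.setdefault(acct.user_id, []).append(reason)

    first_id_for_owner: Dict[str, str] = {}
    for a in accounts:
        # 4.2.6: user IDs assigned to terminated users that still have access
        if a.status == "terminated":
            flag(a, "terminated user with active access")
        # 4.2.6: generic/anonymous IDs, unless covered by an approved exception
        if not a.owner and not a.exception_ref:
            flag(a, "generic or anonymous ID without ISP exception")
        # 4.2.6: redundant/duplicate IDs (same owner holding more than one ID)
        if a.owner:
            if a.owner in first_id_for_owner:
                flag(a, f"duplicate ID for {a.owner} (also {first_id_for_owner[a.owner]})")
            else:
                first_id_for_owner[a.owner] = a.user_id
        # 4.2.6: active IDs the Information Custodian no longer approves
        if not a.approved:
            flag(a, "access no longer approved by Information Custodian")
        # 4.2.6: privileges beyond those documented as approved for this ID
        excess = a.privileges - approved_privileges.get(a.user_id, frozenset())
        if excess:
            flag(a, "excessive privileges: " + ", ".join(sorted(excess)))
        # 4.2.7: sixty days of non-use; a never-used ID is treated as inactive
        # (assumption: the policy does not say how never-used IDs are counted)
        idle = None if a.last_login is None else (today - a.last_login).days
        if idle is None or idle >= INACTIVITY_DAYS:
            flag(a, "suspend: never used" if idle is None
                 else f"suspend: inactive for {idle} days")
    return findings


def sample_review() -> Dict[str, List[str]]:
    """Run the review over a constructed inventory (illustrative data only)."""
    today = date(2016, 3, 31)  # last day of the review quarter
    approved = {
        "jsmith": frozenset({"user"}),
        "adoe": frozenset({"user", "dba"}),
        "svc_batch": frozenset({"batch"}),
        "rlee": frozenset({"user"}),
        "rlee2": frozenset({"user"}),
        "pkim": frozenset({"user"}),
    }
    inventory = [
        Account("jsmith", "Jane Smith", "active", today - timedelta(days=3), frozenset({"user"})),
        Account("adoe", "Alex Doe", "active", today - timedelta(days=10), frozenset({"user", "dba", "root"})),
        Account("svc_batch", "", "active", today - timedelta(days=1), frozenset({"batch"})),
        Account("rlee", "Robin Lee", "active", today - timedelta(days=20), frozenset({"user"})),
        Account("rlee2", "Robin Lee", "active", None, frozenset({"user"})),
        Account("pkim", "Pat Kim", "terminated", today - timedelta(days=75), frozenset({"user"})),
    ]
    return review_accounts(inventory, approved, today)


if __name__ == "__main__":
    for user_id, reasons in sample_review().items():
        print(user_id, "->", "; ".join(reasons))
```

The value of running this from the HR feed and the custodian's approval register, rather than from the target system alone, is that the two findings the policy cares most about (a terminated user still holding access, and a privilege the custodian never approved) cannot be seen from the system's own account list.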

4.2.8 Suspension of Active Accounts

In certain instances, it may be necessary to temporarily suspend access for Ensono employees that have active status. In those instances, access shall be suspended unless the employee’s manager authorizes, in writing or electronic form, that the employee’s access should be maintained. Those instances include, but are not limited to, the following:

- Leave of absence
- Short-term disability
- Long-term disability

4.2.9 User Account Termination

User terminations are divided into the following three (3) categories:

- Voluntary termination
- Involuntary termination
- Third-party or non-employee termination

In the event of a termination, the following shall be adhered to:

- For terminations, both voluntary and involuntary, HR shall be involved in the notification process.
- For terminations, both voluntary and involuntary, HR shall notify all appropriate parties in a timely manner.
- Upon appropriate notification, all appropriate administrators shall immediately disable access to Ensono resources on systems within their control.
- Administrators are responsible for notifying the appropriate client or delivery teams for termination of access within client environments.
- For non-Ensono user terminations, the client organization or other sponsoring organization shall be responsible for timely notification to Ensono.
- The organization, business unit or individual sponsoring a non-Ensono user shall be responsible for informing the client of the client’s responsibility for timely notification of terminated users.

4.3 USER CONDUCT POLICY

4.3.1 User Responsibilities

Compliance with the ISP standards, procedures and guidelines on a daily basis is an important aspect of the overall Information Security structure. Users should be aware of the following responsibilities:

- Users shall be responsible for the use of their personal user account.
- Users who own a group, shared or anonymous account shall be responsible for use of that account.
- Users shall not use their authorized access to negatively impact, modify or compromise Ensono information resources.
- Users shall not engage in the subversion of existing security controls unless appropriately authorized by the Security Director. This includes, but is not limited to, the following:
  - Password cracking
  - Network, computer or device hacking
  - Brute force attacks
  - Unauthorized file decryption
  - Bootleg software copying, downloading or sharing
  - Unauthorized network, computer or device scanning
- Users shall be diligent in protecting Ensono’s information resources and the overall Information Security of Ensono.
- Users shall report suspected or identified Information Security incidents as required by the ISP.

Unauthorized attempts to circumvent an existing security measure may be unlawful and will be considered serious violations of the ISP standards, procedures and guidelines. Violations may result in disciplinary actions up to and including termination.

4.3.2 Prohibition against Harassment

Ensono strives to maintain a workplace that is free of harassment and is sensitive to the diversity of its users. Ensono prohibits the use of any information resource including, but not limited to, voicemail, computers, e-mail and Internet systems in ways that are disruptive, offensive to others, or harmful to morale. Examples of inappropriate use of such information systems include, but are not limited to, the following:

- Threatening or harassing other users.
- Using obscene or abusive language.
- Creating, displaying or transmitting inappropriate images, messages or cartoons regarding sex, race, religion, color, national origin, marital status, age, physical or mental disability, medical condition, or sexual orientation, or which in any way violate Ensono’s policy prohibiting employment discrimination and harassment in employment.
- Creating, displaying or transmitting inappropriate “junk mail” such as inappropriate cartoons, inappropriate gossip or inappropriate “joke of the day” messages.
- Creating, displaying or transmitting inappropriate “chain letters.”

Users are expressly prohibited from abusing Ensono’s information systems.

4.3.3 Restriction on Possession or Solicitation of Non-Public Data

- Users shall not solicit, possess, receive or in any way try to gain access to another company’s non-public data.
- Employees shall not coerce new employees to disclose information from their former employer that might be beneficial to Ensono or detrimental to their former employer.

4.4 PASSWORD POLICY

Access to Ensono information, systems, or solutions shall be secured by appropriate authentication methods to verify the identity of the users. All passwords must adhere to requirements published in the Ensono Password Standard. Exceeding those requirements is strongly encouraged.

The Ensono Password Standard provides details on the use and communication of passwords. All users are required to read and follow those restrictions.

4.5 CONCURRENT SESSIONS AND SESSION TIMEOUTS

4.5.1 Session Timeout

Whenever permitted by system software, a computer terminal, workstation, communication device/system, or microcomputer will automatically blank the screen and suspend the session after the recommended ten (10) minutes of system inactivity. Reestablishment of the session must take place only after the user has provided a valid password.

4.5.2 Concurrent Sessions

Whenever required by contractual obligations, or by the Information Owner, concurrent sessions may be limited.

4.6 AUDITING AND LOGGING STANDARD

Administrators of Ensono information assets shall perform a review of logging activity and audit trails according to the following:

4.6.1 Activity Logs and Audit Trails

Certain activities that occur on networks, systems and applications shall be logged. These include activities such as data requests, data transfers, changes to configuration files, and the addition, deletion or modification of user IDs.

Logs of security events shall provide sufficient data to support comprehensive audits of the effectiveness of, and compliance with, the ISP and associated standards. Audit logs will be collected from all Ensono systems. Logs should be stored in a centralized manner, and the Security Risk Management team is responsible for log monitoring and oversight.

File integrity monitoring tools or change detection software must be used on logs to ensure that existing log data cannot be changed (except when new data is added) without generating alerts.

4.6.2 Clock Synchronization

The internal clocks on systems that generate activity on Ensono-owned or managed networks shall accurately reflect the current time and date for the geographic location of the equipment. The accurate time and date shall be recorded in all log activity. Where systems in different locations feed one centralized log, each timestamp should carry its UTC offset so that events from different sites can be correlated.

4.6.3 Architecture for Logging Activities

Logs shall be created in such a manner that individual events are attributed to individual user IDs. Network devices, systems and applications that generate logs shall record the following, where applicable:

- Intrusion activity
  - Attempts to use privileges that have not been authorized
  - Failed login attempts with a valid user ID (password guessing attempts)
  - Failed login attempts with an invalid user ID
  - Failed password change attempts
  - IP address
- User activity
  - Application invoked
  - Attempted access to unauthorized data
  - Changes to critical application system files
  - Logoff date/time
  - Logon date/time
  - Password date/time
  - Use of authorized advanced privileges (security bypass, etc.)
  - User IDs
  - IP address
- User ID administration activity
  - Additions
  - Changes to the privileges of users
  - Deletions
  - Disabling
  - Modifications
  - Re-enabling
- System activity
  - Shutdown
  - Startup
- Hardware
  - Hardware and disk media errors
  - Maintenance activity

4.6.4 Backup, Archive, and Protection

Log files shall be archived to external media and secured in offsite or other appropriate storage. Log files shall be backed up as follows:

- Logs shall be rolled (a new log file activated, the old log file saved) rather than overwritten (the same log file used again, losing data).
- In general, unless a specific retention period is documented, all logs containing security-relevant events shall be retained for a minimum of one (1) year. Retention beyond this will be governed by the data backup and retention policy.
- Log files are classified as CONFIDENTIAL and shall be protected such that no individual can modify or delete the logs.
- Individuals authorized to view logs include E-SEC, Information Owners, and Information Custodians.
- In the event other persons require access to log files, approval shall be obtained from Security and/or the Information Owner.

4.6.5 Deactivation, Modification, or Deletion

Mechanisms to detect and record significant computer security events shall be resistant to attacks. These attacks include attempts to deactivate, modify, or delete the logging software and/or the logs themselves.
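Sections 4.6.1, 4.6.4 and 4.6.5 together ask for logs that can be appended to but not altered or deleted without an alert. One way to make that property checkable, shown here as an added example that is not Ensono tooling or part of the original policy, is to chain the records: each record carries an HMAC over the previous record's tag and its own text, so editing, deleting or reordering any earlier record breaks every tag after it, while appending new records keeps the chain valid. Truncation from the end is caught by checking the chain against the last tag that was forwarded to the central log server. The record layout (`text|tag`), the key, the `GENESIS` tag and the sample lines are assumptions made for this illustration.

```python
"""Tamper-evident log chain: append-only verification.

Added example, not Ensono tooling. It illustrates the requirement in 4.6.1,
4.6.4 and 4.6.5 that existing log data cannot be modified or deleted without
detection, while new records can still be appended. Each record carries an
HMAC over the previous record's tag and its own text, so any edit, deletion
or reordering of earlier records breaks every tag after it. Truncation from
the end is caught by checking the chain against the last tag that was
forwarded to the central log server (the "anchor"). The record layout,
the key and the sample lines are assumptions made for this illustration.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # tag assumed for the record before the first one


def seal(prev_tag: str, line: str, key: bytes) -> str:
    """HMAC-SHA256 over the previous tag and this line's text."""
    msg = (prev_tag + "\n" + line).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_record(chain: List[str], line: str, key: bytes) -> str:
    """Append `line` as 'text|tag' and return the new tag."""
    prev = chain[-1].rsplit("|", 1)[1] if chain else GENESIS
    tag = seal(prev, line, key)
    chain.append(f"{line}|{tag}")
    return tag


def verify_chain(chain: List[str], key: bytes,
                 anchor: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_index).

    `anchor` is the most recent tag the central log server received; if it is
    not present in the chain, records were removed from the end.
    """
    prev = GENESIS
    seen = set()
    for i, rec in enumerate(chain):
        text, sep, tag = rec.rpartition("|")
        if not sep or not hmac.compare_digest(tag, seal(prev, text, key)):
            return False, i
        seen.add(tag)
        prev = tag
    if anchor is not None and anchor not in seen:
        return False, len(chain)  # internally consistent but truncated
    return True, None


def demo() -> dict:
    """Exercise the chain with constructed records; returns the outcomes."""
    key = b"constructed-demo-key-held-by-the-collector"  # NOT a real key
    lines = [  # constructed log lines, not from any real system
        "2016-01-20T08:00:01Z host1 sshd Accepted publickey for jsmith from 10.0.0.5",
        "2016-01-20T08:02:14Z host1 sudo jsmith COMMAND=/usr/bin/systemctl restart app",
        "2016-01-20T08:03:30Z host1 useradd new user: name=svc_tmp",
    ]
    chain: List[str] = []
    anchor = GENESIS
    for ln in lines:
        anchor = append_record(chain, ln, key)  # last tag shipped to the collector

    results = {"clean": verify_chain(chain, key, anchor)}

    # Appending is allowed and must still verify (4.6.1: "except when new data is added")
    extended = list(chain)
    append_record(extended, "2016-01-20T08:05:00Z host1 sshd session closed for jsmith", key)
    results["appended"] = verify_chain(extended, key, anchor)

    # Editing an earlier record (e.g. hiding the sudo command) breaks the chain there
    edited = list(chain)
    text, _, tag = edited[1].rpartition("|")
    edited[1] = text.replace("restart app", "status app") + "|" + tag
    results["edited"] = verify_chain(edited, key, anchor)

    # Deleting a record shifts the chain; the next record's tag no longer matches
    deleted = [chain[0], chain[2]]
    results["deleted"] = verify_chain(deleted, key, anchor)

    # Truncating from the end keeps the chain consistent but drops the anchor
    truncated = chain[:2]
    results["truncated"] = verify_chain(truncated, key, anchor)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} ok={outcome[0]} first_bad={outcome[1]}")
```

The key must be held by the collector (E-SEC's centralized solution), not by the host that writes the log: an attacker with root on the host who also has the key can simply re-seal the chain after editing it. The chain therefore complements shipping records to the central solution and the file integrity monitoring required in 4.6.1; it does not replace either.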

4.6.6 Activity Auditing System administrators shall monitor the event logs created by information assets to ensure that

inappropriate behavior or potential intrusions are recognized and addressed.

At a minimum, activity logs shall be examined on a routine basis (daily is recommended) for

the following:

Failed logon attempts

Page 36: Ensono, LP Information Security Policyda.ks.gov/purch/Contracts/Default.aspx?getfile=...2016/12/08  · DRAFT v1.1 January 7, 2016 Jeff Von Deylen Chief Executive Officer DRAFT v1.1

© 2016 Ensono, LP. All Rights Reserved.

36

Attempts to use unauthorized privileges

All administration activity

Other significant events

A centralized logging solution shall be in place and monitoring conducted by E-SEC.

Automated systems that are capable of identifying and reporting on significant events shall be preferred for use over manual review of logs.
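As an added example (not part of the Ensono policy or any Ensono tooling), the routine review described above run as detection logic over a few constructed syslog-style lines; the event patterns, host and user names, and the threshold of three repeated failures from one source are assumptions for illustration.

```python
"""Daily activity-log review: group events into the categories the policy
names (failed logons, unauthorized privilege attempts, administration
activity, other events) and flag repeated failures from one source."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample lines in syslog style; hosts, users and addresses are made up.
SAMPLE_LOG = """\
Jan 20 08:01:12 app01 sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 5122 ssh2
Jan 20 08:01:15 app01 sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 5123 ssh2
Jan 20 08:01:19 app01 sshd[2104]: Failed password for root from 10.0.0.5 port 5125 ssh2
Jan 20 08:02:03 app01 sshd[2110]: Accepted publickey for jsmith from 10.0.1.20 port 4410 ssh2
Jan 20 08:05:41 app01 sudo: jsmith : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 20 08:10:09 app01 sudo: opsadmin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd svc_backup
Jan 20 08:11:30 app01 useradd[2200]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
Jan 20 08:15:02 app01 sshd[2105]: Failed password for root from 10.0.0.5 port 5130 ssh2
Jan 20 09:00:00 app01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Patterns for the event classes the review looks for (assumed log formats).
FAILED_LOGON = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
NOT_IN_SUDOERS = re.compile(r"sudo: +(?P<user>\S+) : user NOT in sudoers.*COMMAND=(?P<cmd>.+)$")
SUDO_OK = re.compile(r"sudo: +(?P<user>\S+) : TTY=.*COMMAND=(?P<cmd>.+)$")
ACCOUNT_CHANGE = re.compile(r"(?P<tool>useradd|userdel|usermod|groupadd|groupmod)\[\d+\]: (?P<detail>.+)$")
# Review-period threshold for repeated failures from one source (assumption for this example).
FAILED_LOGON_THRESHOLD = 3


@dataclass
class Review:
    failed_logons: list = field(default_factory=list)           # (user, source)
    unauthorized_privilege: list = field(default_factory=list)  # (user, command)
    admin_activity: list = field(default_factory=list)          # (actor, description)
    other: list = field(default_factory=list)                   # unmatched lines, for manual look


def classify_line(line: str, review: Review) -> str:
    """Put one log line into a category and return the category name."""
    if m := FAILED_LOGON.search(line):
        review.failed_logons.append((m["user"], m["src"]))
        return "failed_logon"
    # The sudoers refusal is checked before the successful-sudo pattern.
    if m := NOT_IN_SUDOERS.search(line):
        review.unauthorized_privilege.append((m["user"], m["cmd"].strip()))
        return "unauthorized_privilege"
    if m := SUDO_OK.search(line):
        review.admin_activity.append((m["user"], "sudo " + m["cmd"].strip()))
        return "admin_activity"
    if m := ACCOUNT_CHANGE.search(line):
        review.admin_activity.append((m["tool"], m["detail"].strip()))
        return "admin_activity"
    review.other.append(line)
    return "other"


def review_logs(text: str) -> Review:
    """Classify every non-empty line of a log extract."""
    review = Review()
    for line in text.splitlines():
        if line.strip():
            classify_line(line, review)
    return review


def repeated_failure_sources(review: Review, threshold: int = FAILED_LOGON_THRESHOLD) -> dict:
    """Sources with at least `threshold` failed logons in the review period."""
    counts = Counter(src for _user, src in review.failed_logons)
    return {src: n for src, n in counts.items() if n >= threshold}


def report(review: Review) -> str:
    """Render the daily review summary in the order the policy lists the categories."""
    lines = [f"Failed logon attempts: {len(review.failed_logons)}"]
    for src, n in sorted(repeated_failure_sources(review).items()):
        lines.append(f"  repeated failures from {src}: {n} (review/escalate)")
    lines.append(f"Unauthorized privilege attempts: {len(review.unauthorized_privilege)}")
    for user, cmd in review.unauthorized_privilege:
        lines.append(f"  {user} attempted: {cmd}")
    lines.append(f"Administration activity: {len(review.admin_activity)}")
    for actor, desc in review.admin_activity:
        lines.append(f"  {actor}: {desc}")
    lines.append(f"Other events (check for significance): {len(review.other)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(review_logs(SAMPLE_LOG)))
```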

4.6.7 Incident Reporting and Notification

System administrators shall be responsible for following Ensono’s Security Incident Response Plan when a security incident is identified.

Information Custodians shall be responsible for following Ensono’s Security Incident Response Plan when a security incident is identified.

4.7 MOBILE COMPUTING

4.7.1 Modems, Remote Access Devices, and Remote Access Software

Unauthorized network devices, such as modems or Wireless Access Points, shall not be connected to PCs, workstations, or laptops. When modem or out of band devices are authorized:

Modems or out of band devices are prohibited except when explicitly approved

Modems may not be used in the auto answer mode such that they are able to receive incoming dialup calls.

The use of devices and software that permits remote access to Ensono workstations from anywhere except from Ensono systems located on the internal Ensono network is prohibited.

Remotely connecting to Ensono owned devices from home computers or non-Ensono owned devices is prohibited.

4.7.2 Remote Access

All Ensono employees will be provided with remote access capability unless explicitly prohibited by their management. This privilege may be revoked at any time.

4.7.3 Mobile Devices

Ensono’s Mobile Handheld Usage Standard establishes the requirements for the approved use of mobile devices (including, but not limited to, smartphones, PDAs, and tablet computers) to connect to the Ensono corporate infrastructure and/or to access Ensono-owned or Ensono-managed data.


5 Asset Classification and Control

5.1 ASSET CLASSIFICATION AND CONTROL OBJECTIVES

To maintain appropriate protection of Ensono’s assets.

To ensure appropriate responsibility is identified.

To ensure an information classification level is assigned to all information assets.

To ensure all users understand Ensono’s classification levels.

To identify the default classification level for all information assets.

5.2 ACCOUNTABILITY FOR ASSETS

5.2.1 Inventory of Assets

Ensono shall maintain an accurate inventory of all information assets including, but not limited to, documentation, hardware and software. This inventory shall include all information necessary to recover from a disaster, including the following:

Asset identification

Hostname

IP address

Information Owner

Asset type

Tenant (where appropriate)

Location

Backup information

License information

Other information deemed necessary by Ensono leadership.

Each information asset shall have an identified Information Owner who is accountable for classification of the information asset, responsible for ensuring that the asset is part of documented inventory, and maintenance of related security controls as specified within the ISP.

5.2.2 Documentation

An inventory of all documentation including, but not limited to, system documentation, user manuals, training manuals, operational procedures, support procedures, continuity plans, fallback arrangements and archived information shall be maintained and documented by the identified Information Owner or Information Custodian and shall include the following:

Information Owner

Client Tenant (where appropriate)

Associated responsible Service Operations team

Classification

Physical location

5.2.3 Hardware Assets


An inventory of all hardware assets, including but not limited to computer equipment, communication equipment, network equipment, magnetic media, and optical media, shall be maintained and documented by the identified Information Owner and shall include a minimum of the following:

Information Owner

Configuration Item (CI) Owner

Host name

IP Address

Client Tenant (where appropriate)

Associated responsible Service Operations team

Classification

Device Type

Vendor (where applicable)

Physical location

5.2.4 Software Assets

An inventory of all software assets including, but not limited to, application software, system software, development tools, software utilities, and development code shall be maintained and documented by the identified Information Owner and/or their designee and shall include the following:

Information Owner

Configuration Item (CI) Owner

Client Tenant (where appropriate)

Associated responsible Service Operations team

Classification

Vendor (where applicable)

Software license (where applicable)

5.3 INFORMATION CLASSIFICATION

5.3.1 Ensono’s Classification Levels

Due to relationships with a large number of clients and the nature of our business environment, Ensono identifies classifications for information assets based in part on the type of disclosure allowed (e.g., no disclosure, limited disclosure, full disclosure, etc.).

There are four (4) primary levels of classification as identified in Table A as follows:

Table A: ENSONO INFORMATION CLASSIFICATION LEVELS

Classification Level: Description

PUBLIC: This classification applies to information that has been deemed appropriate for wide distribution by legal and marketing. Disclosure is supported and often encouraged.


Information that has been designated by Legal and/or Marketing as PUBLIC can be disclosed to anyone without formal management approval.

INTERNAL USE ONLY: This classification applies to information which cannot be considered PUBLIC due to the nature of the information, but is not of a sensitive nature that would harm Ensono should it be disclosed in an unauthorized manner (e.g., security standards, internal service offering documents, company practices such as PDO policy, etc.). For this type of information, encryption is preferred but not required. Disclosure of INTERNAL USE ONLY information requires a Non-Disclosure Agreement on file.

CONFIDENTIAL: This classification applies to information that is releasable to a limited number of employees and can be provided to a limited number of clients or customers who have a legitimate business need, and with whom Ensono has a Non-Disclosure Agreement (NDA) on file. Its unauthorized disclosure could seriously and adversely impact Ensono, its employees, and/or clients. The Information Owner must define who is authorized to access CONFIDENTIAL information by job role and/or account team.

RESTRICTED: This classification applies to information that is specific to Ensono, Ensono employees, or Ensono clients and is regulated or private and sensitive in nature (e.g., Protected Health Information, Personally Identifiable Information, or Ensono financial data). Unauthorized disclosure could result in harm to an individual; legal action against Ensono; regulatory fines; or breach of contract. Access to this information should be strictly controlled, provided only on a need-to-know basis, encrypted in transit and at rest, and protected by the highest level of security controls available.

5.3.2 Ensono’s Classification Guidelines

The following is provided to assist Information Owners when classifying information within their realm of responsibility:

All information assets shall be classified strictly according to their level of confidentiality, sensitivity, value and criticality.

All information assets shall be protected in a manner commensurate with their confidentiality, sensitivity, value and criticality.

Information Owners shall review their information and information assets annually to determine if the classification level has changed.

Information Owners shall work with members of the Audit & Compliance and Security teams to help educate users about classification levels.

5.3.3 Classification and Release of Security Related Documentation

Ensono security related documentation including, but not limited to, policies, standards, procedures and guidelines shall be classified as INTERNAL USE ONLY. Disclosure of such documents to any non-Ensono person shall require 1) completion of Ensono’s Non-Disclosure Agreement and 2) approval by Legal, Audit & Compliance and/or Security teams at each of these team’s discretion.

All users, unless appropriately authorized, shall be prohibited from disclosing information related to Ensono’s security posture or security practices.


5.4 INFORMATION LABELING

5.4.1 General Labeling Requirements

The default classification for any data (physical or logical) that is not officially labeled shall be CONFIDENTIAL as specified in Section 5.3.1, Table A.

Data housed within Ensono shall be labeled only as appropriate to support business processes, needs, or client requirements.

When information of different classifications is combined, the resulting information shall have a classification equal to the most restrictive classification.

The Information Owner, with guidance from the Audit & Compliance and Security teams, shall be responsible for identifying and designating the appropriate classification level for all information assets within their realm of responsibility.

All users that create, compile, alter or procure a new type of production information shall assign a classification consistent with the prior classification as specified by the Information Custodian.

The Audit & Compliance and Security teams shall be available to assist all Information Owners when appropriately classifying information assets.

With the exception of general business correspondence and copyrighted software, all externally-provided information which is not clearly in the public domain shall receive an Ensono classification level.

Department specific data classifications are permissible, but shall remain consistent with classification standards.

Client names and acronyms are prohibited for use, either directly or inferred, when labeling systems or devices unless the client specifically permits or requests such labeling of their dedicated systems or devices.

Inappropriate or vulgar labels, as defined by Ensono HR, are prohibited for use on Ensono owned or managed information systems.

5.5 INFORMATION HANDLING

5.5.1 General Controls

All information must be appropriately secured, as determined by criticality and classification of the information and/or contractual obligations, particularly when unattended during and after work hours.

Users handling INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED information shall be vigilant to make sure the information is not inadvertently disclosed to people who do not have a need to know.

Users shall cover or otherwise obscure INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED information on their desks or working areas when unauthorized persons are in the immediate area.

All Ensono employees that travel or work in public areas are required to use privacy screens to prevent unauthorized viewing of protected information.


Users shall enable screensavers to logoff/lock their workstation or take similar action if unauthorized persons are in a position to see their computer screen.

Information classified as INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED shall be protected from unauthorized disclosure at all times, including times when the information is not in use.

5.5.2 Reproduction

Reproduction of INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED information, including printing additional copies and making additional electronic copies, shall be prohibited unless specifically authorized by the Information Custodian.

Extracts, summaries, translations or derivatives of INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED information shall be strictly prohibited unless specifically authorized by the Information Custodian.

Information Custodians shall be authorized to make backup copies of information within the realm of their responsibility.

5.5.3 Remote Printing

Users shall not leave INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED information unattended on printers, copiers, or fax machines, unless the physical location of the device is physically protected such that unauthorized persons are not permitted to enter. This includes during and after work hours.

5.5.4 Storage

Information classified as INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED shall be securely stored physically when unattended during and after work hours to avoid unauthorized disclosure. This includes printed information, as well as information stored on laptops, removable electronic media, or mobile devices.

Currently, Ensono does not require that INTERNAL USE ONLY or CONFIDENTIAL information at rest be encrypted unless specified by legal, regulatory, or contractual requirements.

RESTRICTED data must be encrypted at rest in all scenarios except where it is not technically possible. Exceptions to this policy require Security approval.

5.5.5 Transport

Physical transport of INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED hard data shall require the use of a trusted courier as follows:

Ensono internal mail staff

U.S. Postal Service

UPS©

Federal Express©

Physical transport of INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED data shall require the information be enclosed within an opaque and sealed envelope or container.

All information classified as INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED which is stored on physical media, and transported to or from Ensono, must be encrypted.

In cases where transportation of unencrypted devices, such as servers or network devices, is required, a secure transport solution that conforms to a higher degree of security controls


should be employed. This solution must be approved by the Audit & Compliance and/or E-SEC.

5.5.6 Electronic Transmission

All information classified as INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED transmitted to or from Ensono via any public network must be encrypted.

5.5.7 Verbal Communication

All Ensono users shall be required to maintain confidentiality with regards to client data and information.

All communication related to a client or a client’s business shall be confined within an appropriate business environment and will not be accessible to users who are not specifically authorized to access communication regarding the client.

Ensono associates shall take extra care when travelling or in public spaces to ensure that confidential information is not discussed in an area that can be overheard by the public or unauthorized individuals.

Users shall be prohibited from communicating INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED information in such a way or in such an environment that it is known that inappropriate disclosure will occur.

5.5.8 Destruction

5.5.8.1 GENERAL DESTRUCTION REQUIREMENTS

All information shall be retained until such a time as it is no longer needed and has exceeded the documented retention period.

Users shall always destroy INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED information in such a way as to not compromise the classification level.

INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED information shall be destroyed according to approved methods as specified within the ISP.

5.5.8.2 DESTRUCTION OF PAPER INFORMATION

INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED information in paper form shall be shredded when no longer needed. The use of an Ensono approved shredding service (i.e. “shred bins”) is required.

Users shall be prohibited from disposing non-shredded INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED information in standard trash cans or recycle bins.

Remote workers are required to either shred documents in a manner that provides a certificate of destruction or ship the paper to an Ensono office for destruction. It is each associate’s responsibility to ensure paper is destroyed in accordance with Ensono policies.

Ensono information in paper form classified as PUBLIC may be disposed of at the associate’s discretion, but shredding is always preferred.

5.5.8.3 DESTRUCTION OF MEDIA INFORMATION


All Ensono information contained on USB drives, diskettes, magnetic tapes or other computer-related magnetic media that is intended to be reused for other purposes shall be permanently removed (e.g., degaussed or securely overwritten) prior to reuse.

All Ensono information contained on USB drives, diskettes, magnetic tapes or other computer-related magnetic media that is intended to be disposed shall either be permanently removed prior to disposal (e.g., degaussed or securely overwritten) or securely eradicated (e.g., shredded) in a manner that ensures complete destruction of the classified information.

All computing devices and electronic storage media shall be checked and verified to be free of 1) software licensed to Ensono and 2) any Ensono information prior to being discarded, disposed, or otherwise permanently removed from Ensono premises or permanently disconnected from Ensono’s enterprise services.


6 Communications and Operations Management

6.1 COMMUNICATIONS AND OPERATIONS MANAGEMENT OBJECTIVES

To ensure the correct and secure operation of business processes.

To minimize the risk of system failures.

To protect the integrity of software and information from damage by malicious software.

To maintain the integrity and availability of business processes and communication services.

To ensure the safeguarding of information in networks and the protection of the supporting infrastructure.

To prevent damage to assets and interruptions to business processes.

To prevent loss, modification or misuse of information exchanged between entities.

To ensure correct and appropriately-documented Information Security procedures for all processes related to Information Security identified at Ensono.

6.2 OPERATIONAL PROCEDURES AND RESPONSIBILITIES

6.2.1 General Controls

Each member of the Service Operations teams shall serve in the role of Information Custodian.

Each Information Custodian shall identify and document all processes within their area of responsibility.

Each Information Owner shall ensure Information Custodians maintain the system documentation for all processes within their area of responsibility.

Each Information Owner and custodian shall be responsible for working with E-SEC and the Audit & Compliance team to develop appropriate Information Security standards and procedures for all identified processes, to include appropriate operating instructions as well as incident response procedures.

Information Custodians shall work with applicable security teams to identify those areas within their realm of responsibility where segregation of duties should be implemented to reduce the risk of negligent or deliberate system misuse.

6.2.2 Documented Operating Procedures

Information Custodians shall be responsible for maintenance of Information Security related documented procedures and operations within their realm of responsibility.

All Information Security procedures shall be treated as formal documents and shall adhere to Ensono’s identified change management processes.

Information Security procedures shall include, to the extent possible, the following:

Instructions for handling errors or other unexpected conditions.

Support contacts.

Any special handling instructions.

System restart and recovery procedures.

Related information such as security standards, procedures and guidelines.

Information Custodians shall be responsible for documenting system maintenance procedures where applicable.


6.2.3 Change Management

Information Custodians shall be responsible for ensuring that all information assets within their area of responsibility are part of an identified change management system.

Formal change management procedures shall be implemented to ensure satisfactory control of all changes to equipment, software, code or applications.

For any change, audit logs containing relevant information shall be retained.

All significant changes shall be identified and recorded.

Any change to a controlled environment shall have a documented business reason prior to any change being made.

The Information Custodian shall assess the potential impact for any change to an information asset within their area of responsibility.

Changes shall always be communicated to all stakeholders.

All changes shall have documented procedures identifying responsibilities for aborting and recovering from unsuccessful changes.

Problem Management Procedures

Information Custodians shall be responsible for ensuring all computers or computing devices within their area of responsibility are part of an identified problem management system.

6.2.4 Security Incident Management

Security incidents shall be addressed and handled as specified within Section 8.4 Responding to Security Incidents.

6.2.5 Segregation of Duties

In order to reduce opportunities for unauthorized modification or misuse of information or information assets and maintain business operations, Ensono shall implement the concept of “separation of duties” to the extent possible.

A separation of duties shall exist between those that set policy, those that implement security controls, and those that oversee enforcement of security controls.

The separation of security administration and system administration shall be implemented to the extent possible.

Information Custodians shall be responsible for ensuring that supervision and/or audit trails exist for instances in which segregation cannot be achieved.

Individuals considered to be auditors or fulfilling auditing roles shall be independent from the organization being audited.

All efforts should be made to avoid scenarios that create or advance excessive control of environments by one individual.

6.2.6 Separation of Development and Production Environments

Development and production environments shall be separated and shall adhere to the following:

Development teams shall be restricted from administrative level access to production systems.

Development and production software shall be maintained on different systems where possible.


Development and production software shall be maintained on a logically separated network where possible.

Compilers, editors and other system utilities shall not be accessible from operational systems when not required.

Production data should not be used in development environments wherever possible.

Should production data be required in a development environment, all restricted data should be masked, truncated, or otherwise obfuscated.

6.3 SYSTEM PLANNING AND ACCEPTANCE

6.3.1 Capacity Planning

Information owners shall be responsible for working with Information Custodians to monitor and plan for capacity limitations and bottlenecks.

6.3.2 System Acceptance

Information Custodians responsible for production and development environments shall develop and document acceptable standards for integration of new systems into areas of their responsibility. Where applicable these standards shall include:

Error recovery, restart procedures and contingency plans.

Agreed set of security controls.

Effective manual procedures.

Business continuity arrangements.

Evidence that integration of a new system will not adversely affect existing systems.

Evidence that consideration has been given to the effect of the new system on overall security of the environment.

All systems being considered for use within a production or development environment shall be approved by the environment’s Information Owner as being acceptable prior to introduction or integration into said environment.

6.4 PROTECTION AGAINST MALICIOUS SOFTWARE

6.4.1 Controls against Malicious Code

Detection and prevention controls shall be implemented on Ensono’s information assets to protect against malicious code.

Non-Ensono equipment that connects to Ensono resources shall be subject to the same patch and endpoint (e.g., laptop, desktop, server, and other mobile and network devices or software) protection requirements as Ensono owned or managed equipment.


6.4.2 Malware Protection Policy

6.4.2.1 DUTY TO PROTECT

The Security team shall maintain a duty to protect Ensono users and assets from malicious code and threats. Updated and advanced technologies should be implemented, and malware protection policies, procedures, technologies, and practices updated and renewed as the threat landscape changes and technologies improve.

6.4.2.2 INTENTIONAL USER INVOLVEMENT WITH MALWARE PROHIBITED

Any activity with the intention to create and/or distribute malicious programs into Ensono’s network or onto any information asset shall be strictly prohibited.

Users shall be strictly prohibited from writing, generating, compiling, copying, collecting, propagating, executing or attempting to introduce any computer code designed to self-replicate, damage or otherwise hinder the performance of or access to any Ensono or Ensono client information asset.

6.4.2.3 MALWARE PROTECTION FOR FIREWALLS, SERVERS, AND WORKSTATIONS

Centrally-managed malware protection software shall be loaded, enabled, and active on all Ensono assets that support malware protection software.

6.4.2.4 NETWORK BASED MALWARE PROTECTION

Wherever feasible, network based malware protection controls should be implemented to offer additional layers of protection against malicious code. Technologies such as web and email content filtering, advanced threat solutions, or other such protection mechanisms should be incorporated into the overall malware protection strategy.

6.4.2.5 MALWARE PROTECTION FOR REMOTE WORKSTATIONS

Malware protection software shall be loaded, enabled, and active on all Ensono owned, managed, or supported workstations that remotely connect to Ensono’s network resources.

Non-Ensono workstations shall have malware protection software loaded, enabled and active prior to connecting to Ensono’s resources.

6.4.2.6 UPDATES FOR MALWARE PROTECTION SOFTWARE

Malware protection software and malware definition files shall be kept up-to-date on all devices that are required to have malware protection software.

Automatic updates of malware protection software and definitions shall be the preferred method for updates.


Users shall be responsible for timely updates of malware protection software and definitions on their workstations.

System administrators shall be responsible for timely updates of malware protection software and definitions for devices within their area of responsibility.

6.4.2.7 TRUSTED SOURCES

Software loaded on Ensono computers and networks shall come from trusted sources. Trusted sources include:

Business partners

Industry-recognized vendors

Commercial software vendors

Software downloaded from forums, shareware, public domain software or other software from untrusted sources shall be avoided and only implemented under controlled scenarios.

Software should never be installed or run from USBs or external drives. These sources should be considered untrusted at all times.

6.4.2.8 SCREENING OF SOFTWARE PRIOR TO USE

Prior to installing or running executable programs provided by third parties or by other Ensono departments, users shall scan those programs using malware scanning software.

Software source code provided by third parties or other Ensono departments shall be visually reviewed prior to compilation, and the resulting executable program shall be scanned with malware-checking software prior to installation or execution on any Ensono system.

Users shall be prohibited from bypassing a scanning process that could arrest the transmission of malware.

6.4.2.9 DECRYPTION OF FILES BEFORE CHECKING FOR MALWARE

All externally-supplied computer readable files (software programs, databases, word processing documents, spreadsheets, etc.) shall be decrypted prior to being subjected to the malware checking process.

6.4.2.10 REQUIRED USER RESPONSE TO SUSPECTED MALWARE INFECTION

All significant errors, incomplete processing and improper processing of production applications shall be promptly reported to the Ensono Service Desk, as they may be indicators of a malware infestation.

Users who become a victim of malware infection shall immediately report the infection to Ensono’s Service Desk.

Users shall be responsible for working with relevant members of Ensono’s technical teams to resolve malware infestations on their workstations.

6.4.3 Vulnerability Management Program


Vulnerability management is a necessary part of the overall security framework at Ensono. For the purposes of the ISP, Ensono defines a vulnerability detection solution as the automated process of proactively identifying vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited or threatened. Ensono considers vulnerability detection to be a part of a secured operating infrastructure, and as such, the following shall be adhered to:

6.4 .3 .1 GENERAL CONTROLS

Ensono shall maintain centrally supported and administered vulnerability

detection solutions.

All network connected systems, and devices where applicable, shall be

required to participate in Ensono’s corporate vulnerability detection

solution.

All new systems shall be scanned and remediated prior to being used to

conduct Ensono related business.

All systems being moved or transferred, from their current environment to

a new environment, shall be scanned and remediated prior to being

connected to the new environment. This includes development, test, and

production environments.

Any system, connected to Ensono’s infrastructure shall be subject to

additional vulnerability scans, as warranted by security or operational

necessity, at the request of members of Ensono’s Security team.

No vulnerability detection scan shall be considered complete unless a

useable report has been provided to the information asset’s Information

Owner, Information Custodian, or their designees.

Information Custodians are welcome to and strongly encouraged to

conduct vulnerability scans on systems prior to deployment in production

in accordance with change control and other such relevant policies and

Ensono practices.

Vulnerability detection scans on all Ensono-owned or managed systems

and devices must adhere to Ensono’s Vulnerability Management Program

Standard. The minimum frequency of these vulnerability scans must be

approved by Security.

Users shall be permitted to run independent vulnerability testing against

systems for which they are responsible. However, this shall not be

considered sufficient to protect Ensono, and shall not exempt any system

or device from participating in Ensono’s Vulnerability Management

Program.

Third parties are prohibited from conducting vulnerability assessment

activities except when explicitly approved by Security.

6.4.3.2 ADMINISTRATIVE CONTROLS

Security shall maintain overall responsibility for setup, administration, and maintenance of all centrally managed vulnerability detection systems deployed at Ensono locations.

Centrally managed vulnerability detection systems shall be updated on a regular basis. This regular basis shall be no less than once a week, or as new updates are available.

6.4.3.3 CONFIGURATION

All centrally supported vulnerability detection solutions shall be configured as follows:

Shall provide for a minimal number of false positives.

Shall provide non-intrusive scans, unless an intrusive scan has been requested by the system administrator and approved by the Information Owner or designee.

Shall allow system administrators to conduct scans within their individually identified timeframes.

Shall provide automation of scanning.

Shall provide adequate reporting mechanisms.

6.4.3.4 SECURITY AND USER INTERACTION WITH VULNERABILITY MANAGEMENT SYSTEMS

Detailed vulnerability scan results shall be classified as RESTRICTED.

Users shall be prohibited from viewing or accessing detailed vulnerability scan results for systems and/or devices for which they do not have a need to know.

Users who have not been designated by Security or Ensono Service Operations teams shall be prohibited from running vulnerability detection applications on or against systems for which they have not been provided permission by the information asset’s Information Owner.

6.4.3.5 REMEDIATION AND RESPONSIBILITY

Information Owners shall be responsible for ensuring that all information assets within their area of responsibility participate in Ensono’s identified vulnerability detection solution.

Information Custodians shall be responsible for providing notification of false positives to the vulnerability scanning administrators.

Upon notification of a vulnerability, Information Custodians are responsible for providing resolution in the timeframes defined in the documentation standards for the Ensono Vulnerability Management Program.

Information Custodians shall be responsible for working with members of Security and other appropriate technical resources to resolve identified vulnerabilities.

Corrective action plans shall be reviewed and approved by Security or an appropriate reviewer prior to implementation. Any review of a corrective action plan must occur in a timely manner that does not negatively impact the dates identified within the corrective action plan.

Security will oversee and report remediation status, at a minimum, on a quarterly basis.

6.4.3.6 ENFORCEMENT

Security will maintain a duty to protect Ensono assets from exploitation of vulnerabilities.

In order to protect Ensono’s business and clients, failure to resolve relevant vulnerabilities within the identified time frames may result in removal of a system or device from Ensono’s network without notification.

Compliance reviews of Ensono’s Vulnerability Management Program shall be conducted as a joint effort between Ensono’s Security and Audit & Compliance teams.

6.4.3.7 EXCEPTION PROCESS

Due to the nature of vulnerability detection systems, it is at times possible that the scanning process will adversely affect a machine. To that extent, exceptions can be requested for systems that are impacted by the vulnerability detection system. The exception process shall follow the standard process for all exception requests. Exceptions are reviewed and granted based upon the following:

Exception requests for a vulnerability detection scan shall be temporary.

All security and patch update controls shall be implemented as stated within the ISP.

All granted exception requests shall be based on the fact that the team requesting the exception will resolve all issues by a stated date.

All granted exception requests shall be based on the fact that the Information Custodian will work diligently to return to a normal operating environment, which includes recurring vulnerability detection scans.

The Information Owner will review, approve, and oversee exceptions relevant to the environments for which they are responsible.

6.4.4 Configuration and Patch Management Policy

All Ensono-owned or managed devices shall be periodically updated with vendor patches and system upgrades, where applicable.

Appropriate testing of patches/upgrades and change management procedures shall be followed for all applied patches and upgrades.

All Ensono-IT assets will be configured in a secure manner, centrally managed, and take advantage of the latest technology for implementing secure configurations.

Systems classified as “RESTRICTED” shall follow an industry accepted hardening procedure, such as the benchmarks provided by the Center for Internet Security (CIS).

In order to protect Ensono’s environment, failure to patch or update systems in a timely manner may result in removal of a system from Ensono’s network without notification.

6.4.5 Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS)

Security will maintain a duty to protect Ensono assets from exploitation of vulnerabilities by ensuring all detection solutions take advantage of the latest technology and offer multiple layers of detection.

All Ensono systems and devices shall be monitored by a centrally managed IDS/IPS solution.

Management of Ensono’s IDS/IPS solution shall be maintained by Security.

Information Custodians shall be responsible for ensuring that devices within their realm of responsibility, which are considered Ensono core business critical, participate in Ensono’s IDS/IPS solution.

Ensono shall use both host-based and network-based IDS/IPS solutions, where applicable.

IDS/IPS solutions shall be implemented and maintained to the minimum industry standard expectation.

6.5 BACKUP AND RESTORATION

6.5.1 Information Backup

Backup copies of essential Ensono business information and software shall be taken on a regular basis.

Adequate backup facilities shall be provided to ensure that all essential Ensono business information and software can be recovered following a disaster or media failure.

Backup arrangements for individual systems shall be regularly tested to ensure that they meet the requirements of the Business Continuity/Disaster Recovery (BC/DR) plans.

A minimum level of backup information, together with accurate and complete records of the backup copies and documented restoration procedures, shall be stored in a remote location at a sufficient distance to escape any damage from a disaster at the main site.

A minimum of at least three (3) cycles of backup information shall be retained for all important business applications.

Backup information shall be given the appropriate level of physical and environmental protections.

Backup media shall be regularly tested, where practicable, to ensure the media can be relied upon for emergency use when necessary.

Restoration procedures shall be regularly checked and tested to ensure they are effective and they can be completed within the time allotted.

Retention and archive standards shall be followed as specified in the ISP.

6.6 MEDIA HANDLING AND SECURITY

6.6.1 Management of Removable Computer Media

Ensono prohibits the use of writeable removable media in Ensono workstations for the general employee population.

Removable media includes but is not limited to: writable optical media, external portable storage devices, flash memory devices, MP3 players, tablets, PDAs, mobile phones, etc.

Employees will be permitted to use writeable removable media when the frequent use of such is required by their specific job responsibilities. All such cases must be individually documented and approved by a senior manager and Security through the ISP Exception Request Process.

6.6.2 Disposal of Media

Media shall be disposed of securely and safely when no longer required for business processes.

6.6.3 Security of System Documentation

Information Custodians shall be responsible for maintaining and securing all system documentation for systems within their realm of responsibility.

Access to system documentation shall be kept to a minimum, and access shall be authorized by the Information Custodian.

6.7 NETWORK SECURITY AND MANAGEMENT

6.7.1 Restriction on Physical Access to Ensono’s Network

Access to Ensono’s network infrastructure shall be explicitly denied unless specifically authorized.

All physical connections to Ensono’s network shall be managed and shall be disabled when not in use.

Managers shall be responsible for notifying network personnel when physical connections are no longer needed.

6.7.2 Requirements for the Security of Ensono’s Network

All Ensono clients shall be segmented by stateful inspection firewalls, and only the minimum services shall be permitted in and out of client environments.

All software installed on network-attached devices shall be maintained at a level supported by the vendor.

Operational responsibility for network assets shall be separated from network security operations where appropriate.

Personnel responsible for the management of network components must have defined roles and responsibilities. All personnel must be made aware of the responsibility of securing network components.

Security will maintain oversight of the secure operation of all network devices.

All assets connected to Ensono’s network shall have an identified and documented Information Custodian. Information Custodians responsible for network assets shall work with appropriate teams to identify and document relevant Information Security standards for all network assets.

Information Custodians responsible for network assets shall implement and maintain necessary security controls for Ensono’s network assets.

Where necessary and required by regulatory or contractual requirements, special controls shall be implemented to safeguard the confidentiality and integrity of data passing over public networks.

Network and network-related asset design, implementation, administration, maintenance and decommission shall take security into consideration during all phases of each network asset life cycle.

Detailed information related to Ensono’s network shall be classified as INTERNAL USE ONLY.

Access to or disclosure of network-related information shall be strictly prohibited and shall require appropriate authorization prior to disclosure.

All information assets used to manage, pass or filter network traffic shall be maintained within an appropriately physically secured location.

Firewalls, demilitarized zones (DMZs) and proxy servers shall be implemented where necessary to protect Ensono business processes.

All users shall be required to authenticate themselves at a firewall prior to establishing a real time connection with any Ensono internal information asset over the Internet.

With the exception of telecommuters and mobile computer users, all users shall be required to authenticate to the Internet through Ensono proxy servers.

All users shall be prohibited from establishing Internet or other external network connections to Ensono’s internal network which could allow a non-Ensono user access to Ensono systems.

All users shall be prohibited from using new or existing internet connections to establish new business channels prior to approval from relevant security teams, Security, Marketing, and the Chief Legal Officer.

The use of remote control software shall be strictly prohibited, and such software shall be prohibited from connecting into Ensono’s network or to Ensono’s network assets from a public network without approval from Security through the ISP Exception Request Process.

Ensono’s standard desktop firewall software shall be installed and active on all Ensono-owned or managed workstations (e.g., desktops and laptops).

6.7.3 Requirements for Network Management

Network Management teams will maintain a duty to innovate to provide Ensono the highest degree of service and protection.

Naming conventions for devices located on Ensono’s network shall be subject to approval from relevant information owners, custodians, and the Risk Management Committee.

An asset management process shall be in place that ensures an inventory of network devices is maintained that includes, at a minimum, IP subnet designation, hostnames, owner, and other relevant information.

Traffic present on Ensono’s network shall be restricted and shall originate or terminate on assets that are authorized to be on Ensono’s network.

Information Custodians responsible for network assets shall work with appropriate teams to document relevant operational procedures for all network assets.

Network device audit logs shall be enabled and stored in a centrally managed log management solution and reviewed and/or monitored by E-SEC.

Network assets shall be, at a minimum, maintained to applicable industry standards.

Network diagrams must be kept current and describe how networks are configured as well as identify the location of all network devices.

6.7.4 Network Firewall Standard

6.7.4.1 FIREWALL GENERAL SECURITY CONTROLS

Firewall devices shall be stationed at all points of entry into Ensono’s network.

Firewall devices shall be established between any trusted and non-trusted network.

Firewalls shall exist as a dedicated system or device and shall be prohibited from performing any function other than firewall-related tasks.

Firewall devices shall, at a minimum, meet or exceed all vendor hardware specifications.

All firewall devices which are in production shall have a backup device or system fully capable of fulfilling the obligations of the primary firewall in case of an emergency or failure.

Firewalls shall be configured as “default deny.”

Firewall policies and perimeter protection device configurations will be reviewed quarterly by Security and Audit & Compliance teams.

6.7.4.2 IDENTIFIED RESPONSIBILITY

Ensono Network teams are responsible for all management of, changes to, updates to, or modifications of all firewall devices managed or owned by Ensono. Security and Audit & Compliance teams will review and approve all significant modifications that may affect Ensono assets.

Ensono Network Teams shall be responsible for working with relevant teams to identify and document all necessary technical standards for firewall devices. This includes both devices currently in use, as well as devices that are under consideration for use.

Ensono Network Teams shall be responsible for working with relevant teams for creation, maintenance and administration of any procedure or relevant documentation related to firewall devices.

6.7.4.3 FIREWALL CONFIGURATION

All firewall devices shall be configured to explicitly deny all traffic and services on all ports not specifically authorized.

All openings through a firewall device shall have documentation supporting the opening and will contain the following information:

Business unit requesting change

User requesting change

Business reason supporting change

Managerial approval

All firewall devices, in the event of a failure, shall be configured to “default deny” for all network traffic until such a time as the appropriate administrator re-enables all services.

All firewall devices shall deny all traffic on an external connection that appears to have originated from an internal network address.

Intrusion Detection and/or Advanced Threat solutions shall monitor all firewall devices owned or managed by Ensono.

Firewall configurations shall implement secure configurations including but not limited to the following:

Authentication through centralized directory services and restriction on local accounts

Consistent, standard, and centrally managed build configurations

Backup and restoration procedures

Logging of all “Accepts” and “Denies”

Implementation of advanced features, such as Layer 7 controls or Intrusion Detection/Prevention features

Firewall configurations will be reviewed and approved by Security.
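The following is an added illustration, not Ensono's code or configuration, of how the rules in 6.7.4.3 fit together in a single packet decision: a documented opening is the only way to an ACCEPT, everything else falls to default deny, a packet arriving on the external interface with an internal source address is denied before any opening is consulted, every accept and deny is logged, and a failed device denies everything until an administrator re-enables it. The address plan (10.0.0.0/8 and 192.168.0.0/16 as "internal"), the interface name `wan0`, and the change record `CHG-PLACEHOLDER-001` are constructed for the example.

```python
import ipaddress
import logging
from dataclasses import dataclass
from typing import List

# Added illustration (not Ensono's code) of the firewall behaviour the policy
# requires: documented openings, default deny, anti-spoofing on the external
# interface, a log record for every accept and deny, and fail-closed on failure.

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("fw-audit")

# Constructed address plan and interface name (assumptions, not from the ISP).
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]
EXTERNAL_IFACE = "wan0"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Opening:
    """One documented opening; the change record stands in for the business
    unit, requester, business reason and approval the policy requires."""
    dst: str          # destination network, e.g. "203.0.113.10/32"
    dport: int
    proto: str
    change_record: str

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto and pkt.dport == self.dport
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


class Firewall:
    def __init__(self, openings: List[Opening]):
        self.openings = openings
        self.healthy = True          # cleared on failure: policy says default deny
        self.audit: List[str] = []   # every decision, accepts and denies alike

    def decide(self, pkt: Packet) -> str:
        if not self.healthy:
            action, reason = "DENY", "device failure: default deny until re-enabled"
        elif pkt.iface == EXTERNAL_IFACE and any(
                ipaddress.ip_address(pkt.src) in n for n in INTERNAL_PREFIXES):
            # Anti-spoofing runs before any opening is consulted, so a permitted
            # port cannot be reached with a forged internal source address.
            action, reason = "DENY", "internal source address on external interface"
        else:
            hit = next((o for o in self.openings if o.matches(pkt)), None)
            if hit:
                action, reason = "ACCEPT", f"opening {hit.change_record}"
            else:
                action, reason = "DENY", "default deny: no documented opening"
        entry = f"{action} {pkt.iface} {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport} ({reason})"
        self.audit.append(entry)
        log.info(entry)
        return action


def demo() -> List[str]:
    """Run constructed packets through one documented opening; return the actions."""
    fw = Firewall([Opening("203.0.113.10/32", 443, "tcp", "CHG-PLACEHOLDER-001")])
    pkts = [
        Packet("wan0", "198.51.100.7", "203.0.113.10", 443),  # matches the opening
        Packet("wan0", "198.51.100.7", "203.0.113.10", 22),   # no opening: default deny
        Packet("wan0", "10.1.2.3", "203.0.113.10", 443),      # forged internal source
    ]
    actions = [fw.decide(p) for p in pkts]
    fw.healthy = False                                        # simulate a device failure
    actions.append(fw.decide(pkts[0]))                        # same packet, now denied
    return actions


if __name__ == "__main__":
    print(demo())
```

The ordering inside `decide` is the point: the third packet would match the documented 443 opening, and only the anti-spoofing check placed ahead of the openings keeps it out. The `audit` list models the "Logging of all Accepts and Denies" requirement; a real deployment would ship these records to the central log platform the policy describes.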

6.7.4.4 FIREWALL ADMINISTRATION

Appropriate firewall documentation shall be maintained in offline storage. This includes, but is not limited to, diagrams, IP addresses and configurations.

Firewall documentation shall not be stored on the firewall device.

All changes to a firewall device shall be consistent with Ensono’s change management practices as specified within the ISP.

All firewall devices shall be tested for vulnerabilities and configuration problems prior to introduction into a production environment.

Administrative access to firewall devices shall be limited to authorized and approved firewall administrators.

Administrative access to firewall devices shall be restricted to only allow access through an internal network connection or through physical access.

Remote access to a firewall over a public network shall require encryption and strong authentication.

Whenever applicable, all firewall administrators shall receive periodic training on firewalls and network security practices.

In the event that access through a firewall includes authentication based on source address, authentication shall be combined with other security schemes to protect against IP spoofing attacks.

All firewall devices shall have security patches and updates implemented in a timely manner.

All employees tasked with monitoring firewall devices shall subscribe to external advisories.

6.7.4.5 PHYSICAL SECURITY

All firewall devices shall be located in physically-secured rooms.

All locations that house firewall devices shall have monitoring and logging capabilities.

Access to rooms which house firewall devices shall be restricted to authorized personnel whose access is necessary to conduct a business function.

6.7.4.6 LOGGING AND AUDITING

Log files shall be enabled on all firewall devices and centrally stored and monitored by Security.

All log files shall comply with the standards specified within the ISP.

All log files for all firewall devices shall be maintained and stored for review for a minimum of one (1) year.

6.7.5 Router and Switch Security Standards

6.7.5.1 ROUTER AND SWITCH GENERAL SECURITY CONTROLS

All routers shall be required to use a centralized access control system for all user authentications.

Local user accounts shall be restricted on all routers managed or owned by Ensono, and shall be used only when TACACS is not available.

Local user accounts shall adhere to Ensono’s password requirements.

IP directed broadcasts shall be disallowed.

Incoming packets sourced with invalid addresses shall be disallowed.

TCP small services shall be disallowed.

UDP small services shall be disallowed.

Source routing shall be disallowed.

Web services running on a router shall be disallowed.

SNMP community strings shall adhere to Ensono’s password requirements.

Routers and switches shall apply secure configurations and be managed centrally.

Configurations will be reviewed and approved by Security or Audit & Compliance teams.
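The controls above map onto specific configuration lines on a Cisco IOS router, which makes the "reviewed and approved" step something that can be checked mechanically. The script below is an added example, not Ensono's tooling, that audits an IOS-style running-config against each control in 6.7.5.1. The sample config is constructed (hostname, addresses, placeholder secrets); the command names are standard IOS. Three thresholds are assumptions standing in for requirements the ISP defines elsewhere: a 12-character minimum for SNMP community strings, rejection of the vendor defaults `public` and `private`, and at most one local fallback account. Unicast RPF is used as one accepted way of meeting the "invalid source addresses" control; an ingress ACL would be another.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not Ensono's own tooling: audits an IOS-style running-config
# against the router controls in 6.7.5.1. Command names are standard Cisco IOS;
# the three constants below are assumptions standing in for Ensono's password
# requirements and local-account limit, which the ISP does not spell out here.
MIN_COMMUNITY_LEN = 12                       # assumption
DEFAULT_COMMUNITIES = {"public", "private"}  # well-known vendor defaults
MAX_LOCAL_ACCOUNTS = 1                       # assumption: one fallback account

# Constructed sample config; no real device, all secrets are placeholders.
SAMPLE_CONFIG = """\
hostname rtr-edge-01
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.0.0.5 key PLACEHOLDER
username breakglass secret 9 PLACEHOLDER-HASH
username jdoe secret 9 PLACEHOLDER-HASH
no service tcp-small-servers
no service udp-small-servers
ip http server
no ip http secure-server
snmp-server community public RO
snmp-server community Xk9rT2pLq8Wn4vB RO 10
!
interface GigabitEthernet0/0
 description uplink
 ip address 203.0.113.1 255.255.255.0
 ip verify unicast source reachable-via rx
 no ip directed-broadcast
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip directed-broadcast
!
end
"""


@dataclass
class Finding:
    control: str
    status: str   # "PASS" or "FAIL"
    detail: str


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return global commands and the sub-commands of each interface block."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line)
    return globals_, interfaces


def audit(text: str) -> List[Finding]:
    g, ifaces = parse_config(text)
    out: List[Finding] = []

    def add(control: str, ok: bool, detail: str) -> None:
        out.append(Finding(control, "PASS" if ok else "FAIL", detail))

    # Centralized authentication: TACACS+ first, local only as the fallback.
    login = [l for l in g if re.match(r"aaa authentication login \S+ group tacacs\+( local)?$", l)]
    add("centralized authentication", "aaa new-model" in g and bool(login),
        login[0] if login else "no TACACS+ login method list")
    users = [l.split()[1] for l in g if l.startswith("username ")]
    add("local accounts restricted", len(users) <= MAX_LOCAL_ACCOUNTS, f"local accounts: {users}")
    # Controls met by the ABSENCE of the enabling command (IOS defaults them off).
    for control, pattern in (("TCP small services disabled", r"service tcp-small-servers"),
                             ("UDP small services disabled", r"service udp-small-servers"),
                             ("web services disabled", r"ip http (secure-)?server")):
        bad = [l for l in g if re.fullmatch(pattern, l)]
        add(control, not bad, "; ".join(bad) or "not enabled")
    # Source routing is on by default in IOS, so the explicit 'no' must be present.
    add("source routing disabled", "no ip source-route" in g, "requires 'no ip source-route'")
    bad_ifaces = [n for n, ls in ifaces.items() if "ip directed-broadcast" in ls]
    add("IP directed broadcast disabled", not bad_ifaces, f"enabled on: {bad_ifaces}")
    # Unicast RPF is one accepted way to drop packets with invalid source addresses.
    urpf = [n for n, ls in ifaces.items()
            if any(l.startswith("ip verify unicast source reachable-via") for l in ls)]
    add("invalid source addresses dropped", bool(urpf), f"uRPF on: {urpf}")
    for l in g:
        m = re.match(r"snmp-server community (\S+)", l)
        if m:
            c = m.group(1)
            add("SNMP community meets password requirements",
                len(c) >= MIN_COMMUNITY_LEN and c.lower() not in DEFAULT_COMMUNITIES, f"community '{c}'")
    return out


def failed_controls(text: str) -> List[str]:
    """Names of the controls a config fails, in audit order."""
    return [f.control for f in audit(text) if f.status == "FAIL"]


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.status:4} {f.control}: {f.detail}")
```

Two details matter when writing checks like these: some controls are satisfied by the absence of a command (`service tcp-small-servers`, `ip http server`) because IOS defaults them off, while others require an explicit negation to be present (`no ip source-route`) because the default is on. Auditing the text of the running-config catches both only if each check knows which kind it is.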

6.7.6 Wi-Fi Networks and Devices

6.7.6.1 RESTRICTIONS ON USE OF WI-FI DEVICES

Ensono prohibits the operation of Wi-Fi networks and devices that have not been approved or implemented by Ensono Service Operations teams. This includes implementation at any location or facility managed, owned or leased by Ensono.

All Wi-Fi networks and associated configurations shall be reviewed and approved by Security.

Security or designee shall be authorized to use scanners and other similar tools to monitor for rogue access points, networks, and other wireless devices. Wireless Intrusion Detection/Prevention and other monitoring tools shall be implemented.

Any unauthorized device detected by scanning or identified through physical means as being used while on Ensono premises shall be deactivated and can be removed or confiscated by an authorized security administrator.

6.7.6.2 WI-FI SECURITY REQUIREMENTS FOR EMPLOYEE ACCESS

Where it is deemed appropriate by senior management, Ensono Service Operations teams may deploy secured Wi-Fi networks for employee access to internal Ensono networks. Such networks should always be configured and managed to current industry best practices and should at a minimum meet the following requirements:

Unless prohibited by job function, duties, or contractual/regulatory requirements, all Ensono employees with a valid and functional Ensono Active Directory account shall be permitted to use these approved networks.

All users connecting to Wi-Fi networks must be authenticated, and the ability to track each device to a user must be maintained.

Individuals who are not Ensono employees shall not be permitted to access these Wi-Fi networks.

All approved device configurations will be reviewed by Security or Audit & Compliance teams on a periodic basis to maintain adherence to industry best practices.

All access to such Wi-Fi networks must be validated by at least two-factor authentication methods.

The strongest industry standard Wi-Fi authentication and encryption protocols must be used at all times. Devices and networks that cannot do so are not permitted.

6.7.6.3 WI-FI SECURITY REQUIREMENTS FOR GUEST ACCESS

Where it is deemed appropriate by senior management, Ensono Service Operations teams may deploy secured Wi-Fi networks for guest access to the internet. Such networks should always be configured and managed to current industry best practices and should at a minimum meet the following requirements:

Unless prohibited by job function, duties, or contractual/regulatory requirements, all Ensono employees with a valid and functional Ensono Active Directory account shall be permitted to use these approved networks.

Devices permitted to access such networks must be identifiable to the individual owner.

Guest access permission must be revoked after 24 hours.

Access for periods of time longer than 24 hours may be granted to individuals with long-term contractor status. Such access shall not exceed the term of the contract or 90 days, whichever is shorter.

The strongest industry standard Wi-Fi authentication and encryption protocols must be used at all times. Devices and networks that cannot do so are not permitted.

Guest networks may never allow direct connectivity to Ensono’s internal networks.

6.7.7 Remote Access Standard

6.7.7.1 GENERAL CONTROLS FOR CENTRALIZED REMOTE ACCESS SOLUTIONS

Remote access to Ensono’s network, or any device contained on Ensono’s network, shall be provided through a secured system or through a VPN connection and shall require at least two-factor authentication.

Remote access connections to Ensono’s network or individual network devices which do not pass through approved firewalls or secure authentication servers shall be strictly prohibited and, prior to implementation or use, shall require approval from Security through the ISP Exception Request Process.

All inbound remote access connections shall require, at a minimum, the use of a dynamic password system which is approved by relevant security teams and Security.

Auditing and logging of significant events shall be enabled, stored centrally by Security, and monitored for all remote access connections.

6.7.7.2 GENERAL CONTROLS FOR DIRECT INWARD DIAL SOLUTIONS (NON-CENTRALIZED)

Information Owners shall maintain responsibility for identifying and documenting all modems or similar devices that allow remote access to devices or systems that are within their area of responsibility.

Externally connected modems or modem-like devices shall be labeled with the appropriate Information Owner’s contact information.

Information Owners shall maintain an updated list of all accounts that access a direct inward dial system connected to, or allowing access to, devices or systems within their area of responsibility.

6.7.7.3 SECURITY OF DIRECT INWARD DIAL SOLUTIONS (NON-CENTRALIZED)

User accounts used to remotely access Ensono resources shall be approved, in writing or electronic format, prior to use of a dial-in account.

Passwords for user accounts used to remotely connect to Ensono’s information resources shall comply with Ensono’s password policy.

Auditing and logging of significant events shall be enabled and monitored for all systems and devices configured to allow dial-in capabilities.

Access to a dial-in solution shall require, at a minimum, UserID/password authentication.

Direct inward dial shall be disabled when not in use. This includes hardware and/or software disabling.

Systems administrators shall be notified prior to remote connectivity occurring on Ensono systems or devices.

6.8 SYSTEM CONFIGURATIONS

6.8.1 Server and Mainframe Security Standard

6.8.1.1 SERVER AND MAINFRAME GENERAL SECURITY CONTROLS
Naming conventions for servers and mainframes shall be subject to approval from relevant Information Custodians and Security.

Asset management records shall include, at a minimum, hostname, IP address, owner, description, and security classification.

All software installed on centrally managed servers and mainframes shall be maintained at a level supported by the vendor.

Each server and mainframe shall have an identified and documented Information Owner.

The Information Custodian shall be responsible for providing relevant technical information to the NOC, EOC, Security, Audit and Compliance team, and other relevant teams.

The Information Custodian shall be responsible for ensuring that systems within their area of responsibility are placed within Ensono’s vulnerability detection process.

The Information Custodian shall be responsible for ensuring systems within their area of responsibility are part of an accurate inventory.

All implemented systems shall meet or exceed vendor-recommended minimum hardware requirements.

Detailed information pertaining to the configuration of a server or mainframe, to include information received from vulnerability scans, shall be classified as INTERNAL USE ONLY, and shall require appropriate authorization prior to any disclosure.

All systems, within both production and development environments, shall be designed, commissioned, implemented, maintained, modified and decommissioned in a standardized, documented fashion designed to protect and secure Ensono information resources.

All system access shall be explicitly denied unless specifically allowed.

All TCP/UDP ports shall be explicitly disabled unless specifically needed.

All user access to a system shall require, at a minimum, a user account/password pair for authentication.

System audit logs shall be enabled and reviewed on all systems in a centrally managed system monitored by E-SEC.

User access logs shall be enabled and reviewed on all systems.

All systems used to conduct business processes shall be maintained within an identified Ensono data center.

All systems shall be hardened as specified by industry standards or legal agreements.

Externally facing systems or systems designated as RESTRICTED are required to implement secure configurations as provided by the Center for Internet Security (e.g. CIS Benchmarks).

All systems shall be maintained to industry standards, where applicable, based on business need.

All systems shall be configured to restrict the chances of, or opportunities to use, an alternate boot device.

All systems shall be verified to be free of unacceptable vulnerabilities prior to implementation into Ensono’s environment.


6.8.1.2 SERVER AND MAINFRAME MALWARE PROTECTION AND PATCH CONTROLS

All systems, where applicable, shall have centrally managed malware protection software loaded, active and enabled.

All systems that have centrally managed malware protection software installed shall comply with Ensono’s malware protection controls.

All systems shall be subject to scans by Ensono’s internal vulnerability detection scanner.

All systems shall have patches and updates applied in a timely manner.

6.8.1.3 SERVER AND MAINFRAME CHANGE MANAGEMENT

All changes to systems, both in production and development, shall be part of an identified change management program.

6.8.1.4 SERVER AND MAINFRAME SYSTEM DIAGNOSTIC DATA

When system diagnostic data must be shared with a 3rd party vendor, it must be transported by secure means approved by E-SEC.

When diagnostic data is written to an external USB storage device, the USB storage device must be an approved device and must be tracked using a chain of custody methodology or other such process that is tracked and maintains an audit trail.

All diagnostic data shall be deleted from USB storage devices once no longer needed.

6.8.2 Workstation Security Standard

6.8.2.1 WORKSTATION GENERAL SECURITY CONTROLS

Workstations will apply secure configurations which will be reviewed and approved by the Security, Audit, and/or Compliance teams.

All software installed on workstations shall be maintained at a level supported by the vendor.

All workstation access shall be restricted to authorized users.

All workstations will be tracked in a centrally managed asset management solution.

All workstations shall have malware protection software loaded, enabled and active.

All workstations shall apply operating system and third-party patches on a timely basis.

All workstations shall be designed, commissioned, implemented, maintained, modified and decommissioned in a standardized, documented fashion, designed to protect and secure Ensono information resources.

All workstations shall be updated and maintained to industry standards where applicable, based on business need.


All users shall be prohibited from modifying, changing, removing or circumventing security controls implemented by designated workstation administrators, network system administrators or domain administrators.

All workstations shall have a logon banner specifying that unauthorized use is prohibited.

All Information Custodians shall maintain an accurate inventory of workstations within their area of responsibility.

All workstations shall be configured with a password-protected BIOS.

All workstations shall be configured to restrict the chance of, or opportunity to use, an alternate boot device.

Any end user system used to connect to Ensono’s network infrastructure shall be required to have the latest updates and security patches applied, as well as malware protection software loaded, enabled, active and updated, prior to connecting to Ensono’s network assets.

All Ensono-provided workstations shall be a member of an Ensono corporate domain.

6.8.3 Email Standard

6.8.3.1 EMAIL GENERAL SECURITY CONTROLS

Use of Ensono corporate email systems shall be considered “pre-approved” for all employees.

The use of non-Ensono email systems (e.g., Hotmail®, Yahoo!®, AOL®, etc.) for business-related correspondence shall be strictly prohibited, due to the inherent security vulnerabilities of those systems as well as a lack of adequate retention capabilities. The use of a non-Ensono email system shall be permitted only when Ensono’s system is not readily available, and the business issue is too urgent to wait until the corporate system becomes available. Whenever a non-Ensono email system is used for business-related purposes, there must be no RESTRICTED or CONFIDENTIAL content unless it is encrypted prior to transmission.

Ensono shall protect, maintain and retain corporate email systems including, but not limited to, all corporate relevant data, mailboxes or any other information contained within corporate email systems.

Ensono’s email systems shall be protected as deemed necessary by Ensono’s identified administrators.

All external communications with clients shall be encrypted using TLS 2.0 or later.

6.8.3.2 USER MAILBOX CONFIGURATION

All user mailboxes shall have a valid X.400 address.

Users shall be restricted to two (2) valid SMTP addresses, of which one must conform to the identified standard naming convention.

The mailbox alias shall be the domain user ID.

Identification fields shall adhere to standard naming conventions.

The global address list shall have only one address entry per Ensono user.


6.8.3.3 EMAIL DISTRIBUTION LISTS

Email administrators shall be responsible for creating, renaming and deleting distribution lists.

Each distribution list shall have an identified owner who is solely responsible for the distribution list memberships.

The display name for a distribution list shall adhere to the following format:

Alias – short description

6.8.3.4 RESOURCE MAILBOXES

Exchange administrators shall be responsible for creating, renaming and deleting resource mailboxes, including calendar resources, team mailboxes, etc.

Each resource mailbox shall have an identified owner who is solely responsible for permissions to any and all folders contained within their resource mailbox.

The display name for a resource mailbox shall adhere to the following format:

Alias – short description

6.8.3.5 EMAIL CUSTOM RECIPIENTS

In the event it is necessary to add a customer’s email address to an Ensono global distribution list, the following shall be followed:

Display names for custom recipients shall be added using the following format:

Last_First – Last First (Company)

These display names shall be created within the Customer Addresses container of the Exchange Administrator.

6.9 EXCHANGES OF INFORMATION AND SOFTWARE

6.9.1 Information Confidentiality

Information classified as INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED, either implied as such or specifically identified as such by contract or other means, should be protected from unauthorized or unintended release or disclosure. All users shall adhere to the following:

Information classified as or known to be CONFIDENTIAL or RESTRICTED, either formally or informally, shall be restricted from disclosure, transferal or sale to any non-Ensono party.

Ensono’s Marketing team shall maintain responsibility for final approval of disclosure of any information formally or informally classified as PUBLIC.

All exchanges of software and/or data between Ensono and any third party, not strictly related to a business purpose, shall be prohibited unless a written agreement has been signed.

All written agreements for the exchange of software and/or data shall, at a minimum, contain the following:

Terms of the exchange


Date/Period of the agreement

Software/Data handling agreements

Software/Data protection agreements

Information classified, either formally or informally, as RESTRICTED or CONFIDENTIAL shall be restricted from transport or transfer across any public network unless appropriately encrypted.

All encryption solutions used to transport or transfer information classified as RESTRICTED or CONFIDENTIAL shall comply with the ISP.

6.9.2 Information Reliability

All information received, downloaded or acquired from a public network source should be considered suspect until verified and authenticated by a second source. To that extent, the following should be adhered to when accessing information from a public network:

All non-text files downloaded from a non-Ensono source via the Internet or a public network shall be screened with Ensono-approved malware protection software prior to being used or installed on Ensono-owned or managed information resources.

Information, software or programs downloaded from a non-trusted source shall be tested on a standalone, non-production machine prior to introduction into Ensono’s corporate network.

Downloaded files that are compressed and/or encrypted shall be uncompressed and/or decrypted prior to screening with malware detection software.

Automatic updating of software or information on Ensono computers via “background push” internet technology shall be prohibited on all Ensono information resources unless Security has approved the vendor.

The identity of individuals and/or organizations shall be verified prior to being engaged for business purposes.

All users shall be prohibited from misrepresenting, obscuring, suppressing or replacing another Ensono user’s identity on the Internet or any Ensono information resource.

All users shall be prohibited from establishing new Internet Web pages dealing with Ensono business or making modifications to existing Web pages dealing with Ensono business unless done in compliance with Ensono policies and applicable contract requirements.

All users shall be prohibited from modifying, hot linking to, updating, altering or otherwise changing existing web pages that deal with Ensono business without approval from Ensono’s Marketing team.

6.9.3 Public Representation

Ensono employees shall be allowed to indicate their affiliation with Ensono when conducting personal business online, to the extent that:

Opinions or statements, including but not limited to political advocacy statements and product/service endorsements presented in conjunction with an affiliation with Ensono, shall also contain notification that the opinions or statements presented do not necessarily reflect Ensono’s position.

All representations on behalf of Ensono, with the exception of ordinary marketing and customer service activities, shall be approved by Ensono’s Marketing team prior to release to the public.


Ensono employees shall be prohibited from libel, defamation of character, flaming or other similar written attacks, or other conduct creating legal problems, whenever an affiliation with Ensono is associated with the post.

Ensono employees shall be prohibited from making threats against, harassing, annoying or alarming another user or organization over the Internet.

Ensono shall reserve the right to require the removal of inappropriate Internet postings or messages created by Ensono employees which include an affiliation with Ensono.

Inappropriate postings are as follows:

Cursing or other foul language

Statements that contain non-business related information or that could be viewed as harassing others based on:

Race

Creed

Color

Age

Sex

Physical or mental disability

Sexual orientation

Political statements

Religious statements

National origin

Military status

Public posting of Ensono or client confidential information on public forums is strictly prohibited.

The decision to remove a posting shall be the responsibility of Ensono management and/or Human Resources.


7 Firewall General Security Controls

Firewall devices shall be stationed at all points of entry into Ensono’s network.

Firewall devices shall be established between any trusted and non-trusted network.

Firewalls shall exist as a dedicated system or device and shall be prohibited from performing any function other than firewall-related tasks.

Firewall devices shall, at a minimum, meet or exceed all vendor hardware specifications.

All firewall devices which are in production shall have a backup device or system fully capable of fulfilling the obligations of the primary firewall in case of an emergency or failure.

Firewalls shall be configured as “default deny.”

Firewall policies and perimeter protection device configurations will be reviewed quarterly by Security and Audit & Compliance teams.

7.1.1.1 IDENTIFIED RESPONSIBILITY

Ensono Network teams are responsible for all management of, changes to, updates to, or modifications of all firewall devices managed or owned by Ensono. Security and Audit & Compliance teams will review and approve all significant modifications that may affect Ensono assets.

Ensono Network Teams shall be responsible for working with relevant teams to identify and document all necessary technical standards for firewall devices. This includes both devices currently in use, as well as devices that are under consideration for use.

Ensono Network Teams shall be responsible for working with relevant teams for the creation, maintenance and administration of any procedure or relevant documentation related to firewall devices.

7.1.1.2 FIREWALL CONFIGURATION

All firewall devices shall be configured to explicitly deny all traffic and services on all ports not specifically authorized.

All openings through a firewall device shall have documentation supporting the opening, which will contain the following information:

Business unit requesting change

User requesting change

Business reason supporting change

Managerial approval

All firewall devices, in the event of a failure, shall be configured to “default deny” for all network traffic until such time as the appropriate administrator re-enables all services.

All firewall devices shall deny all traffic on an external connection that appears to have originated from an internal network address.

Intrusion Detection and/or Advanced Threat solutions shall monitor all firewall devices owned or managed by Ensono.

Firewall configurations shall implement secure configurations including, but not limited to, the following:

Authentication through centralized directory services and restriction on local accounts


Consistent, standard, and centrally managed build configurations

Backup and restoration procedures

Logging of all “Accepts” and “Denies”

Implementation of advanced features, such as Layer 7 controls or Intrusion Detection/Prevention features

Firewall configurations will be reviewed and approved by Security.
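The configuration controls above can be checked mechanically against a rulebase export. The Python below is an added example written for this edit, not Ensono's tooling or any vendor's format: it assumes a rulebase flattened into dictionaries with `id`, `action`, `iface`, `src`, `dst`, `dport`, `log` and `doc` keys, treats the RFC 1918 ranges as the internal address space, and names the interface facing the untrusted network `outside`. It verifies the final deny-all, the four documentation items on every opening, an anti-spoofing deny on the outside interface positioned ahead of any permit that could match an internal source address, and logging on every accept and deny.

```python
"""Check a firewall rulebase against the 7.1.1.2 configuration controls.
Added example: the rule schema and the sample rulebase are constructed,
not a vendor export; 'outside' names the interface facing the untrusted
network."""
import ipaddress

# Address ranges treated as internal (assumption: RFC 1918 space).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Documentation every opening must carry (the four items listed in 7.1.1.2).
REQUIRED_DOC_FIELDS = ("business_unit", "requester", "business_reason", "approver")

FULL_DOC = {"business_unit": "Web Ops", "requester": "j.doe",
            "business_reason": "public customer portal", "approver": "a.manager"}

# Constructed rulebase, evaluated top to bottom; "any" is a wildcard.
SAMPLE_RULES = [
    {"id": 5, "action": "deny", "iface": "outside", "src": "10.0.0.0/8",
     "dst": "any", "dport": "any", "log": True, "doc": {}},
    {"id": 6, "action": "deny", "iface": "outside", "src": "192.168.0.0/16",
     "dst": "any", "dport": "any", "log": True, "doc": {}},
    {"id": 10, "action": "permit", "iface": "outside", "src": "any",
     "dst": "192.168.10.25/32", "dport": 443, "log": True, "doc": FULL_DOC},
    {"id": 20, "action": "permit", "iface": "outside", "src": "any",
     "dst": "192.168.10.30/32", "dport": 22, "log": False,
     "doc": {"business_unit": "Net Ops", "requester": "ops"}},
    {"id": 30, "action": "permit", "iface": "inside", "src": "192.168.0.0/16",
     "dst": "any", "dport": 53, "log": True, "doc": FULL_DOC},
    {"id": 99, "action": "deny", "iface": "any", "src": "any",
     "dst": "any", "dport": "any", "log": True, "doc": {}},
]


def src_overlaps(cidr, net):
    """True if a rule source of `cidr` can match some address in `net`."""
    return cidr == "any" or ipaddress.ip_network(cidr, strict=False).overlaps(net)


def src_covers(cidr, net):
    """True if a rule source of `cidr` matches every address in `net`."""
    if cidr == "any":
        return True
    rule_net = ipaddress.ip_network(cidr, strict=False)
    return (rule_net.network_address <= net.network_address
            and rule_net.broadcast_address >= net.broadcast_address)


def check_rulebase(rules):
    """Return a list of findings; an empty list means all four checks passed."""
    findings = []
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny"
            and last["src"] == "any" and last["dst"] == "any"):
        findings.append("last rule is not an explicit deny-all (default deny)")
    for rule in rules:
        if not rule["log"]:  # policy: log all accepts and denies
            findings.append(f"rule {rule['id']}: logging disabled")
        if rule["action"] != "permit":
            continue
        missing = [f for f in REQUIRED_DOC_FIELDS if not rule["doc"].get(f)]
        if missing:
            findings.append(f"rule {rule['id']}: opening undocumented, "
                            f"missing {', '.join(missing)}")
    # Anti-spoofing: each internal range needs a deny on the outside interface
    # positioned before the first outside permit whose source could match it.
    for net in INTERNAL_NETS:
        permit_idx = next((i for i, r in enumerate(rules)
                           if r["action"] == "permit" and r["iface"] == "outside"
                           and src_overlaps(r["src"], net)), None)
        deny_idx = next((i for i, r in enumerate(rules)
                         if r["action"] == "deny" and r["iface"] == "outside"
                         and src_covers(r["src"], net)), None)
        if permit_idx is not None and (deny_idx is None or deny_idx > permit_idx):
            findings.append(f"no anti-spoofing deny on the outside interface for "
                            f"{net} ahead of permit rule {rules[permit_idx]['id']}")
    return findings


if __name__ == "__main__":
    for finding in check_rulebase(SAMPLE_RULES):
        print(finding)
```

On the constructed rulebase the checker reports the unlogged, under-documented SSH opening (rule 20) and the missing anti-spoofing deny for 172.16.0.0/12; ordering matters for that last check, because a deny placed after the permit it is meant to guard never matches.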

7.1.1.3 FIREWALL ADMINISTRATION

Appropriate firewall documentation shall be maintained in offline storage. This includes, but is not limited to, diagrams, IP addresses and configurations.

Firewall documentation shall not be stored on the firewall device.

All changes to a firewall device shall be consistent with Ensono’s change management practices as specified within the ISP.

All firewall devices shall be tested for vulnerabilities and configuration problems prior to introduction into a production environment.

Administrative access to firewall devices shall be limited to authorized and approved firewall administrators.

Administrative access to firewall devices shall be restricted to only allow access through an internal network connection or through physical access.

Remote access to a firewall over a public network shall require encryption and strong authentication.

Whenever applicable, all firewall administrators shall receive periodic training on firewalls and network security practices.

In the event that access through a firewall includes authentication based on source address, authentication shall be combined with other security schemes to protect against IP spoofing attacks.

All firewall devices shall have security patches and updates implemented in a timely manner.

All employees tasked with monitoring firewall devices shall subscribe to external advisories.

7.1.1.4 PHYSICAL SECURITY

All firewall devices shall be located in physically secured rooms.

All locations that house firewall devices shall have monitoring and logging capabilities.

Access to rooms which house firewall devices shall be restricted to authorized personnel whose access is necessary to conduct a business function.

7.1.1.5 LOGGING AND AUDITING

Log files shall be enabled on all firewall devices and centrally stored and monitored by Security.

All log files shall comply with the standards specified within the ISP.

All log files for all firewall devices shall be maintained and stored for review for a minimum of one (1) year.


7.1.2 Router and Switch Security Standards

7.1.2.1 ROUTER AND SWITCH GENERAL SECURITY CONTROLS

All routers shall be required to use a centralized access control system for all user authentications.

Local user accounts shall be restricted on all routers managed or owned by Ensono, and shall be used only when TACACS is not available.

Local user accounts shall adhere to Ensono’s password requirements.

IP directed broadcasts shall be disallowed.

Incoming packets sourced with invalid addresses shall be disallowed.

TCP small services shall be disallowed.

UDP small services shall be disallowed.

Source routing shall be disallowed.

Web services running on a router shall be disallowed.

SNMP community strings shall adhere to Ensono’s password requirements.

Routers and switches shall apply secure configurations and be managed centrally.

Configurations will be reviewed and approved by Security or Audit & Compliance teams.
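Most of the router controls above correspond to specific IOS commands, so a running configuration can be audited for them directly. The following Python is an added example for this edit, not an Ensono standard or tool: the sample configuration is constructed, `MIN_COMMUNITY_LEN` and the default-community list are stand-ins for the password requirement the policy references but does not state, and the audit treats the absence of the explicit `no` form of each disallowed service as a finding, so a device whose platform defaults already disable a service is still flagged until the setting is made explicit and therefore visible to review.

```python
"""Audit a Cisco IOS-style running configuration for the router controls in
7.1.2.1 (centralized AAA, disallowed services, SNMP community strength).
Added example: the configuration text is constructed, and the thresholds are
stand-ins for Ensono's password requirements, which the policy does not state."""
import re

# Constructed sample with several deliberate policy violations.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
service tcp-small-servers
no service udp-small-servers
no ip http server
no ip http secure-server
username backup-admin privilege 15 secret 5 $1$abcd$constructedhash
snmp-server community public RO
snmp-server community Xk9vQ2mP7rL4wTz RW
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
"""

# Global commands that must be present verbatim (standard IOS syntax).
REQUIRED_GLOBALS = (
    "aaa new-model",                 # centralized AAA (TACACS+) for all logins
    "no service tcp-small-servers",  # TCP small services disallowed
    "no service udp-small-servers",  # UDP small services disallowed
    "no ip source-route",            # source routing disallowed
    "no ip http server",             # web services on the router disallowed
    "no ip http secure-server",
)
TACACS_PREFIXES = ("tacacs server ", "tacacs-server host ")
MIN_COMMUNITY_LEN = 12                       # assumed stand-in for the password standard
DEFAULT_COMMUNITIES = {"public", "private"}  # vendor defaults; constructed list


def parse_sections(config_text):
    """Split a running-config into global lines and per-interface line lists.
    Interface sub-commands are the indented lines under an `interface` line."""
    global_lines, interfaces, current = [], {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit_router_config(config_text):
    """Return a list of findings; an empty list means the config meets the checks."""
    global_lines, interfaces = parse_sections(config_text)
    present = set(global_lines)
    findings = [f"missing: {cmd}" for cmd in REQUIRED_GLOBALS if cmd not in present]
    # Local accounts are only a fallback; a TACACS+ server must be defined.
    if not any(line.startswith(TACACS_PREFIXES) for line in global_lines):
        findings.append("no TACACS+ server configured; local accounts would be the only login path")
    for name, sub in interfaces.items():
        if "ip directed-broadcast" in sub:
            findings.append(f"{name}: ip directed-broadcast enabled")
    for line in global_lines:
        m = re.match(r"snmp-server community (\S+)", line)
        if m and (m.group(1).lower() in DEFAULT_COMMUNITIES
                  or len(m.group(1)) < MIN_COMMUNITY_LEN):
            findings.append(f"weak SNMP community string: {m.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in audit_router_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a real export, the script would read the output of `show running-config` from a file instead of `SAMPLE_CONFIG`; the "incoming packets sourced with invalid addresses" control is not checked here because it is normally enforced with interface ACLs or unicast RPF whose exact form depends on the topology.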

7.1.3 Wi-Fi Networks and Devices

7.1.3.1 RESTRICTIONS ON USE OF WI-FI DEVICES

Ensono prohibits the operation of Wi-Fi networks and devices that have not been approved or implemented by Ensono Service Operations teams. This includes implementation at any location or facility managed, owned or leased by Ensono.

All Wi-Fi networks and associated configurations shall be reviewed and approved by Security.

Security or designee shall be authorized to use scanners and other similar tools to monitor for rogue access points, networks, and other wireless devices. Wireless Intrusion Detection/Prevention and other monitoring tools shall be implemented.

Any unauthorized device detected by scanning or identified through physical means as being used while on Ensono premises shall be deactivated and can be removed or confiscated by an authorized security administrator.

7.1.3.2 WI-FI SECURITY REQUIREMENTS FOR EMPLOYEE ACCESS

Where it is deemed appropriate by senior management, Ensono Service Operations teams may deploy secured Wi-Fi networks for employee access to internal Ensono networks. Such networks should always be configured and managed to current industry best practices and should at a minimum meet the following requirements:


Unless prohibited by job function, duties, or contractual/regulatory requirements, all Ensono employees with a valid and functional Ensono Active Directory account shall be permitted to use these approved networks.

All users connecting to Wi-Fi networks must be authenticated, and the ability to track each device to a user must be maintained.

Individuals who are not Ensono employees shall not be permitted to access these Wi-Fi networks.

All approved device configurations will be reviewed by Security or Audit & Compliance teams on a periodic basis to maintain adherence to industry best practices.

All access to such Wi-Fi networks must be validated by at least two-factor authentication methods.

The strongest industry standard Wi-Fi authentication and encryption protocols must be used at all times. Devices and networks that cannot do so are not permitted.

7.1.3.3 WI-FI SECURITY REQUIREMENTS FOR GUEST ACCESS

Where it is deemed appropriate by senior management, Ensono Service Operations teams may deploy secured Wi-Fi networks for guest access to the internet. Such networks should always be configured and managed to current industry best practices and should at a minimum meet the following requirements:

Unless prohibited by job function, duties, or contractual/regulatory requirements, all Ensono employees with a valid and functional Ensono Active Directory account shall be permitted to use these approved networks.

Devices permitted to access such networks must be identifiable to the individual owner.

Guest access permission must be revoked after 24 hours.

Access for periods of time longer than 24 hours may be granted to individuals with long-term contractor status. Such access shall not exceed the term of the contract or 90 days, whichever is shorter.

The strongest industry standard Wi-Fi authentication and encryption protocols must be used at all times. Devices and networks that cannot do so are not permitted.

Guest networks may never allow direct connectivity to Ensono’s internal networks.

7.1.4 Remote Access Standard

7.1.4.1 GENERAL CONTROLS FOR CENTRALIZED REMOTE ACCESS SOLUTIONS


Remote access to Ensono’s network, or any device contained on Ensono’s network, shall be provided through a secured system or through a VPN connection and shall require at least two-factor authentication.

Remote access connections to Ensono’s network or individual network devices which do not pass through approved firewalls or secure authentication servers shall be strictly prohibited and, prior to implementation or use, shall require approval from Security through the ISP Exception Request Process.

All inbound remote access connections shall require, at a minimum, the use of a dynamic password system which is approved by relevant security teams and Security.

Auditing and logging of significant events shall be enabled, stored centrally by Security, and monitored for all remote access connections.

7.1.4.2 GENERAL CONTROLS FOR DIRECT INWARD DIAL SOLUTIONS (NON-CENTRALIZED)

Information Owners shall maintain responsibility for identifying and documenting all modems or similar devices that allow remote access to devices or systems that are within their area of responsibility.

Externally connected modems or modem-like devices shall be labeled with the appropriate Information Owner’s contact information.

Information Owners shall maintain an updated list of all accounts that access a direct inward dial system connected to, or allowing access to, devices or systems within their area of responsibility.

7.1.4.3 SECURITY OF DIRECT INWARD DIAL SOLUTIONS (NON-CENTRALIZED)

User accounts used to remotely access Ensono resources shall be approved, in writing or electronic format, prior to use of a dial-in account.

Passwords for user accounts used to remotely connect to Ensono’s information resources shall comply with Ensono’s password policy.

Auditing and logging of significant events shall be enabled and monitored for all systems and devices configured to allow dial-in capabilities.

Access to a dial-in solution shall require, at a minimum, UserID/password authentication.

Direct inward dial shall be disabled when not in use. This includes hardware and/or software disabling.

Systems administrators shall be notified prior to remote connectivity occurring on Ensono systems or devices.

7.2 SYSTEM CONFIGURATIONS

7.2.1 Server and Mainframe Security Standard

7.2.1.1 SERVER AND MAINFRAME GENERAL SECURITY CONTROLS


Naming conventions for servers and mainframes shall be subject to approval from relevant Information Custodians and Security.

Asset management records shall include, at a minimum, hostname, IP address, owner, description, and security classification.

All software installed on centrally managed servers and mainframes shall be maintained at a level supported by the vendor.

Each server and mainframe shall have an identified and documented Information Owner.

The Information Custodian shall be responsible for providing relevant technical information to the NOC, EOC, Security, Audit and Compliance team, and other relevant teams.

The Information Custodian shall be responsible for ensuring that systems within their area of responsibility are placed within Ensono’s vulnerability detection process.

The Information Custodian shall be responsible for ensuring systems within their area of responsibility are part of an accurate inventory.

All implemented systems shall meet or exceed vendor-recommended minimum hardware requirements.

Detailed information pertaining to the configuration of a server or mainframe, to include information received from vulnerability scans, shall be classified as INTERNAL USE ONLY, and shall require appropriate authorization prior to any disclosure.

All systems, within both production and development environments, shall be designed, commissioned, implemented, maintained, modified and decommissioned in a standardized, documented fashion designed to protect and secure Ensono information resources.

All system access shall be explicitly denied unless specifically allowed.

All TCP/UDP ports shall be explicitly disabled unless specifically needed.

All user access to a system shall require, at a minimum, a user account/password pair for authentication.

System audit logs shall be enabled and reviewed on all systems in a centrally managed system monitored by E-SEC.

User access logs shall be enabled and reviewed on all systems.

All systems used to conduct business processes shall be maintained within an identified Ensono data center.

All systems shall be hardened as specified by industry standards or legal agreements.

Externally facing systems or systems designated as RESTRICTED are required to implement secure configurations as provided by the Center for Internet Security (e.g. CIS Benchmarks).

All systems shall be maintained to industry standards, where applicable, based on business need.

All systems shall be configured to restrict the chance of, or opportunity to use, an alternate boot device.

All systems shall be verified to be free of unacceptable vulnerabilities prior to implementation into Ensono’s environment.
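The port control stated in both 6.8.1.1 and 7.2.1.1 ("All TCP/UDP ports shall be explicitly disabled unless specifically needed") is most easily verified by comparing what a host actually listens on with the ports its role is approved to expose. The following Python is an added example, not part of the policy or of Ensono's tooling: it parses constructed `ss -lntu` output against a hypothetical web-server allow-list and reports every listener not on the list, distinguishing sockets bound only to a loopback address from those reachable over the network, since the policy requires an explicit need for both.

```python
"""Compare a server's listening sockets with the ports its role is approved
to expose (6.8.1.1 / 7.2.1.1).  Added example: the `ss -lntu` output below
is constructed and the allow-list is a hypothetical web-server role."""

# Constructed output in the column layout of `ss -lntu` (iproute2).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
"""

# Hypothetical allow-list for a web-server role: (protocol, port) pairs.
WEB_ROLE_ALLOWLIST = {("tcp", 22), ("tcp", 443)}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(ss_output):
    """Parse `ss -lntu` text into (proto, addr, port) tuples, skipping the header.
    IPv6 addresses arrive bracketed ([::]:22); the brackets are stripped."""
    listeners = []
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)
        listeners.append((proto, addr.strip("[]"), int(port)))
    return listeners


def unapproved_listeners(ss_output, allowlist):
    """Return sorted (proto, port, addr, scope) tuples for listeners not on the
    allow-list.  scope is 'loopback' for sockets bound only to a loopback
    address and 'network' otherwise; both are reported, because the policy
    requires every open port to be specifically needed."""
    findings = set()
    for proto, addr, port in parse_listeners(ss_output):
        if (proto, port) in allowlist:
            continue
        scope = "loopback" if addr in LOOPBACK else "network"
        findings.add((proto, port, addr, scope))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, addr, scope in unapproved_listeners(SAMPLE_SS_OUTPUT, WEB_ROLE_ALLOWLIST):
        print(f"{proto}/{port} bound to {addr} ({scope}) is not on the approved list")
```

On a live host the text would come from running `ss -lntu` and the allow-list from the asset record for the server's role; anything reported should either be disabled or added to the record with the business need that justifies it.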


7.2.1.2 SERVER AND MAINFRAME MALWARE PROTECTION AND PATCH CONTROLS

All systems, where applicable, shall have centrally managed malware protection software loaded, active and enabled.

All systems that have centrally managed malware protection software installed shall comply with Ensono’s malware protection controls.

All systems shall be subject to scans by Ensono’s internal vulnerability detection scanner.

All systems shall have patches and updates applied in a timely manner.

7.2.1.3 SERVER AND MAINFRAME CHANGE MANAGEMENT

All changes to systems, both in production and development, shall be part of an identified change management program.

7.2.1.4 SERVER AND MAINFRAME SYSTEM DIAGNOSTIC DATA

When system diagnostic data must be shared with a 3rd party vendor, it must be transported by secure means approved by E-SEC.

When diagnostic data is written to an external USB storage device, the USB storage device must be an approved device and must be tracked using a chain of custody methodology or other such process that is tracked and maintains an audit trail.

All diagnostic data shall be deleted from USB storage devices once no longer needed.

7.2.2 Workstation Security Standard

7.2.2.1 WORKSTATION GENERAL SECURITY CONTROLS

Workstations will apply secure configurations which will be reviewed and approved by the Security, Audit, and/or Compliance teams.

All software installed on workstations shall be maintained at a level supported by the vendor.

All workstation access shall be restricted to authorized users.

All workstations will be tracked in a centrally managed asset management solution.

All workstations shall have malware protection software loaded, enabled and active.

All workstations shall apply operating system and third-party patches on a timely basis.

All workstations shall be designed, commissioned, implemented, maintained, modified and decommissioned in a standardized, documented fashion, designed to protect and secure Ensono information resources.

All workstations shall be updated and maintained to industry standards where applicable, based on business need.


All users shall be prohibited from modifying, changing, removing or circumventing security controls implemented by designated workstation administrators, network system administrators or domain administrators.

All workstations shall have a logon banner specifying that unauthorized use is prohibited.

All Information Custodians shall maintain an accurate inventory of workstations within their area of responsibility.

All workstations shall be configured with a password-protected BIOS.

All workstations shall be configured to restrict the chance of, or opportunity to use, an alternate boot device.

Any end user system used to connect to Ensono’s network infrastructure shall be required to have the latest updates and security patches applied, as well as malware protection software loaded, enabled, active and updated, prior to connecting to Ensono’s network assets.

All Ensono-provided workstations shall be a member of an Ensono corporate domain.

7.2.3 Email Standard

7.2.3.1 EMAIL GENERAL SECURITY CONTROLS

Use of Ensono corporate email systems shall be considered “pre-approved” for all employees.

The use of non-Ensono email systems (e.g., Hotmail®, Yahoo!®, AOL®, etc.) for business-related correspondence shall be strictly prohibited, due to the inherent security vulnerabilities of those systems as well as a lack of adequate retention capabilities. The use of a non-Ensono email system shall be permitted only when Ensono’s system is not readily available, and the business issue is too urgent to wait until the corporate system becomes available. Whenever a non-Ensono email system is used for business-related purposes, there must be no RESTRICTED or CONFIDENTIAL content unless it is encrypted prior to transmission.

Ensono shall protect, maintain and retain corporate email systems including, but not limited to, all corporate relevant data, mailboxes or any other information contained within corporate email systems.

Ensono’s email systems shall be protected as deemed necessary by Ensono’s identified administrators.

All external communications with clients shall be encrypted using TLS 2.0 or later.

7.2.3.2 USER MAILBOX CONFIGURATION

All user mailboxes shall have a valid X.400 address.

Users shall be restricted to two (2) valid SMTP addresses, of which one must conform to the identified standard naming convention.

The mailbox alias shall be the domain user ID.

Identification fields shall adhere to standard naming conventions.

The global address list shall have only one address entry per Ensono user.


7.2.3.3 EMAIL DISTRIBUTION LISTS

Email administrators shall be responsible for creating, renaming and deleting distribution lists.

Each distribution list shall have an identified owner who is solely responsible for the distribution list memberships.

The display names for a distribution list shall adhere to the following:

Alias – short description

7.2.3.4 RESOURCE MAILBOXES

Exchange administrators shall be responsible for creating, renaming and deleting resource mailboxes, including calendar resources, team mailboxes, etc.

Each resource mailbox shall have an identified owner who is solely responsible for permissions to any and all folders contained within their resource mailbox.

The display name for a resource mailbox shall adhere to the following:

Alias – short description

7.2.3.5 EMAIL CUSTOM RECIPIENTS

In the event it is necessary to add a customer’s email address to an Ensono global distribution list, the following shall be followed:

Display names for custom recipients shall be added using the following format:

Last_First – Last First (Company)

These display names shall be created within the Customer Addresses container of the Exchange Administrator.
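The two display-name formats above matter beyond tidiness: the “(Company)” suffix on a custom recipient is what tells an internal sender that a global address list entry belongs to an outside party, so a nonconforming entry can quietly turn an internal list into an external one. The following added example (not Ensono’s code or tooling) audits a list of address-book entries against both formats. The regular expressions, the accepted character sets, and the hypothetical `audit_gal_entries` helper are assumptions; the policy only gives the two formats.

```python
import re
from typing import Dict, List, Tuple

# The two display-name formats from 7.2.3.3-7.2.3.5. The separator is the en dash
# the policy shows; a plain hyphen is accepted too (assumption: extraction may
# have normalised the dash). Character classes are assumptions, not from the policy.
LIST_OR_RESOURCE_RE = re.compile(
    r"^(?P<alias>[A-Za-z0-9._-]+) [–-] (?P<description>\S.*)$"
)
CUSTOM_RECIPIENT_RE = re.compile(
    r"^(?P<last>[A-Za-z'-]+)_(?P<first>[A-Za-z'-]+) [–-] "
    r"(?P<last2>[A-Za-z'-]+) (?P<first2>[A-Za-z'-]+) \((?P<company>[^()]+)\)$"
)


def check_list_display_name(name: str) -> List[str]:
    """Distribution list / resource mailbox: 'Alias – short description'."""
    m = LIST_OR_RESOURCE_RE.match(name)
    if not m:
        return ["format: expected 'Alias – short description'"]
    problems = []
    if len(m["description"]) > 64:   # assumption: keep descriptions short
        problems.append("description: longer than 64 characters")
    return problems


def check_custom_recipient(name: str) -> List[str]:
    """External (customer) address: 'Last_First – Last First (Company)'."""
    m = CUSTOM_RECIPIENT_RE.match(name)
    if not m:
        return ["format: expected 'Last_First – Last First (Company)'"]
    problems = []
    # The alias half and the readable half must agree, otherwise the entry
    # misidentifies who the external recipient is.
    if m["last"] != m["last2"] or m["first"] != m["first2"]:
        problems.append("name: alias 'Last_First' does not match 'Last First'")
    if not m["company"].strip():
        problems.append("company: empty")
    return problems


def audit_gal_entries(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return only the nonconforming entries, keyed by display name."""
    checkers = {"list": check_list_display_name,
                "resource": check_list_display_name,
                "custom": check_custom_recipient}
    report: Dict[str, List[str]] = {}
    for kind, name in entries:
        problems = checkers[kind](name)
        if problems:
            report[name] = problems
    return report


# Constructed sample entries (not from the policy).
SAMPLE_ENTRIES = [
    ("list", "SalesTeam – Regional sales staff"),
    ("resource", "Room-201 – Second floor meeting room"),
    ("custom", "Doe_Jane – Doe Jane (Acme Corp)"),
    ("custom", "Doe_Jane – Smith Jane (Acme Corp)"),   # alias and name disagree
    ("custom", "Jane Doe"),                             # no company marker at all
    ("list", "Sales Team"),                             # no alias/description split
]

if __name__ == "__main__":
    for name, problems in audit_gal_entries(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(problems))
```

Running it over an export of the Customer Addresses container would list exactly the entries an administrator needs to rename; the cross-check between the `Last_First` alias and the readable name catches the copy-and-paste error that a format-only regex lets through.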

7.3 EXCHANGES OF INFORMATION AND SOFTWARE

7.3.1 Information Confidentiality

Information classified as INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED, either implied as such or specifically identified as such by contract or other means, should be protected from unauthorized or unintended release or disclosure. All users shall adhere to the following:

Information classified as or known to be CONFIDENTIAL or RESTRICTED, either formally or informally, shall be restricted from disclosure, transferal or sale to any non-Ensono party.

Ensono’s Marketing team shall maintain responsibility for final approval of disclosure of any information formally or informally classified as PUBLIC.

All exchanges of software and/or data between Ensono and any third party, not strictly related to a business purpose, shall be prohibited unless a written agreement has been signed.

All written agreements for the exchange of software and/or data shall, at a minimum, contain the following:

Terms of the exchange
Date/Period of the agreement
Software/Data handling agreements
Software/Data protection agreements

Information classified, either formally or informally, as RESTRICTED or CONFIDENTIAL shall be restricted from transport or transfer across any public network unless appropriately encrypted.

All encryption solutions used to transport or transfer information classified as RESTRICTED or CONFIDENTIAL shall comply with the ISP.

7.3.2 Information Reliability

All information received, downloaded or acquired from a public network source should be considered suspect until verified and authenticated by a second source. To that extent, the following should be adhered to when accessing information from a public network:

All non-text files downloaded from a non-Ensono source via the Internet or a public network shall be screened with Ensono-approved malware protection software prior to being used or installed on Ensono-owned or managed information resources.

Information, software or programs downloaded from a non-trusted source shall be tested on a standalone, non-production machine prior to introduction into Ensono’s corporate network.

Downloaded files that are compressed and/or encrypted shall be uncompressed and/or decrypted prior to screening with malware detection software.

Automatic updating of software or information on Ensono computers via “background push” Internet technology shall be prohibited on all Ensono information resources unless Security has approved the vendor.
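Two of the requirements above have a concrete shape in code: authenticating a download against a digest obtained from a second source, and uncompressing archives (including archives inside archives) before the screening engine looks at them. The following is an added example, not Ensono’s tooling or the approved malware product; the scanner is a stand-in callable that flags a constructed marker string, and the size and nesting caps, which keep a crafted archive from exhausting the screening host, are assumed values rather than policy figures.

```python
import hashlib
import hmac
import io
import zipfile
from typing import Callable, Dict, List

# Assumed limits (not from the policy): cap total decompressed size and nesting
# so a crafted archive cannot exhaust the screening host.
MAX_EXTRACTED_BYTES = 50 * 1024 * 1024
MAX_NESTING = 4

Scanner = Callable[[str, bytes], bool]   # returns True when content is flagged


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verified_by_second_source(data: bytes, published_digest: str) -> bool:
    """Authenticate a download against a digest obtained from a second source
    (vendor page, signed release notes), not from the download location itself."""
    return hmac.compare_digest(sha256_hex(data), published_digest.strip().lower())


def _screen(name: str, data: bytes, scanner: Scanner, findings: List[str],
            budget: List[int], depth: int) -> None:
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_NESTING:
            findings.append(f"{name}: refused, nesting deeper than {MAX_NESTING}")
            return
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                budget[0] -= info.file_size
                if budget[0] < 0:
                    findings.append(f"{name}: refused, extraction budget exceeded")
                    return
                # Uncompress first, then screen: the scanner sees the member's
                # real content, not the compressed bytes.
                _screen(f"{name}/{info.filename}", zf.read(info), scanner,
                        findings, budget, depth + 1)
        return
    if scanner(name, data):
        findings.append(name)


def screen_download(name: str, data: bytes, scanner: Scanner,
                    max_bytes: int = MAX_EXTRACTED_BYTES) -> List[str]:
    """Screen a downloaded blob, descending into (nested) zip archives.
    Returns flagged member paths plus any refusals; an empty list means clean."""
    findings: List[str] = []
    _screen(name, data, scanner, findings, [max_bytes], 0)
    return findings


def demo_scanner(name: str, data: bytes) -> bool:
    """Stand-in for the approved malware engine: flags a constructed marker."""
    return b"CONSTRUCTED-TEST-MARKER" in data


def _zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample: an archive containing a second archive that hides the marker.
SAMPLE_DOWNLOAD = _zip({
    "readme.txt": b"plain text, nothing to see",
    "inner.zip": _zip({"payload.txt": b"harmless text ... CONSTRUCTED-TEST-MARKER"}),
})

if __name__ == "__main__":
    print(screen_download("outer.zip", SAMPLE_DOWNLOAD, demo_scanner))
```

The design point is the order of operations the policy asks for: each member is read (decompressed) and then handed to the scanner, and a nested archive is walked rather than scanned as an opaque blob. Encrypted members are a different case: `zipfile` raises on them without a password, which is the right failure, because content that cannot be decrypted cannot be screened and should not be used.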

The identity of individuals and/or organizations shall be verified prior to being engaged for business purposes.

All users shall be prohibited from misrepresenting, obscuring, suppressing or replacing another Ensono user’s identity on the Internet or any Ensono information resource.

All users shall be prohibited from establishing new Internet Web pages dealing with Ensono business or making modifications to existing Web pages dealing with Ensono business unless done in compliance with Ensono policies and applicable contract requirements.

All users shall be prohibited from modifying, hot linking to, updating, altering or otherwise changing existing web pages that deal with Ensono business without approval from Ensono’s Marketing team.

7.3.3 Public Representation

Ensono employees shall be allowed to indicate their affiliation with Ensono when conducting personal business online, to the extent that:

Opinions or statements, including but not limited to political advocacy statements and product/service endorsements, presented in conjunction with an affiliation with Ensono shall also contain notification that the opinions or statements presented do not necessarily reflect Ensono’s position.

All representations on behalf of Ensono, with the exception of ordinary marketing and customer service activities, shall be approved by Ensono’s Marketing team prior to release to the public.


Ensono employees shall be prohibited from engaging in libel, defamation of character, other legal problems, flaming or other similar written attacks whenever an affiliation with Ensono is associated with the post.

Ensono employees shall be prohibited from making threats against, harassing, annoying or alarming another user or organization over the Internet.

Ensono shall reserve the right to require the removal of inappropriate Internet postings or messages created by Ensono employees which include an affiliation with Ensono.

Inappropriate postings are as follows:

Cursing or other foul language
Statements that contain non-business related information or that could be viewed as harassing others based on:
    Race
    Creed
    Color
    Age
    Sex
    Physical or mental disability
    Sexual orientation
    Political statements
    Religious statements
    National origin
    Military status

Public posting of Ensono or client confidential information on public forums is strictly prohibited.

The decision to remove a posting shall be the responsibility of Ensono management and/or Human Resources.


8 Personnel Security

8.1 PERSONNEL SECURITY OBJECTIVES

To reduce the risks of human error, theft or fraud.

To ensure that users are aware of Information Security threats and to help them support Ensono’s Information Security practices.

To minimize the damage from security incidents and malfunctions, and to monitor and learn from such incidents.

8.2 SECURITY INCLUDED IN JOB ROLES

8.2.1 Including Security in Job Role Definition

All job role definitions shall include appropriate language identifying the correlating Information Security responsibilities for said job role.

Management shall be responsible for working with HR and Security to identify job-role-specific security concerns.

8.2.2 Personnel Screening Policy

Employment screening checks, as specified by Ensono’s Legal, HR, and the Risk Management Committee, shall be conducted for all permanent staff, contractors, temporary staff, and third party users prior to beginning work at Ensono or being granted access to Ensono information assets.

Employment screening checks shall be successfully passed prior to beginning work at Ensono or being granted access to Ensono information assets.

All employees shall be required to have on file a signed consent allowing Ensono to conduct background screening checks.

All employees granted security related roles shall be required to satisfactorily pass supplemental employment screening checks on a periodic basis.

8.2.3 Terms and Conditions of Employment

All employees who are given access to Ensono owned or managed information assets shall sign Ensono’s confidentiality or non-disclosure agreement prior to being granted access to any Ensono owned or managed information asset.

All employees shall be responsible for working with Ensono’s identified security teams to support the implementation of a corporate-wide security environment.

Full compliance with the ISP is a condition of employment. Violation of the ISP may result in disciplinary action up to and including immediate termination.

8.3 PERSONNEL EDUCATION, TRAINING, AND AWARENESS

8.3.1 Security Training and Awareness

All new Ensono associates are granted access to Ensono’s information resources to facilitate completion of the new hire training curriculum, which includes required security awareness training. New hire security awareness training must be completed within ten (10) business days of start date.

All employees shall be required to complete security awareness training at least annually, to ensure that all personnel are aware of the importance of Information Security.

Failure to complete Ensono’s mandatory security awareness training will be deemed a violation of the Employee Standards of Conduct, which may result in disciplinary action up to and including termination of employment.

Security shall be responsible for working with training organizations, legal and compliance teams to develop relevant security training material.

8.4 RESPONDING TO SECURITY INCIDENTS

8.4.1 Security Incident Handling Priorities

Priorities for handling Information Security incidents are as follows:

Protection of human life and safety.
Protection of INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED information.
Collection and analysis of information to determine if a violation of the ISP or the commission of a computer crime has occurred.
Prevention of damage to systems and restoration of systems to routine operation as quickly as possible.

8.4.2 Security Incident Reporting

Security, Audit & Compliance, Physical Security, Legal, and/or HR teams will collaborate to respond to the following types of incidents as appropriate:

Information Security
Property Loss and Protection
Employee Safety
Drugs
Financial Violations
Other as identified by senior management

All users of Ensono information assets have the responsibility to report any security incident.

Anonymous reporting of security incidents shall be permitted.

When requested and in accordance with policy, security incident inquiries will remain confidential.

All users have an obligation to report security weaknesses in a timely manner.

8.4.3 Security Incident Response Procedures

Security incident response procedures shall be conducted and carried out as specified within Ensono’s Security Incident Response Plan.

8.4.4 Reportable Information Security Incidents Standard

The sections below outline examples of potential Information Security incidents.

8.4.4.1 UNAUTHORIZED DISCLOSURE

INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED information is disclosed without authorization.

8.4.4.2 SYSTEM INCAPACITATION

A system’s ability to function is impaired by a high volume of activity from various sources.

A resource such as power, network access or routing tables is modified, degrading the system’s ability to perform normal functions.

Malicious code interferes with a system’s operation.

An asset is stolen, damaged or destroyed.

8.4.4.3 SYSTEM TAMPERING

A user ID is employed to gain access to system administrative functions without prior authorization.

A system weakness allows access to system administrative functions by non-authorized users.

A valid user ID is permitted to gain access to system administrative functions without authorization.

Non-administrative personnel are allowed to perform administrative system functions.

8.4.4.4 INFORMATION TAMPERING

A user ID is employed without authorization to gain access to password files, protected or restricted data, licensed applications, software, or restricted applications, software and/or code.

A system weakness allows unauthorized access to password files, protected or restricted data, licensed applications, software, or restricted applications, software and/or code.

A theft of information resources provides access to password files, protected or restricted data, licensed applications, software, or restricted applications, software or code.

8.4.4.5 MISUSE OF INFORMATION TECHNOLOGY

A user installs unlicensed software.

A user downloads, copies or distributes unlicensed software.

A user’s account is employed in violation of legal statutes, regulations or organization policies.

8.4.4.6 UNAUTHORIZED ACCESS

A valid user ID or user account is employed without authorization.

A valid user ID or user account is used to access areas outside of the user’s account authorization.

A system weakness is exploited, but no access is gained outside the account’s authorization.

A user’s privilege to access information is higher than that which was authorized.

Access to facilities (buildings, rooms, secure areas) is gained without authorization.

8.4.4.7 UNAUTHORIZED USE

INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED information is used for a purpose not specifically permitted based on the user’s need-to-know or the identified disclosure classifications.

Any Ensono information asset is used in such a way as to violate the ISP.

8.4.4.8 ATTEMPTED EXPLORATION OF INFORMATION RESOURCES

Illegal data gathering is directed against a system (port scanning, sniffing, net scanning, etc.).

Actions are attempted that could impair a system’s ability to function.

Actions are attempted that could result in a system or information compromise.

8.4.4.9 NON-SYSTEM INCIDENTS

Unauthorized access to facilities results in information resource exposure or compromise.

Unauthorized parties gain access to INTERNAL USE ONLY, CONFIDENTIAL, or RESTRICTED information.

Ensono information resources are exposed or compromised due to lack of control over computing equipment or media.

Ensono information resources are exposed or compromised due to an environmental hazard.

8.4.4.10 INDIVIDUAL USER REPORTING RESPONSIBILITIES

Security shall be notified of all offensive communications. Ensono users shall not respond directly to the originator of offensive email messages, telephone calls and/or other communications.

Users shall retain copies of messages, notes or voice mail entries of this nature and turn them over to Security.

8.4.5 Security Incident Information Retention and Classification

Information related to or gleaned from a security incident shall be maintained and retained until such a time as the Chief Security Officer deems the information no longer relevant.

Information related to or gleaned from a security incident shall be classified RESTRICTED.

8.5 PROBLEM MANAGEMENT

8.5.1 Reporting Software Malfunctions

Where applicable, Information Custodians shall identify and document problem management procedures for all information assets within their area of responsibility.

Any attempt to interfere with, prevent, obstruct or dissuade a user in their efforts to report a suspected security incident or violation is strictly prohibited and cause for disciplinary


9 Application Development and Maintenance

9.1 APPLICATION DEVELOPMENT AND MAINTENANCE OBJECTIVES

To ensure security is included in the commission, design and operational phases of system development.

To prevent loss, modification or misuse of data in applications.

To ensure that IT projects are conducted in a secure manner.

To maintain the security of application and system software and information.

9.2 SECURITY INCLUSION IN APPLICATION DEVELOPMENT

9.2.1 Application Development General Security Controls

All developed software solutions shall include appropriate security, access and audit controls.

All software development shall follow standardized and documented procedures that include design, implementation, testing, hardening and modification.

All internally-developed software code shall be required to successfully pass Security-approved code level testing and review prior to implementation.

9.2.2 Application Development Design and Planning

Security requirements shall be identified and agreed upon prior to the development of any system or solution.

Security requirements shall be identified during the planning phase of any project, and shall be included as part of the overall business case.

To speed the development process and enhance Ensono’s security stance, where applicable, existing approved security architecture shall be included in new projects.

9.2.3 Creation of New Security Architecture or Design

System and application development teams shall be prohibited from creating new security architecture, composing new security schemes, developing new encryption solutions or otherwise deviating from existing identified security controls without express approval from Security.

9.3 SOFTWARE CODING AND TESTING REQUIREMENTS

9.3.1 Input Data Validation

Data input to application systems should be validated to ensure it is correct and appropriate. The following controls and/or checks shall be implemented and tested where appropriate:

Dual input or other input checks to detect the following errors:
    Out of range values
    Invalid characters in data fields
    Missing or incomplete data
    Exceeding upper and lower data volume limits
    Unauthorized or inconsistent control data
Periodic review of the content of key fields or data files to confirm their validity and integrity.
Procedures for responding to validation errors.
Procedures for testing the plausibility of the input data.
Defining the responsibilities of all personnel involved in the data input process.

9.3.2 Control of Internal Processing

The following controls and/or checks shall be implemented and tested where appropriate:

Limit the use and locations in programs of add and delete functions to implement changes to data.
Define procedures to prevent instances of programs or processes executing or running in the wrong order, or running after failure of prior processing.
Require the use of correct processes to recover from failures to ensure the correct processing of data.
Validation of system-generated data.
Checks on the integrity of data or software downloaded/uploaded between central and remote systems.
Perform integrity checking of records or files.

9.3.3 Output Data Validation

Data output should be tested and validated to ensure that processing is occurring correctly. As such, the following controls and/or checks shall be implemented and tested where appropriate:

Plausibility checks to test whether the output data is reasonable.
Reconciliation control counts to ensure processing of all data.
Procedures for responding to output validation tests.
Defining the responsibilities of all personnel involved in the data output process.
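The error classes in 9.3.1 (out-of-range values, invalid characters, missing or incomplete data, volume limits, inconsistent control data) and the reconciliation control counts and plausibility checks in 9.3.3 are easiest to see as one batch pipeline, so the following added example covers both sections. It is illustration code, not Ensono’s, operating on a constructed batch of payment-style records with a control record that declares the expected count and total. The field names, the numeric limits and the `run_pipeline` structure are assumptions; the policy names the checks, not the values.

```python
import re
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple

# Limits are assumptions for illustration; the policy names the error classes,
# not the values.
REQUIRED_FIELDS = ("id", "amount", "currency", "batch")
ID_PATTERN = re.compile(r"^[A-Z0-9-]{4,32}$")                    # invalid characters
AMOUNT_MIN, AMOUNT_MAX = Decimal("0.01"), Decimal("1000000.00")   # out-of-range values
MIN_RECORDS, MAX_RECORDS = 1, 10_000                              # data volume limits
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}

Record = Dict[str, str]


def validate_record(rec: Record) -> List[str]:
    """Field-level checks (9.3.1). Returns error codes; an empty list means valid."""
    errors = [f"missing:{f}" for f in REQUIRED_FIELDS if not rec.get(f, "").strip()]
    if errors:
        return errors                      # incomplete data: stop here
    if not ID_PATTERN.fullmatch(rec["id"]):
        errors.append("invalid_chars:id")
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        errors.append("invalid_chars:amount")
    else:
        # NaN/Infinity parse as Decimal but must not reach the range test
        if not amount.is_finite() or not (AMOUNT_MIN <= amount <= AMOUNT_MAX):
            errors.append("out_of_range:amount")
    if rec["currency"] not in ALLOWED_CURRENCIES:
        errors.append("out_of_range:currency")
    return errors


def validate_batch(control: Record, records: List[Record]) -> Tuple[List[Record], List[str]]:
    """Batch-level checks: volume limits and the batch's control data
    (declared count and total) against what actually arrived."""
    try:
        declared_count = int(control["count"])
        declared_total = Decimal(control["total"])
    except (KeyError, ValueError, InvalidOperation):
        return [], ["control_invalid"]     # unauthorized/unusable control data
    errors: List[str] = []
    if not (MIN_RECORDS <= len(records) <= MAX_RECORDS):
        errors.append("volume_limit")
    if declared_count != len(records):
        errors.append("control_mismatch:count")
    accepted: List[Record] = []
    for i, rec in enumerate(records):
        rec_errors = validate_record(rec)
        if rec_errors:
            errors.extend(f"record[{i}]:{e}" for e in rec_errors)
        else:
            accepted.append(rec)
    if sum(Decimal(r["amount"]) for r in accepted) != declared_total:
        errors.append("control_mismatch:total")
    return accepted, errors


def process(accepted: List[Record]) -> List[Dict[str, object]]:
    """Stand-in for business processing: convert amounts to integer minor units."""
    return [{"id": r["id"], "currency": r["currency"],
             "minor_units": int(Decimal(r["amount"]) * 100)} for r in accepted]


def reconcile_output(accepted: List[Record], output: List[Dict[str, object]]) -> List[str]:
    """Output checks (9.3.3): control counts and plausibility of what came out."""
    errors: List[str] = []
    if len(output) != len(accepted):
        errors.append("reconcile:count")
    expected = sum(Decimal(r["amount"]) for r in accepted) * 100
    if Decimal(sum(o["minor_units"] for o in output)) != expected:
        errors.append("reconcile:total")
    if any(not (AMOUNT_MIN * 100 <= o["minor_units"] <= AMOUNT_MAX * 100) for o in output):
        errors.append("plausibility:minor_units")
    return errors


def run_pipeline(control: Record, records: List[Record]) -> Dict[str, object]:
    accepted, errors = validate_batch(control, records)
    output = process(accepted)
    errors.extend(reconcile_output(accepted, output))
    return {"accepted": len(accepted), "output": output, "errors": errors}


# Constructed sample batches (not from the policy).
CLEAN_CONTROL = {"batch": "B1", "count": "3", "total": "600.00"}
CLEAN_RECORDS = [
    {"id": "INV-0001", "amount": "100.00", "currency": "USD", "batch": "B1"},
    {"id": "INV-0002", "amount": "200.00", "currency": "USD", "batch": "B1"},
    {"id": "INV-0003", "amount": "300.00", "currency": "EUR", "batch": "B1"},
]
DIRTY_RECORDS = [
    {"id": "INV-0001", "amount": "100.00", "currency": "USD", "batch": "B1"},
    {"id": "INV-0002", "amount": "-5.00", "currency": "USD", "batch": "B1"},   # out of range
    {"id": "inv 3!", "amount": "300.00", "currency": "USD", "batch": "B1"},    # bad characters
]

if __name__ == "__main__":
    print(run_pipeline(CLEAN_CONTROL, CLEAN_RECORDS)["errors"])
    print(run_pipeline(CLEAN_CONTROL, DIRTY_RECORDS)["errors"])
```

Two details carry the security weight: amounts are parsed with `Decimal` and tested for finiteness before the range check, so `NaN` or `Infinity` cannot slip past a comparison, and rejected records are dropped before the total is compared with the control record, so a batch whose control data no longer agrees with its contents is reported as inconsistent rather than silently processed short.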

9.4 CRYPTOGRAPHIC CONTROLS

9.4.1 Key Management

All key management solutions devised and maintained by Ensono shall be implemented and maintained as specified within Ensono’s PKI Certificate Policy (CP) and Ensono’s PKI Certification Practice Statement (CPS).

All key management and information privacy practices shall be disclosed and provided as governed and specified within Ensono’s PKI CP and Ensono’s PKI CPS.

All certificate management and information privacy practices shall be disclosed and provided as governed and specified within Ensono’s PKI CP and Ensono’s PKI CPS.

All Certificate Authority (CA) subscriber information shall be properly authenticated.

CA key and certificate integrity shall be established and protected throughout the life cycle of use.

CA subscriber and relying party information shall be protected from uses not specified within the CA.

CA subscriber and relying party information shall be restricted to authorized users.

Continuity of CA key and certificate life cycle management operations shall be maintained.

CA systems development, maintenance, and operation shall be properly authorized and performed in such a manner that it maintains system integrity.

Encryption keys shall not be disclosed to non-Ensono users unless approved by the key owner or Registration Authority.

Private encryption keys and single key solution keys shall be encrypted when transmitted over a communication network.

Automated key management solutions shall be preferred over manual key management solutions, and shall be chosen over manual key management solutions unless approved by Security.

Ensono’s identified PKI solution shall be used to encrypt and manage keys for all data that is stored in an encrypted format (i.e., persistent) at Ensono.

9.4.2 Encryption

Ensono requires that information classified as CONFIDENTIAL or RESTRICTED, which is received by Ensono or sent by Ensono, be encrypted. This includes information classified as CONFIDENTIAL by a client, as well as information classified as SENSITIVE by clients or regulatory agencies.

All information classified as CONFIDENTIAL or RESTRICTED by Ensono, clients or regulatory agencies which is transmitted to or from Ensono via any public network shall be encrypted.

All information classified as CONFIDENTIAL or RESTRICTED by Ensono, clients or regulatory agencies which is stored on physical media and transported to or from Ensono via any physical delivery method shall be encrypted.

All encryption solutions shall use the Ensono standard toolset, comply with the x.509 standard, or be a solution agreed upon between Security and the customer, and have the following minimum requirements:

Uses public/private key pairs
Uses a minimum of 256-bit encryption

Encryption of data at rest should be employed as deemed necessary by regulatory, contractual, or Risk Management Committee requirements.

9.5 SECURITY OF SYSTEM FILES

9.5.1 Control of Operational Software

The following controls and/or changes shall be implemented and tested where necessary:

Only appropriately identified and authorized librarians shall update production program libraries.
Where possible, operational systems shall only hold executable code.
Executable code shall not be implemented on a production system until evidence of successful testing and user acceptance is obtained, and the corresponding source libraries have been updated.
Audit logs shall be maintained for all updates to production program libraries.
Previous versions of software shall be retained for contingency purposes.
Vendor supplied software used in production systems shall be maintained at a level supported by the vendor.
Security concerns shall be included in any decision related to upgrading to a newer release of an application.
Software patches shall be applied when application of such patches removes or reduces a security weakness.
Physical or logical access provided to third party users for access to production software shall only be provided for support purposes, and shall be monitored.
All software configurations and secure configurations should be centrally managed by a configuration management solution.

9.5.2 Protection of System Test Data

Test data shall be protected and controlled.

System and acceptance testing shall use data that is as close as possible to production data.

Personal information shall be prohibited from use within a testing capacity, unless approved by the Information Owner.

Test environments shall have security and access controls that match the production environment for which testing is being conducted.

Production information shall be removed from test environments once testing is complete.

The copying and use of production information within a test environment shall be logged for auditing purposes.

9.5.3 Access Control to Program Source Library

Where possible, source libraries shall not be held on production systems.

Development and support staff shall be prohibited from unrestricted access to source libraries.

Programs under development or maintenance shall not be held in operational source libraries.

Updates to source libraries shall be conducted by an authorized librarian.

Program listings shall be held in a secure environment.

Audit logs shall be maintained for all access to program source libraries.

Older version(s) of software shall be archived with clear indications of the precise dates and times when they were operational. Supporting software, job control, data definitions and procedures shall be maintained with archived software.

Maintenance and copying of program source libraries shall be restricted and shall follow identified and documented change control procedures.

9.6 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES

9.6.1 Change Control Procedures

The Information Custodian over a test/development environment shall be identified and documented.

The identified Information Custodian shall be responsible for working with relevant teams to identify and document specific change control procedures for environments within their area of responsibility.

Formal change control procedures shall be documented that:

Ensure security and control procedures are not compromised.
Ensure that support programmers are granted access only to those parts of the system necessary for their work.
Ensure that formal agreement and approval for a change is obtained.

Wherever possible, application and operational change control procedures shall be integrated to include:

A record of agreed-to authorization levels.
Ensuring changes are submitted by authorized users.
The review of controls and integrity procedures to ensure they will not be compromised by authorized changes.
The identification of all computer software, information, database entities and hardware that require amendment.
Formal approval for detailed proposals before work commences.
Ensuring the user or customer accepts changes prior to any implementation.
Ensuring any implementation of a change is conducted in such a way as to minimize business disruptions.
Ensuring system documentation is updated at the completion of each change, and that old documentation is archived or disposed of properly.
Version control for all software updates.
An audit trail for all change requests.
Ensuring operating documents and user procedures are updated and changed as needed.

9.6.2 Technical Review of Operating System Changes

Periodically, it is necessary to change an operating system. The following shall be adhered to:

Adequate testing of all software updates and patches must occur within a test environment prior to implementation on a production system. This includes, but is not limited to:
    Appropriate testing of the operating system for potential problems.
    Appropriate testing of all relevant applications for potential problems.
    Review of all application controls and integrity procedures to ensure that updates or patches have not compromised existing security controls.
Notification of operating system changes shall be provided to allow time for all appropriate reviews of the update/patch to occur.
Appropriate changes shall be made to all relevant BC/DR documentation.

9.6.3 Covert Channels and Trojan Code

All software developers shall be prohibited from creating code which contains:

Undocumented code
Programs that can be considered a backdoor
Programs that allow for the bypassing of security controls

Once installed, modification of and access to code shall be strictly limited and shall be controlled and audited.

Software and code must only be downloaded in accordance with Ensono’s Malware Protection Policy, particularly the requirement that only trusted sources shall be used.

Software agreements for solutions that are externally facing and client facing shall include requirements for maintaining software that is free from secure coding flaws.


10 Business Continuity/Disaster Recovery (BC/DR)

10.1 BUSINESS CONTINUITY/DISASTER RECOVERY OBJECTIVES

To ensure the continuation of Ensono and to expedite a resumption of business processes in the event that a disruption occurs due to disaster or security failure.

10.2 BC/DR MANAGEMENT OVERSIGHT

10.2.1 BC/DR Management Controls

Senior Management shall identify and designate a team that has the sole responsibility for the commission, design, implementation, maintenance, administration and testing of all corporate Business Continuity and Disaster Recovery (BC/DR) plans. This team shall be identified by Executive Leadership.

The BC/DR team shall maintain responsibility for all aspects of BC/DR for Ensono. This includes design, commission, implementation, administration, maintenance, decommission, documentation and testing.

The BC/DR team shall ensure the appropriate level of security controls are maintained during a business interruption in accordance with business requirements, the Information Security Policy, input from E-SEC, and the Risk Management Committee.

11 Physical and Environmental Security

11.1 PHYSICAL AND ENVIRONMENTAL SECURITY OBJECTIVES

To prevent unauthorized access, damage and interference to business premises.

To prevent loss, damage or compromise of assets and interruptions to business activities.

To prevent compromise or theft of information and information processing facilities.

11.2 PHYSICAL SECURITY GENERAL CONTROLS

11.2.1 General Physical Security Notification

Ensono reserves the right to inspect and search the personal effects of any person entering or leaving Ensono owned, managed or leased facilities. This includes, but is not limited to, purses, packages or vehicles.

Ensono shall prohibit any user from carrying a firearm or prohibited weapon of any kind onto any property owned, managed or leased by Ensono. This includes, but is not limited to, persons who are licensed to carry a weapon.

11.2.2 Clean Desk Policy

Ensono users must be aware of the need to maintain the confidentiality of CONFIDENTIAL, RESTRICTED, and INTERNAL USE ONLY information, and take steps that are reasonable under the circumstances to maintain the confidentiality of that information.

11.2.2.1 PROCEDURES

Users must adhere to Ensono’s Information Handling requirements to ensure that all information is appropriately secured, as determined by criticality and classification of the information and/or contractual obligations, when unattended during and after work hours.

Users shall take appropriate steps to prevent the disclosure of CONFIDENTIAL, RESTRICTED, and INTERNAL USE ONLY information to unauthorized persons. This includes information that might be disclosed verbally, physically, and/or electronically.

Keys, security badges, tokens, and other means used to lock information in a required secure manner shall not be left unattended during and after work hours.

11.2.2.2 AUDITING PROCESS

On a periodic basis, authorized personnel will conduct a physical walk-through of Ensono office space looking for potentially sensitive data, as defined in the Clean Desk Policy, which is in the clear and unattended. The authorized personnel will then:

Document any discrepancies discovered with regards to sensitive client information, to include:

Ensono desk and/or office number
What data was found

Ensono employee’s identity

Address the infraction with the affected employee(s).

Follow up within five (5) business days to ensure the issue has been resolved satisfactorily.

11.2.3 Removal of Property

Users shall be prohibited from taking equipment, information, or software off-site without authorization from their manager.

Where necessary, equipment shall be logged out and logged in to reduce chances for theft.

All owners of an Ensono physical resource shall be required to relinquish said resource upon an appropriately-authorized request.

Physical assets containing or possibly containing information assets shall not be removed from their appropriate locations without the approval of Security.

11.3 SECURE AREAS

11.3.1 Physical Security Perimeter

Where deemed necessary by the physical security organization, physical security barriers shall be erected to protect Ensono-owned, managed or leased facilities and information assets.

Users shall be informed of the following approved options for providing a physical security perimeter:

Receptionists
Security guards
Metal key locks
Magnetic card door locks
Other, as determined by the physical security organization

11.3.2 Physical Entry Controls

All users shall be required to retain and display their Ensono-provided identification at all times while within a facility or location that is owned, managed or leased by Ensono.

All users shall be required to use their Ensono-provided identification to gain physical access to any Ensono owned, managed or leased facility or location.

Unless approved by management, all visitors shall be escorted at all times while within a facility or location that is owned, managed or leased by Ensono.

All users shall be fully responsible for the use of their Ensono-provided identification, and are prohibited from giving/loaning their identification to another person.

The physical security organization shall be responsible for review of access to secured locations on a periodic basis.

11.3.3 Securing Offices, Rooms and Facilities

Access to offices, computer machine rooms or other areas that contain INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED information shall be physically restricted to only those users with a business need-to-know.

Telecommunication systems and network equipment shall be secured with antitheft devices when located in an open environment rather than a limited-access environment.

Servers used to conduct Ensono or client business shall be maintained within an identified data center.

Access to systems development offices, telephone wiring closets, computer machine rooms, network switch rooms or other work areas containing Ensono non-public information shall be physically restricted.

The Information Custodian shall maintain responsibility for working with Ensono’s security organization to determine appropriate access control methods.

When deemed appropriate by the physical security organization, facilities or locations managed, owned or leased by Ensono shall be unobtrusive and provide minimum indication of their purpose.

BC/DR equipment and backup media shall be maintained in an offsite location.

11.3.4 Working in Secure Areas

Physical access to Ensono data centers and other secured locations shall be restricted to authorized personnel only.

Third party and vendor service personnel shall be restricted from secure locations unless appropriately authorized and supervised or monitored.

11.4 EQUIPMENT SECURITY

11.4.1 Equipment Protection

Equipment used for Ensono’s core business shall be sited or protected to reduce the risks from environmental threats, hazards, and opportunities for unauthorized access.

11.4.2 Power Supplies

Equipment used for Ensono’s core business shall be protected from power failures and other electrical anomalies.

11.4.3 Cabling Security

Power and telecommunications cabling carrying data or supporting Ensono’s core business shall be protected from interception or damage.

11.4.4 Security of Offsite Equipment

Users shall be fully responsible for the security of equipment within their possession when being used offsite.

Portable devices that contain unencrypted CONFIDENTIAL or RESTRICTED information shall not be checked as airline luggage, left with hotel porters or left in the possession of an individual or entity which does not have a need-to-know.

Users in the possession of a portable computing device shall physically secure said device when not in use. For example, the device should be in a locked office, locked desk, locked vehicle or in the person's physical possession. This includes, but is not limited to, the following:

Laptops

Notebooks
PDAs
Other portable devices

CONFIDENTIAL or RESTRICTED information contained on a portable device shall be encrypted prior to leaving the device unattended.

11.4.5 Secure Disposal or Re-use of Equipment

The preparation of any electronic storage media or devices to be disposed of, reused, or otherwise discarded must adhere to Ensono’s Information Handling requirements to ensure that all INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED information has been securely removed.

All storage devices or media shall be checked and verified to be free of INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED information or licensed software prior to being discarded or disposed of.

All storage devices or media that contain INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED information or licensed software shall be physically destroyed or securely overwritten prior to being discarded or disposed of.

All storage devices or media shall be checked and verified to be free of INTERNAL USE ONLY, CONFIDENTIAL or RESTRICTED information or licensed software prior to reuse in any device other than the device it originally came from.

12 Compliance

12.1 COMPLIANCE OBJECTIVES

To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations.

To ensure compliance with the ISP and related security documentation.

12.2 COMPLIANCE WITH LEGAL REQUIREMENTS AND ENSONO POLICY

12.2.1 Identification of Applicable Legislation

Relevant statutory, regulatory, legislative and contractual requirements shall be explicitly identified and documented.

Relevant statutory, regulatory, legislative and contractual requirements shall be broadly communicated to users to assist in ensuring user compliance with Ensono’s obligations.

12.2.2 Intellectual Property Rights

Users shall be prohibited from using any Ensono information resources to download, copy, redistribute, share, upload, store or otherwise access music, software, data or intellectual property in a manner inconsistent with the associated license agreement.

Users shall be prohibited from using any Ensono information resource to circumvent an existing security device in an unauthorized manner, or in a manner inconsistent with the license agreement.

Users shall be prohibited from disclosure of Ensono’s Intellectual Property without appropriate approval.

12.2.3 Safeguarding of Organizational Records

Relevant and important organizational records shall be protected from loss, destruction and falsification.

Appropriate security controls shall be implemented to ensure the safety of important organizational records.

12.2.4 Legal Conflicts

All users shall be responsible for providing immediate notification to members of Security in the event that any section of the ISP is identified as being in conflict with existing laws or regulations.

12.2.5 Prevention of Misuse of Information Assets

The use of Ensono’s information assets shall be primarily for business purposes and must be authorized for each user prior to receiving access.

Use of Ensono’s information assets requires that all users comply with the ISP at all times.

Violation of the ISP is subject to disciplinary action, up to and including immediate termination of employment and immediate termination of client, partner, and/or vendor relationships.

Ensono’s non-enforcement of any policy requirement does not constitute its consent.

Ensono reserves the right to revoke logical or physical access for any user at any time without prior notification.

12.2.6 Collection of Evidence

Evidence provided for external legal proceedings shall conform to the rules of evidence as laid down in the relevant law or in the rules of the specific court in which the case will be heard.

To achieve admissibility of evidence in court, Ensono shall ensure that information systems comply with any published standard or code of practice for the production of admissible evidence.

12.2.7 Reviews of Security Policy Compliance

Information owners shall be responsible for ensuring all information assets and processes within their realm of responsibility comply with the ISP.

Information owners shall be responsible for ensuring adequate security standards and procedures are identified and documented for all information assets and processes within their realm of responsibility.

Information Custodians shall be responsible for ensuring all security procedures related to their areas of responsibility are carried out correctly.

All areas of Ensono shall be subject to regular compliance reviews by Ensono’s identified internal audit team.

12.3 SYSTEM AUDIT CONSIDERATIONS

12.3.1 System Audit Controls

System and process audit controls shall be formally identified and documented.

Notification of system and process audits shall be fully communicated in a timely manner, prior to the audit taking place.

System and process audits shall be controlled and their scope limited to areas as specified within the associated notification.

All access shall be monitored and logged to produce a reference trail.

All audit procedures, requirements and responsibilities shall be documented.

12.3.2 Protection and Use of System Audit Tools

The use of system audit tools on Ensono’s network and information assets shall be strictly controlled. These tools include, but are not limited to, the following:

Password cracking utilities
Port scanning utilities
Network sniffing utilities
Vulnerability scanners

Use of system audit tools shall be restricted to those users whose documented job function requires the periodic use of such tools.

Use of system audit tools shall require approval from Security prior to use of such tools.

The use of a system audit tool shall be monitored at all times, and shall be audited on a periodic basis.
