BTR Services
1.0 Purpose
This policy establishes information security requirements for BTR Services
systems to ensure that BTR Services confidential information and technologies
are not compromised, and that production services and other BTR Services
interests are protected.
2.0 Scope
This policy applies to all internally connected systems, BTR Services employees
and third parties who access BTR Services systems.
3.0 Policy
3.1 Ownership Responsibilities
1. BTR Services is responsible
for assigning system managers, a point of contact (POC), and a back-up POC (if
applicable) for each system.
2. System managers are responsible for the security of their systems and the
systems' impact on the corporate production network and any other networks.
System managers are responsible for adherence to this policy and associated
processes. Where policies and procedures are undefined, lab managers must do
their best to safeguard BTR Services from security vulnerabilities.
3. System managers are responsible for system compliance with all BTR Services
security policies.
4. The System Manager is responsible for controlling system access. Access to any
given system will only be granted by the system manager or designee. This
includes continually monitoring the access list to ensure that those who no
longer require access to the system have their access terminated.
5. The Network Support Organization must maintain a firewall function between the
corporate production network and all public equipment.
6. The Network Support Organization reserves the right to interrupt system
connections that impact the corporate production network negatively or pose a
security risk.
7. The Network Support
Organization must record all system IP addresses, which are routed within BTR
Services networks.
8. All user passwords must comply with BTR Services’ Password Policy. In
addition, individual user accounts on any system device must be deleted within
three (3) days of no longer being authorized.
9. Production services are
defined as ongoing and shared business critical services that generate revenue
streams or provide customer capabilities.
10. The System manager will address non-compliance waiver requests on a
case-by-case basis and approve waivers if justified.
3.2 General Configuration Requirements
1. All traffic between the corporate production systems must go through a
firewall function maintained by the System manager.
2. Original firewall function configurations and any changes thereto must be
reviewed and approved by the System manager. The System manager may require
security improvements as needed.
3. Traffic between production networks and test networks, as well as traffic
between separate test networks, is permitted based on business needs and as long
as the traffic does not negatively impact other networks. Test systems must
not advertise network services that may compromise production network services
or put lab confidential information at risk.
4. The System manager reserves the right to audit all test-related data and
administration processes at any time, including but not limited to inbound and
outbound packets, firewalls and network peripherals.
5. Gateway devices are required to comply with all BTR Services product security
advisories.
6. The password will only be provided to those who are authorized to administer
the system network.
7. All system external connection requests must be reviewed and approved by the
System manager. Strong passwords are encouraged.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.
5.0 Definitions