BTR Services


Internal Systems Security Policy


1.0 Purpose              

This policy establishes information security requirements for BTR Services systems to ensure that BTR Services confidential information and technologies are not compromised, and that production services and other BTR Services interests are protected.


2.0 Scope

This policy applies to all internally connected systems, BTR Services employees and third parties who access BTR Services systems.


3.0 Policy


3.1 Ownership Responsibilities

1. BTR Services is responsible for assigning system managers, a point of contact (POC), and a back-up POC (if applicable) for each system.


2. System managers are responsible for the security of their systems and the systems impact on the corporate production network and any other networks. System managers are responsible for adherence to this policy and associated processes. Where policies and procedures are undefined lab managers must do their best to safeguard BTR Services from security vulnerabilities.


3. System managers are responsible for the system compliance with all BTR Services security policies.


4. The System Manager is responsible for controlling system access. Access to any given system will only be granted by the system manager or designee. This includes continually monitoring the access list to ensure that those who no longer require access to the system have their access terminated.


5. The Network Support Organization must maintain a firewall function between the corporate production network and all public equipment.


6. The Network Support Organization reserves the right to interrupt system connections that impact the corporate production network negatively or pose a security risk.


7. The Network Support Organization must record all system IP addresses, which are routed within BTR Services networks.



8. All user passwords must comply with BTR Servicesí Password Policy. In addition, individual user accounts on any system device must be deleted when no longer authorized within three (3) days.


9. Production services are defined as ongoing and shared business critical services that generate revenue streams or provide customer capabilities.


10. System manager will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified.


3.2 General Configuration Requirements


1. All traffic between the corporate production systems must go through a System manager maintained firewall function.


2. Original firewall function configurations and any changes thereto must be reviewed and approved by System manager. System manager may require security improvements as needed.


3. Traffic between production networks and test networks, as well as traffic between separate test networks, is permitted based on business needs and as long as the traffic does not negatively impact on other networks. Test systems must not advertise network services that may compromise production network services or put lab confidential information at risk.


4. System manager reserves the right to audit all test-related data and administration processes at any time, including but not limited to, inbound and outbound packets, firewalls and network peripherals.


5. Gateway devices are required to comply with all BTR Services product security advisories.


6. The password will only be provided to those who are authorized to administer the system network.


7. All system external connection requests must be reviewed and approved by System manager. Strong passwords are encouraged.



4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.


5.0 Definitions