BTR Services

Internal Systems Security Policy

1.0 Purpose              

This policy establishes information security requirements for BTR Services systems to ensure that BTR Services confidential information and technologies are not compromised, and that production services and other BTR Services interests are protected.

2.0 Scope

This policy applies to all internally connected systems, BTR Services employees and third parties who access BTR Services systems.

3.0 Policy

3.1 Ownership Responsibilities

1. BTR Services is responsible for assigning system managers, a point of contact (POC), and a back-up POC (if applicable) for each system.

2. System managers are responsible for the security of their systems and the systems impact on the corporate production network and any other networks. System managers are responsible for adherence to this policy and associated processes. Where policies and procedures are undefined lab managers must do their best to safeguard BTR Services from security vulnerabilities.

3. System managers are responsible for the system compliance with all BTR Services security policies.

4. The System Manager is responsible for controlling system access. Access to any given system will only be granted by the system manager or designee. This includes continually monitoring the access list to ensure that those who no longer require access to the system have their access terminated.

5. The Network Support Organization must maintain a firewall function between the corporate production network and all public equipment.

6. The Network Support Organization reserves the right to interrupt system connections that impact the corporate production network negatively or pose a security risk.

7. The Network Support Organization must record all system IP addresses, which are routed within BTR Services networks.

8. All user passwords must comply with BTR Services’ Password Policy. In addition, individual user accounts on any system device must be deleted when no longer authorized within three (3) days.

9. Production services are defined as ongoing and shared business critical services that generate revenue streams or provide customer capabilities.

10. System manager will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified.

3.2 General Configuration Requirements

1. All traffic between the corporate production systems must go through a System manager maintained firewall function.

2. Original firewall function configurations and any changes thereto must be reviewed and approved by System manager. System manager may require security improvements as needed.

3. Traffic between production networks and test networks, as well as traffic between separate test networks, is permitted based on business needs and as long as the traffic does not negatively impact on other networks. Test systems must not advertise network services that may compromise production network services or put lab confidential information at risk.

4. System manager reserves the right to audit all test-related data and administration processes at any time, including but not limited to, inbound and outbound packets, firewalls and network peripherals.

5. Gateway devices are required to comply with all BTR Services product security advisories.

6. The password will only be provided to those who are authorized to administer the system network.

7. All system external connection requests must be reviewed and approved by System manager. Strong passwords are encouraged.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

• Internal  - A system that is within BTR Services' corporate firewall and connected to BTR Services' corporate production network
• Network Support Organization  - Any System manager approved BTR Services support organization that manages the networking of non-lab networks.
• System manager - The individual responsible for all system activities and personnel
• Test - A test is any non-production environment, intended specifically for developing, demonstrating, training and/or testing of a product.
• External Connections (also known as DMZ ) - External connections include (but not limited to) third-party data network-to-network, analog and ISDN data lines, or any other Telco data lines.
• Gateway Device - A gateway device is the system device that connects the BTR Services network.
• Telco - A Telco is the equivalent to a service provider. Telcos offer network connectivity, e.g., T1, T3, OC3, OC12 or DSL. Telcos are sometimes referred to as "baby bells", although Sprint and AT&T are also considered Telcos. Telco interfaces include BRI, or Basic Rate Interface - a structure commonly used for ISDN service, and PRI, Primary Rate Interface - a structure for voice/dial-up service.
• Traffic - Mass volume of unauthorized and/or unsolicited network Spamming/Flooding traffic.
• Firewall - A device that controls access between networks. It can be a PIX, a router with access control lists or similar security devices approved by System manager.
• Extranet - Connections between third parties that require access to connections non-public BTR Services resources, as defined by System manager.
• DMZ (De-Militarized Zone)  - This describes network that exists outside of primary corporate firewalls, but are still under BTR Services administrative control.