The following minimum information security standards are required for devices connected to the USG PeachNet™ network.
5.11.1 Software Patch Updates
Networked devices must run software for which security patches are made available in a timely fashion. They must have all currently available security patches installed. Exceptions may be granted for patches that compromise the usability of critical applications.
5.11.2 Anti-Virus, Anti-Spam, and Anti-Phishing Software
Anti-virus, anti-spam, and anti-phishing software must be running and kept up to date on every class of networked device, including clients, file servers, mail servers, and other types of networked devices.
5.11.3 Host-Based Firewall or Host-Based Intrusion Prevention Software
Host-based firewall or host-based intrusion prevention software appropriate to the type of device must be running and configured on every class of device, including clients, file servers, mail servers, and other types of networked devices. While the use of hardware (network) firewalls is encouraged, they do not obviate the need for host-based firewalls or host-based intrusion prevention: a perimeter firewall does not protect a device from other hosts on the same network segment, or from traffic that the perimeter already admits.
USG electronic communications systems or services must identify users and authenticate and authorize access by means of user IDs and passwords, or other secure authentication processes (e.g., biometrics or smart cards). Password length and strength must meet the USG Password Security and Composition Standard. In addition, shared-access systems must enforce these standards whenever possible and appropriate, and must require users to change any pre-assigned passwords immediately upon initial access to the account. All default passwords for access to network-accessible devices must be changed. Passwords used by system administrators for their personal access to a service or device must not be the same as those used for privileged access to any service or device.
5.11.5 Encrypted Authentication
Unencrypted device authentication mechanisms are only as secure as the network upon which they are used. Traffic across the USG network may be surreptitiously monitored, so credentials sent in the clear must be assumed to be recoverable by anyone able to observe the traffic. Therefore, all networked devices must use only encrypted authentication mechanisms unless otherwise authorized by USG Information Security & ePrivacy. In particular, historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents (for example, SSH in place of Telnet; SFTP or FTPS in place of FTP; SNMPv3 with authentication and privacy in place of SNMPv1/v2c; and POP3 and IMAP over TLS, whether on the dedicated ports or via STARTTLS, in place of plaintext POP3 and IMAP).
Encryption, or equally effective measures, is required for all personal, sensitive, or confidential information, as defined in Section 5.7, that is stored on portable electronic storage media (including, but not limited to, CDs/DVDs, external/mobile storage, and USB drives) and on portable computing devices (including, but not limited to, laptop and notebook computers). This requirement does not apply to mainframe and server tapes.
5.11.6 Physical Security
Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. In light of this, where possible and appropriate, devices must be configured to lock and require a user to re-authenticate if left unattended for more than twenty (20) minutes.
5.11.7 Unnecessary Services
Any service that is not necessary for the intended purpose or operation of a device shall not be running. Each device's required set of listening services should be documented so that anything outside that set can be identified and disabled.
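The two requirements above (5.11.5, no plaintext authentication services, and 5.11.7, no unnecessary services) are both checked by looking at what a device actually listens on. The following is an added example written for this page, not USG or PeachNet tooling: a small audit that parses Linux `ss -tuln` output, flags listeners on the well-known ports of the services the standard names, and flags any other network-reachable listener that is not in a per-device allowlist. The `ss` output, the allowlist and the port-to-service table are constructed for the example; the replacement suggestions are the usual encrypted equivalents, not text from the standard.

```python
"""Audit a host's listening sockets against the plaintext-service and
unnecessary-service requirements. Hypothetical helper for illustration."""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Plaintext services named in the standard, keyed by (protocol, well-known
# port), with the encrypted replacement a practitioner would normally deploy.
PLAINTEXT_SERVICES = {
    ("tcp", 23): ("Telnet", "SSH (tcp/22)"),
    ("tcp", 21): ("FTP", "SFTP over SSH, or FTPS"),
    ("udp", 161): ("SNMP v1/v2c", "SNMPv3 with authPriv"),
    ("tcp", 110): ("POP3", "POP3S (tcp/995) or POP3 with STARTTLS"),
    ("tcp", 143): ("IMAP", "IMAPS (tcp/993) or IMAP with STARTTLS"),
}

# Listeners bound only to loopback are not reachable from the network.
LOOPBACK_ADDRS = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    local: str
    issue: str   # "plaintext" (5.11.5) or "unnecessary" (5.11.7)
    detail: str


def parse_ss(output: str) -> list[tuple[str, int, str]]:
    """Return (proto, port, local_address) for each listening socket in
    `ss -tuln` output. Header lines and non-socket lines are skipped."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        # ss reports bound UDP sockets as UNCONN, not LISTEN.
        if state not in ("LISTEN", "UNCONN"):
            continue
        # Split "0.0.0.0:23", "[::]:21" or "*:8080" at the last colon.
        addr, sep, port = local.rpartition(":")
        if not sep or not port.isdigit():
            continue
        sockets.append((proto, int(port), addr))
    return sockets


def audit(sockets: list[tuple[str, int, str]],
          allowed: set[tuple[str, int]]) -> list[Finding]:
    """Flag plaintext services regardless of the allowlist, then anything
    network-reachable that the device's documented service set omits."""
    findings = []
    for proto, port, addr in sockets:
        if addr in LOOPBACK_ADDRS:
            continue
        key = (proto, port)
        if key in PLAINTEXT_SERVICES:
            name, replacement = PLAINTEXT_SERVICES[key]
            findings.append(Finding(proto, port, addr, "plaintext",
                                    f"{name} listening; replace with {replacement}"))
        elif key not in allowed:
            findings.append(Finding(proto, port, addr, "unnecessary",
                                    "not in the device's documented service set"))
    return findings


def audit_ss_output(output: str, allowed: set[tuple[str, int]]) -> list[Finding]:
    return audit(parse_ss(output), allowed)


def audit_live_host(allowed: set[tuple[str, int]]) -> list[Finding]:
    """Run the audit against the local machine (Linux with iproute2)."""
    out = subprocess.run(["ss", "-tuln"], capture_output=True, text=True,
                         check=True).stdout
    return audit_ss_output(out, allowed)


# Constructed sample output in `ss -tuln` format (not from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      50     [::]:21             [::]:*
tcp   LISTEN 0      128    127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      128    *:8080              *:*
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*
"""

# Constructed allowlist for a device whose documented role needs SSH and NTP.
SAMPLE_ALLOWED = {("tcp", 22), ("udp", 123)}

if __name__ == "__main__":
    for f in audit_ss_output(SAMPLE_SS_OUTPUT, SAMPLE_ALLOWED):
        print(f"{f.issue:<12} {f.proto}/{f.port} on {f.local}: {f.detail}")
```

Against the sample, the Telnet, FTP and SNMP listeners are reported as plaintext findings, the unlisted tcp/8080 listener is reported as unnecessary, and the loopback-only SMTP listener is ignored because it is not reachable over the network. The audit only sees ports, so a plaintext protocol moved to a non-standard port, or an encrypted service wrongly configured on a standard plaintext port, still needs a protocol-level check.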