Welcome to the Leader Technologies Security FAQ.

The following FAQ has been compiled to aid in analyzing service provider systems containing OEM data and service provider connections to OEM networks.  This is neither all-inclusive nor comprehensive, but provides stimulus for discussions and subsequent documents and agreements.

Security Policy & Organizational Security | Outsourcing / 3rd Parties | Personnel Security | Incident Response | Physical & Environmental Security | Communications & Operations Management | Access Control |Authorization | Authentication | Location | Data Integrity | Secure Web Services | Data Encryption | Vulnerability Testing | Business Continuity Management | Compliance / Accountability


Security Policy & Organizational Security
Q) Do you have published security policies and procedures?

Q) The following items are included in a security policy.  Does your security policy include policies on:

Q) Are you willing to share the security policies?

Q) Is there a process for reviewing, updating, and revising these policies?

Q) How often is it reviewed?

Q) Are employees and consultants required to read and acknowledge understanding of these policies?

Q) Do you have a documented and established change control program? 

Q) Are you willing to share it? Do you have an Acceptable Use of the Internet policy?

Q) Do you have a process for securing operating system platforms on which application components reside? Are you willing to share it?

Q) How often are vendor related security systems (operating system, database, web server, application, development tools, etc.) monitored for updates?

Q) Do you have a process for implementing patches that address security vulnerabilities or flaws?

Q) Do you receive security vulnerability advisories from organizations such as CERT?  If yes, what actions are taken on these advisories?

Q) Do you have separate physical/logical environments for development, testing and production?

Outsourcing / 3rd Parties
Q) Does any component of the service you are providing require you to outsource or subcontract?

Personnel Security

Q) Are all employees required to have security awareness training?

Q) Are personnel screened or are background checks performed?

Incident Response
Q) Is there a team in place to actively monitor and respond to unauthorized access, intrusion attacks, and virus attacks?

Q) Do you have a documented and established computer incident response program? 

Q) Is a log of security incidents maintained?

Q) Do you notify your customers of unauthorized access, intrusion attacks and virus attacks?  In what timeframe?

Q) Do you have a process for handling media inquiries regarding incidents?

Q) Do you involve law enforcement regarding security incidents?

Physical & Environmental Security
Q) Describe the physical security controls implemented for your data center.

Do the physical security controls implemented include:
Q) Restricted physical access to the data center?

Q) Logging physical access to the data center?

Q) Restricted access to consoles?

Q) Authorization of asset removal?

Q) Inventory of physical assets?

Q) Environmental requirements (Protection from geographic forces such as floods, earthquakes, fire, hurricanes, tornadoes, etc.)?

Q) Fire suppression methodologies to be used?  (e.g. sprinklers, halon, etc.)

Q) Backup power supplies to be used?  (e.g. generators, redundant power supplies, un-interruptible power supplies, etc.)

Q) Monitoring and analyzing error logs?

Q) Is any type of hardening process performed on computer systems?  Please describe (at a high level) this process.  Is this different for internal use only systems?

Q) Other than principals of the service provider, who else will have physical access to the data center?

Q) Are audits of the physical security conducted on a regular basis? Would you be willing to share a summary of the audit results?

Communications & Operations Management
Q) Are the devices (servers, routers and firewalls) hosting Eastman OEM Company data dedicated to OEM?

Q) If the devices host other customers’ data, are protections in place to ensure that other customers can’t access OEM data?

Q) Will batch file transfers be secured?

Q) Are these transfers always initiated by the OEM application?

Q) Does the network have a persistent connection to the Internet?  Please describe.

Q) Who manages this Firewall?  (i.e. ISP, in-house employee or consultant, outside consultant, managed service provider, etc.)

Q) When was the last 3rd party review of your firewall configuration?

Q) Is a network based intrusion detection system used?

Q) Are host-based intrusion detection systems used?

Q) Are file integrity management tools used? 

Q) Is virus protection software installed, active, and kept up to date?  What is the frequency of the up dates?

Q) Is a special plug-in or other downloaded executable content required to use this system or service?  Please describe.

Access Control
Q) What action is taken when an account is locked or expired?

Q) Is the password file(s) stored encrypted and protected?

Q) Are accounts for terminated employees promptly removed from access control lists?

Q) How will you prevent access by unauthorized users?

Q) Is access to files, data, and programs granted on a need-to-know basis?

Q) Is OEM data protected from staff and contractors who don’t have a need-to-know?

Q) Will OEM’s data be segregated on servers, in databases and on back-up media to prevent it from becoming part of legal discovery impacting another of your customers?

Authorization
Q) How will an OEM user receive their user ID and password?

Q) When a user ID and password are transmitted to OEM users, will they be encrypted?  What encryption will be used?  How?

Q) Will OEM be responsible for authorization of users?

Authentication
Q) How are users identified and authenticated? To what operating system, application, database, etc. does the user authenticate?

Q) Where and in what format is the user account database stored?

Q) Is the account locked out after a specified number of attempts and is a report generated from this event?

Q) Is there a provision to create unique user IDs and password verification to establish individual accountability?

Q) Are all Guest Accounts controlled so that individual accountability is not compromised? (i.e. usage is logged and reported)?

Q) Are passwords one-way encrypted during transmission?

Q) Are strong passwords enforced? (Alphanumeric + special characters, no dictionary words)?

Q) Is a password length of at least 5 enforced?

Q) Is the user password automatically expired after 90 days or less and a privileged password expired after 30 days or less?

Q) Is a password history list enforced? (Password cannot be reused within 2 years)?

Q) Are sessions automatically expired and terminated after being inactive for 30 minutes or less?

Q) What are the authentication procedures for resetting passwords?

Q) Are inactive user accounts purged after no more than 6 months of inactivity?

Q) Is 2-factor authentication (something you have plus something you know) incorporated as part of the base charge?

Location
Q) In what country and location(s) will the system and OEM data be installed?

Data Integrity
Q) Who is responsible for data integrity?

Q) Who is responsible for operational integrity?

Q) Are data, files, and programs protected from unauthorized access and/or alteration, theft, or destruction?

Q) Are database and/or host-based intrusion detection systems used?  Please describe.

Q) Are file integrity management tools used?  Please describe.

Secure Web Services
Q) If a secure web site is used: Which web server software and version is used?

Q) Is SSL Ver. 2.0 used?

Q) Is SSL Ver. 3.0 used?

Q) Is the site available through a non-SSL address?

Q) Is Active-X to be used?

Q) Are Java and/or JavaScript to be used?

Q) What CGI languages will be used?

Q) Are CGI programs assessed for vulnerabilities and exposures?

Data Encryption
Q) Are data, files, and programs, which are identified as sensitive by Eastman OEM Company stored in an encrypted format?

Q) Describe the data encryption methodology to be used for both data in transit and in storage (include servers, platforms, and databases).

Q) Are digital signatures used to protect the authenticity of electronic information?

Q) What certificate authority is used?  (Internal, external)

Q) Who manages the encryption keys?

Vulnerability Testing
Q) Have you undergone a penetration or vulnerability assessment of your environment performed by a recognized third party?

Q) If so, are you willing to share the results?

Q) How were the vulnerabilities addressed?  (What corrective action was taken?)

Q) What is the frequency of your vulnerability testing?

Q) Is a tool for vulnerability testing used?  Please describe.

Q) Do you allow your customers to conduct vulnerability assessments?

Q) Do you require advance notice of audits?

Business Continuity Management
Q) What are the procedures for backup and data recovery?

Compliance / Accountability
Q) Please describe your processes for reporting & logging (with emphasis on successful & unsuccessful attempts, access to sensitive files & programs, & privileged user actions).

Q) How are SW license agreements enforced?

Security Policy & Organizational Security
Q) Do you have published security policies and procedures?
Leader has an internally published security policy that must be read by each employee working on a vendor account; each such employee must acknowledge in writing having read and understood the policy.

Q) The following items are included in a security policy. Does your security policy include policies on:
Q) Are you willing to share the security policies?
We encourage potential clients and especially the Security Officer of potential clients to visit our Data Collection and Warehouse facility in Albuquerque, New Mexico to receive a walk-through of our processes and to view first hand our facilities, our security measures and to meet Leader's Security Officer.

Q) Is there a process for reviewing, updating, and revising these policies?
Security measures and practices are reviewed on a monthly basis by the Security Officer and those employees that are involved in the data collection and data warehousing functions of the company. Should it be determined that new practices, software or hardware are needed to maintain our standard level of security, a plan is developed and a schedule created to implement these enhancements.

Q) How often is it reviewed?
Monthly.

Q) Are employees and consultants required to read and acknowledge understanding of these policies?
Yes, any new employees are required to read our standard security policies and acknowledge their having done so and understanding of said policy.

Q) Do you have a documented and established change control program?
Version control software is used for all application programs with mandatory commenting. Test servers are used to review all changed web sites and servers before being moved to live servers.

Q) Are you willing to share it? Do you have an Acceptable Use of the Internet policy?
Yes and Yes.

Q) Do you have a process for securing operating system platforms on which application components reside? Are you willing to share it?
Standard methods are used for securing application components: Firewalls, File Protection, Read-Only mounts, limited user access. Yes, we are willing to share it.

Q) How often are vendor related security systems (operating system, database, web server, application, development tools, etc.) monitored for updates?
All security systems are monitored daily. Any hint of a problem, noticed by anyone, is reported by email to the Security Officer. Leader Technologies takes a "better to be overly cautious" attitude with respect to security. If there is any indication that there is something suspicious, this is discussed with the heads of production and development. A plan of action is implemented if it is determined to be necessary to resolve the situation.

Q) Do you have a process for implementing patches that address security vulnerabilities or flaws?
All patches are applied as they are made available, first on a test server to ensure their effectiveness and reliability. Once they are determined to be stable they are "hot-applied" to running servers.

Q) Do you receive security vulnerability advisories from organizations such as CERT? If yes, what actions are taken on these advisories?
Leader Technologies is automatically notified of security concerns through a variety of mechanisms. Important security updates are assessed immediately, placed on test servers to ensure compatibility, and then moved onto production servers.

Q) Do you have separate physical/logical environments for development, testing and production?
All web registration data collection systems are first uploaded and tested on a dedicated Test Server before the site is moved into live production. All registration applications are clearly labeled with a PRELIMINARY graphic to prevent a manufacturer customer such as OEM from putting into production a non-tested application. A fully documented review and test of each application is performed before the application is delivered as FINAL, and written acceptance of the application is required before the FINAL application can be delivered to the customer.

Outsourcing / 3rd Parties
Q) Does any component of the service you are providing require you to outsource or subcontract?
Leader Technologies does all web and application development and provides our customers with a finished product. No development work is outsourced. All software development and maintenance, database development and maintenance and all hardware installation and monitoring is done internally. The only services not performed internally by Leader Technologies are services provided by alarm companies, by internet service providers and by the local phone company. However, all the components of the service we are providing to OEM are developed and maintained in house.

Incident Response
Q) Is there a team in place to actively monitor and respond to unauthorized access, intrusion attacks, and virus attacks?
We monitor systems daily for intrusion attempts. All web sites are behind firewall-protected servers and access to the various sites is controlled internally as well.  Firewalls are in place both at the router level and at the server level to allow access to only the specific ports that any particular server needs open to provide its specific function.  Machines that provide web serving do not provide FTP transfer capabilities to outside systems.  All known security patches are installed as they are made available.  Logs are kept to check against unauthorized changes to system-critical files that might indicate someone attempting to access or tamper with a system in an unauthorized manner, and these files are updated and reviewed daily.

Q) Do you have a documented and established computer incident response program? 
No.

Q) Is a log of security incidents maintained? 
Logs are kept to check against unauthorized changes to system-critical files that might indicate someone attempting to access or tamper with a system in an unauthorized manner, and these files are updated and reviewed daily.

Q) Do you notify your customers of unauthorized access, intrusion attacks and virus attacks?  In what timeframe? 
Any hint of a problem, noticed by anyone, is reported by email to the Security Officer.  Leader Technologies takes a “better to be overly cautious” attitude with respect to security.  If there is any indication that there is something suspicious, this is discussed with the heads of production and development. If required, a plan of action is implemented to resolve the situation, and the client customer is notified of the specific incident and the steps required to fix the problem and to prevent the event from occurring in the future.

Q) Do you have a process for handling media inquiries regarding incidents?
No.

Q) Do you involve law enforcement regarding security incidents?
Should there be a physical break-in to our facilities, the Albuquerque Police Department is notified. Should misconduct regarding security issues be suspected of one of our employees, we would perform an internal review of the situation before bringing in any law enforcement agencies. After the internal review of the incident, should it be determined that criminal activity occurred, we would report the incident to the Albuquerque Police Department.

Physical & Environmental Security
Q) Describe the physical security controls implemented for your data center.
Leader Technologies has multiply redundant T1 lines providing services for incoming data from 3 different service providers, with two different blocks of IP addresses being represented at Leader Technologies.  Any line or two lines can fail with registration service continuing.  Redundant routers and name servers are provided to ensure name resolution and packet delivery.  A hot copy of all web sites is maintained on a network server.  Web and database servers have redundant hot-swap power supplies, uninterruptible power supplies, dual NIC interfaces, and hot-swap RAID 5 volumes.

Q) Restricted physical access to the data center?
Yes, physical access to the data center is restricted.

Q) Logging physical access to the data center?
Yes, physical access to the data center is monitored by security cameras.

Q) Restricted access to consoles?
Consoles in the data center are password protected and administrative passwords are very rigorously controlled.  Only 2 people within the organization have access to critical passwords. Consoles are secured physically as well.

Q) Authorization of asset removal?
Yes.

Q) Inventory of physical assets?
Yes.

Q) Environmental requirements (Protection from geographic forces such as floods, earthquakes, fire, hurricanes, tornadoes, etc.)?
Only that which is normally present due to a brick building.

Q) Fire suppression methodologies to be used?  (e.g. sprinklers, halon, etc.)
No.

Q) Backup power supplies to be used?  (e.g. generators, redundant power supplies, un-interruptible power supplies, etc.)
Yes. Uninterruptible power supplies are provided on all systems. Critical systems have dual power supplies and independent power sources.  Automatic IP-accessible power switches are in use as well to cut off power to cluster members if their status appears to be unreliable.

Q) Monitoring and analyzing error logs?
Yes.

Q) Is any type of hardening process performed on computer systems?  Please describe (at a high level) this process.  Is this different for internal use only systems?
The only hardening process is as described previously with respect to firewalls, logs etc. Specific software modules are in place to monitor and deter intrusion. These work by IP address and limit response times and service availability to sources that repeatedly appear to be unsuccessfully attempting to access systems.

Q) Other than principals of the service provider, who else will have physical access to the data center?
No one.

Q) Are audits of the physical security conducted on a regular basis?  Would you be willing to share a summary of the audit results?
Physical security audits are performed on a weekly basis. Yes.

Communications & Operations Management
Q) Are the devices (servers, routers and firewalls) hosting Eastman OEM Company data dedicated to OEM?
No. Devices used to host OEM data are not dedicated to OEM. However, extensive measures are taken to ensure the collection and management of the customer data. All vendor data is kept in separate databases and is never mixed.  There are automated processes that ensure the validity and integrity of each record entering a database.  User-provided information is never modified in these records.  They are basically stored as acquired.  There are many automated checks in place to ensure that data from one customer cannot be intermixed with data from another vendor.

Q) If the devices host other customers’ data, are protections in place to ensure that other customers can’t access OEM data?
Yes. Access to data is password protected.  External customer passwords are all unique and unrelated and are only provided on an as needed basis for each area of information they want to secure or access.  Customers are cautioned against providing these passwords indiscriminately within their organization.

Q) Will batch file transfers be secured?
Yes. Any file transfers can be secured through any required encryption or secure methods such as https access, or by setting up password accessible FTP sites.

Q) Are these transfers always initiated by the OEM application?
No. Any method of data transfer can be set up to match the vendor’s requirements. These range from automatic delivery of data through the OEM application, to instant file transfer after the data has been collected, to a mutually agreed upon delivery schedule for the data.

Q) Does the network have a persistent connection to the Internet?  Please describe.
Yes. 3 different service providers are used to provide continuous Internet access.

Q) Who manages this Firewall?  (i.e. ISP, in-house employee or consultant, outside consultant, managed service provider, etc.)
The Security Officer and in some cases, specific high level engineers are responsible for monitoring and maintaining any firewalls.

Q) When was the last 3rd party review of your firewall configuration?
The last 3rd party review of our firewall configuration was on October 7th, 2005.

Q) Is a network based intrusion detection system used?
To a limited extent using standard Cisco router technologies.

Q) Are host-based intrusion detection systems used?
Specific software modules are in place to monitor and deter intrusion. These work by IP address and limit response times and service availability to sources that repeatedly appear to be unsuccessfully attempting to access systems.

Q) Are file integrity management tools used? 
Standard Unix/Linux integrity checking and file management tools are used.

Q) Is virus protection software installed, active, and kept up to date?  What is the frequency of the updates?
Virus protection software is installed on all machines and kept up to date with the most recent patches and upgrades available.  Desktop systems are also protected by anti-virus software.

Q) Is a special plug-in or other downloaded executable content required to use this system or service?  Please describe.
No.

Access Control
Q) What action is taken when an account is locked or expired?
The account is disabled and file ownership changed to isolate it from the original owner.  If it contains non-critical information, it is archived and removed.

Q) Is the password file(s) stored encrypted and protected?
The password file is protected and encrypted. Administrative passwords are very rigorously controlled.  Only 2 people within the organization have access to critical passwords.  External customer passwords are all unique and unrelated and are only provided on an as needed basis for each area of information they want to secure or access.  Customers are cautioned against providing these passwords indiscriminately within their organization.

Q) Are accounts for terminated employees promptly removed from access control lists?
Yes. Within 2 hours of an employee leaving the company by any means, voluntarily or through termination, their access to secure areas is prevented and passwords are disabled or new passwords are provided where applicable.

Q) How will you prevent access by unauthorized users? 
As stated at other places in this FAQ document, there are various levels of protection, including but not limited to:
Physical protection.
Certificate protection.
128-bit key encryption.
User/password protection.
Firewall and port protection.

Q) Is access to files, data, and programs granted on a need-to-know basis?
Different files, data and programs are given different levels of access. Only 2 people within the organization have access to critical passwords.  External customer passwords are all unique and unrelated and are only provided on an as needed basis for each area of information they want to secure or access.  Customers are cautioned against providing these passwords indiscriminately within their organization.

Q) Is OEM data protected from staff and contractors who don’t have a need-to-know?
Leader does not use contractors and as such, contractors never have access to OEM’s data. Only those persons within Leader Technologies that need to know will have access to specific records within the overall OEM data. However, most of Leader’s internal personnel will have access to composite data such as nightly reports of the data collected.

Q) Will OEM’s data be segregated on servers, in databases and on back-up media to prevent it from becoming part of legal discovery impacting another of your customers?
Data is segregated into separate files and databases.  It is separated as soon as it is received and then kept separate from that point on.  All records for a single product exist in a single, separate database. Backups for all products from all manufacturers are aggregated onto single backup sets.  If it is desired that this data be kept physically separated from any other data, it can be put onto its own physical media for backup purposes.  There would be an additional nominal charge for this.

Authorization
Q) How will an OEM user receive their user ID and password?
User ID and password are generally provided through email. However, the information in these emails can be encrypted if required.

Q) When a user ID and password are transmitted to OEM users, will they be encrypted?  What encryption will be used?  How?
If required, emails that contain passwords can be sent in different manners providing different levels of security.  It can be as simple as two separate emails containing the username and password respectively, or sent as an attachment using public/private key encryption, or encrypted files with an existing known password.

Q) Will OEM be responsible for authorization of users?
There would be no other method for OEM to authorize users.

Authentication
Q) How are users identified and authenticated? To what operating system, application, database, etc. does the user authenticate?
There are various access points for users to identify themselves.  Some, such as generic reports, are as simple as https with .htaccess files granting access through a username/password scheme. Others require a login to a first line of defense, such as shown above, and then another unique login to gain access to more sensitive data, such as browsing customer records collected on behalf of OEM. Access can also be limited by IP addresses or subnets, as well as by requiring SSL certificates to exist and be in use.

Q) Where and in what format is the user account database stored?
The user account database for SQL and some web reporting tools access is one-way encrypted in SQL tables. Other user account information is stored one-way encrypted in text files, as is standard on Unix systems.

Q) Is the account locked out after a specified number of attempts and is a report generated from this event?
Reports are generated after a certain number (depending on the attempted service) of attempts and deterrents such as time lags or complete lockouts are enacted as well.

Q) Is there a provision to create unique user IDs and password verification to establish individual accountability?
Yes, these are generated by hand or randomly on an as-needed basis.  Access logs are kept for virtually all access and activity.

Q) Are all Guest Accounts controlled so that individual accountability is not compromised? (i.e. usage is logged and reported)
Access logs are kept for virtually all access and activity on a user by user basis.

Q) Are passwords one-way encrypted during transmission?
Many times yes, depending on the service being used. It is possible for a password to be sent plain or encrypted in a textual format and be compared to the exact same representation in a non-critical environment.

Q) Are strong passwords enforced? (Alphanumeric + special characters, no dictionary words)
Yes, typically all automatically generated passwords are created as described.  Even if a password is hand selected, it is somewhat mangled so that it is not readily discernible.

Q) Is a password length of at least 5 enforced?
Yes.

Q) Is the user password automatically expired after 90 days or less and a privileged password expired after 30 days or less?
No.  However some passwords may be set up that are single use or set to expire if they serve no ongoing purpose, i.e. a one time secure file download.

Q) Is a password history list enforced? (Password cannot be reused within 2 years)?
No.

Q) Are sessions automatically expired and terminated after being inactive for 30 minutes or less?
On certain services, there are timeouts.  Not all services require this.

Q) What are the authentication procedures for resetting passwords?
We know all of our account holders personally and ensure that we can validate their identity before resetting passwords.  The users themselves cannot change a password.

Q) Are inactive user accounts purged after no more than 6 months of inactivity?
No. Outside users do not have actual accounts.  They can receive emails through an account alias.  Other features of a typical account, such as a shell will not exist for an outside account.  User accounts only exist for the purpose of viewing or querying results.

Q) Is 2-factor authentication (something you have plus something you know) incorporated as part of the base charge?
No.

Location
Q) In what country and location(s) will the system and OEM data be installed?
Albuquerque, New Mexico, USA.

Data Integrity
Q) Who is responsible for data integrity?
The Vice President of Engineering is responsible for operational integrity.

Q) Who is responsible for operational integrity?
The Vice President of Engineering is responsible for operational integrity.

Q) Are data, files, and programs protected from unauthorized access and/or alteration, theft, or destruction?
Data files are access protected by passwords.  Every user account is given the minimal set of privileges needed to perform their required functions. These are broken down to overall file manipulation, read only, update, delete, alter etc.

Q) Are database and/or host-based intrusion detection systems used?  Please describe.
All unsuccessful access attempts across all services are logged, summarized and reviewed daily.

Q) Are file integrity management tools used?  Please describe.
Standard Unix/Linux integrity checking and file management tools are used.

Secure Web Services
Q) If a secure web site is used: Which web server software and version is used?
Apache 2.0.46

Q) Is SSL Ver. 2.0 used?
Yes

Q) Is SSL Ver. 3.0 used?
Yes

Q) Is the site available through a non-SSL address?
Yes. For viewing static non-data pages.

Q) Is Active-X to be used?
Not by default. Some of our customers have requested special features which require Active-X, but these are implemented on a case-by-case basis and are not the default.

Q) Are Java and/or JavaScript to be used?
Yes.

Q) What CGI languages will be used?
Perl, Java, Bash.

Q) Are CGI programs assessed for vulnerabilities and exposures?
Yes.

Data Encryption
Q) Are data, files, and programs, which are identified as sensitive by Eastman OEM Company stored in an encrypted format?
They can be upon request.

Q) Describe the data encryption methodology to be used for both data in transit and in storage (include servers, platforms, and databases). 
SSL is used for transmission of web based data. DES is used when required to encrypt data files for storage, archiving or transmission. 56 bit keys are used.  Other encryption technologies can be used on request.

Q) Are digital signatures used to protect the authenticity of electronic information?
No.

Q) What certificate authority is used?  (Internal, external)
Leader Technologies uses Thawte and Verisign for certificates.

Q) Who manages the encryption keys?
Security Officers.

Vulnerability Testing
Q) Have you undergone a penetration or vulnerability assessment of your environment performed by a recognized third party? 
No. Outside companies have performed penetration and security assessments of Leader Technologies facilities, but these have been done with standard tools and the companies' own security audit departments.

Q) If so, are you willing to share the results? 
Yes.

Q) How were the vulnerabilities addressed?  (What corrective action was taken?) 
Tightening of a few non-critical ports was the only modification required.

Q) What is the frequency of your vulnerability testing? 
No set schedule.

Q) Is a tool for vulnerability testing used?  Please describe. 
Yes. Nessus and various other Unix/Linux based tools.

Q) Do you allow your customers to conduct vulnerability assessments?
Yes.

Q) Do you require advance notice of audits? 
Yes. Leader Technologies would prefer to know testing schedules in order to monitor activity more closely.

Business Continuity Management
Q) What are the procedures for backup and data recovery?
Backups are automatically performed nightly with about a 4 week rotation.  Full backups are performed weekly and moved to a secure offsite location in a sealed container.

Compliance / Accountability
Q) Please describe your processes for reporting & logging (with emphasis on successful & unsuccessful attempts, access to sensitive files & programs, & privileged user actions).
All unsuccessful attempts of all services are logged.  These are summarized and reviewed daily. Many services will deny repeated attempts from the same IP address within a designated time period.
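As an added illustration of the review process described here and in the host-based intrusion deterrence answers above (this is example code, not Leader Technologies' own tooling), the script below summarizes failed attempts per service and source address for a daily review and flags sources that reach a per-service failure count inside a sliding time window. The log format, the sample lines, the thresholds and the window length are all constructed assumptions.

```python
"""Daily failed-attempt summary with repeat-source detection.

Added example, not Leader Technologies' tooling. The log format is an
assumption for illustration: "<ISO timestamp> <service> <client ip> <result>",
one attempt per line, lines in chronological order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = """\
2005-11-14T02:00:01 https 192.0.2.10 fail
2005-11-14T02:00:05 https 192.0.2.10 fail
2005-11-14T02:00:09 https 192.0.2.10 fail
2005-11-14T02:00:12 https 192.0.2.10 fail
2005-11-14T02:00:20 https 192.0.2.10 fail
2005-11-14T02:01:00 https 198.51.100.7 ok
2005-11-14T03:15:00 ftp 203.0.113.5 fail
2005-11-14T09:15:00 ftp 203.0.113.5 fail
2005-11-14T10:40:00 ssh 198.51.100.7 fail
2005-11-14T10:40:30 ssh 198.51.100.7 ok
"""

# Per-service failure count that triggers a deny within WINDOW.
# Illustrative assumptions, not the vendor's actual settings.
THRESHOLDS = {"https": 5, "ftp": 3, "ssh": 3}
DEFAULT_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one log line into (timestamp, service, ip, result)."""
    ts, service, ip, result = line.split()
    return datetime.fromisoformat(ts), service, ip, result


def iter_failures(log_text):
    """Yield (timestamp, service, ip) for every failed attempt in the log."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, service, ip, result = parse_line(line)
        if result == "fail":
            yield ts, service, ip


def summarize_failures(log_text):
    """Daily summary: {(service, ip): failure_count}, including slow,
    spread-out attempts that never trip the time-window deny rule."""
    counts = defaultdict(int)
    for _ts, service, ip in iter_failures(log_text):
        counts[(service, ip)] += 1
    return dict(counts)


def repeat_offenders(log_text, thresholds=THRESHOLDS, window=WINDOW):
    """Return {(service, ip): time_of_first_trigger} for sources whose failures
    within one sliding window reached the service's threshold. A deny or
    time-lag deterrent would be applied at that moment."""
    recent = defaultdict(deque)   # (service, ip) -> timestamps of recent failures
    triggered = {}
    for ts, service, ip in iter_failures(log_text):
        key = (service, ip)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if key not in triggered and len(q) >= thresholds.get(service, DEFAULT_THRESHOLD):
            triggered[key] = ts
    return triggered


if __name__ == "__main__":
    for (service, ip), n in sorted(summarize_failures(SAMPLE_LOG).items()):
        print(f"{service:6} {ip:15} failures={n}")
    for (service, ip), when in repeat_offenders(SAMPLE_LOG).items():
        print(f"deny {ip} on {service} from {when.isoformat()}")
```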

Q) How are SW license agreements enforced?
All internal systems use fully licensed and registered versions of applicable software.
