30(a) Security Policy: Summary of the security policy for the proposed registry

Prototypical answer:

gTLD: .FLIR | Full Legal Name: FLIR Systems, Inc. | E-mail suffix: flir.com

Applicant, FLIR, and its back-end operator, Neustar, recognize the vital need to secure the systems and the integrity of the data in commercial solutions. The FLIR registry solution will leverage industry-best security practices including the consideration of physical, network, server, and application elements. Neustar’s approach to information security starts with comprehensive information security policies. These are based on the industry best practices for security including SANS (SysAdmin, Audit, Network, Security) Institute, NIST (National Institute of Standards and Technology), and Center for Internet Security (CIS). Policies are reviewed annually by Neustar’s information security team.

The following is a summary of the security policies that will be used in the FLIR registry, including:
1. Summary of the security policies used in the registry operations
2. Description of independent security assessments
3. Description of security features that are appropriate for .FLIR
4. List of commitments made to registrants regarding security levels

All of the security policies and levels described in this section are appropriate for the .FLIR registry.

30.(a).1 Summary of Security Policies
Neustar, Inc. has developed a comprehensive Information Security Program in order to create effective administrative, technical, and physical safeguards for the protection of its information assets, and to comply with Neustar’s obligations under applicable law, regulations, and contracts. The Program defines:
* The policies for internal users and our clients to ensure the safe, organized and fair use of information resources.
* The rights that can be expected with that use.
* The standards that must be met to effectively comply with policy.
* The responsibilities of the owners, maintainers, and users of Neustar’s information resources.
* Rules and principles used at Neustar to approach information security issues.

The following policies are included in the Program:
1. Acceptable Use Policy - The Acceptable Use Policy provides the “rules of behavior” covering all Neustar Associates for using Neustar resources or accessing sensitive information.
2. Information Risk Management Policy - The Information Risk Management Policy describes the requirements for the on-going information security risk management program, including defining roles and responsibilities for conducting and evaluating risk assessments, assessments of technologies used to provide information security, and monitoring procedures used to measure policy compliance.
3. Data Protection Policy - The Data Protection Policy provides the requirements for creating, storing, transmitting, disclosing, and disposing of sensitive information, including data classification and labeling requirements and the requirements for data retention. Encryption and related technologies such as digital certificates are also covered under this policy.
4. Third Party Policy - The Third Party Policy provides the requirements for handling service provider contracts, including specifically the vetting process, required contract reviews, and on-going monitoring of service providers for policy compliance.
5. Security Awareness and Training Policy - The Security Awareness and Training Policy provides the requirements for managing the on-going awareness and training program at Neustar. This includes awareness and training activities provided to all Neustar Associates.
6. Incident Response Policy - The Incident Response Policy provides the requirements for reacting to reports of potential security policy violations. This policy defines the necessary steps for identifying and reporting security incidents, remediation of problems, and conducting “lessons learned” post-mortem reviews in order to provide feedback on the effectiveness of this Program. Additionally, this policy contains the requirement for reporting data security breaches to the appropriate authorities and to the public, as required by law, contractual requirements, or regulatory bodies.
7. Physical and Environmental Controls Policy - The Physical and Environment Controls Policy provides the requirements for securely storing sensitive information and the supporting information technology equipment and infrastructure. This policy includes details on the storage of paper records as well as access to computer systems and equipment locations by authorized personnel and visitors.
8. Privacy Policy - Neustar supports the right to privacy, including the rights of individuals to control the dissemination and use of personal data that describes them, their personal choices, or life experiences. Neustar supports domestic and international laws and regulations that seek to protect the privacy rights of such individuals.
9. Identity and Access Management Policy - The Identity and Access Management Policy covers user accounts (login ID naming convention, assignment, authoritative source) as well as ID lifecycle (request, approval, creation, use, suspension, deletion, review), including provisions for system⁄application accounts, shared⁄group accounts, guest⁄public accounts, temporary⁄emergency accounts, administrative access, and remote access. This policy also includes the user password policy requirements.
10. Network Security Policy - The Network Security Policy covers aspects of Neustar network infrastructure and the technical controls in place to prevent and detect security policy violations.
11. Platform Security Policy - The Platform Security Policy covers the requirements for configuration management of servers, shared systems, applications, databases, middleware, and desktops and laptops owned or operated by Neustar Associates.
12. Mobile Device Security Policy - The Mobile Device Policy covers the requirements specific to mobile devices with information storage or processing capabilities. This policy includes laptop standards, as well as requirements for PDAs, mobile phones, digital cameras and music players, and any other removable device capable of transmitting, processing or storing information.
13. Vulnerability and Threat Management Policy - The Vulnerability and Threat Management Policy provides the requirements for patch management, vulnerability scanning, penetration testing, threat management (modeling and monitoring) and the appropriate ties to the Risk Management Policy.
14. Monitoring and Audit Policy - The Monitoring and Audit Policy covers the details regarding which types of computer events to record, how to maintain the logs, and the roles and responsibilities for how to review, monitor, and respond to log information. This policy also includes the requirements for backup, archival, reporting, forensics use, and retention of audit logs.
15. Project and System Development and Maintenance Policy - The System Development and Maintenance Policy covers the minimum security requirements for all software, application, and system development performed by or on behalf of Neustar and the minimum security requirements for maintaining information systems.

30.(a).2 Independent Assessment Reports
Neustar IT Operations is subject to yearly Sarbanes-Oxley (SOX), Statement on Auditing Standards No. 70 (SAS 70) and ISO audits. Controls implemented by Neustar management in the areas of access to programs and data, change management and IT Operations are tested by both internal and external SOX and SAS 70 audit groups. Audit findings are communicated to process owners, the Quality Management Group and Executive Management. Actions are taken to make process adjustments where required, and remediation of issues is monitored by the internal audit and QM groups.
An external penetration test is conducted by a third party on a yearly basis. As authorized by Neustar, the third party performs an external penetration test to review potential security weaknesses of network devices and hosts and to demonstrate the impact to the environment. The assessment is conducted remotely from the Internet, with testing divided into four phases:
* A network survey is performed in order to gain a better knowledge of the network being tested
* Vulnerability scanning is initiated against all hosts discovered in the previous phase
* Identification of key systems for further exploitation is conducted
* Exploitation of the identified systems is attempted.
Each phase of the audit is supported by detailed documentation of audit procedures and results. Identified vulnerabilities are classified as high, medium or low risk to facilitate management’s prioritization of remediation efforts. Tactical and strategic recommendations are provided to management, supported by reference to industry best practices.

30.(a).3 Augmented Security Levels and Capabilities
There are no increased security levels specific to .FLIR. However, Neustar will provide the same high level of security provided across all of the registries it manages.
A key to Neustar’s operational success is Neustar’s highly structured operations practices. The standards and governance of these processes:
* Include annual independent review of information security practices
* Include annual external penetration tests by a third party
* Conform to the ISO 9001 standard (part of Neustar’s ISO-based Quality Management System)
* Are aligned to Information Technology Infrastructure Library (ITIL) and COBIT best practices
* Are aligned with all aspects of ISO/IEC 17799
* Are in compliance with Sarbanes-Oxley (SOX) requirements (audited annually)
* Are focused on continuous process improvement (metrics driven with product scorecards reviewed monthly).
A summary view to Neustar’s security policy in alignment with ISO 17799 can be found in section 30.(a).4 below.

30.(a).4 Commitments and Security Levels
The .FLIR registry commits to high security levels that are consistent with the needs of the TLD. These commitments include:
Compliance with High Security Standards
* Security procedures and practices that are in alignment with ISO 17799
* Annual SOC 2 Audits on all critical registry systems
* Annual Third-Party Penetration Tests
* Annual Sarbanes-Oxley Audits
Highly Developed and Documented Security Policies
* Compliance with all provisions described in section 30.(a).4 below and in the attached security policy document.
* Resources necessary for providing information security
* Fully documented security policies
* Annual security training for all operations personnel
High Levels of Registry Security
* Multiple redundant data centers
* High Availability Design
* Architecture that includes multiple layers of security
* Diversified firewall and networking hardware vendors
* Multi-factor authentication for accessing registry systems
* Physical security access controls
* A 24x7 manned Network Operations Center that monitors all systems and applications
* A 24x7 manned Security Operations Center that monitors and mitigates DDoS attacks
* DDoS mitigation using traffic scrubbing technologies

FLIR Front Office Critical Business Function Security Considerations

Policies, Procedures, and Awareness: The first defense of IT assets is policies, procedures, and other documentation that defines and describes practices in use for managing and protecting the company’s assets. Together, these documents describe in detail the meaning of acceptable use, as well as listing sample prohibited activities.

Physical Security
- All FLIR employees are required to wear a Picture ID badge at all times within FLIR facilities. If a picture badge is forgotten, a non-photo badge may be obtained from reception. An Easy Lobby visitor tracking badge, with the employee’s name printed on it, will also be given to the employee. Badges are to be worn in plain view by all FLIR employees so as to be easily seen by any approaching person and are required to access FLIR’s facilities.
- IT will provide a secure physical environment that protects company IT assets from unauthorized use, and from environmental hazards such as fire or water damage, power failure, or improper temperature or humidity.
- All key IT assets, including servers, routers, switches, and telephone systems, will be located in a secure data center, locked room or cabinet. Access to these areas will be limited to authorized personnel only.
- The data center will be protected by a fire suppression device.
- Emergency and conditioned power will be available for all key assets.
- Temperature and humidity will be controlled in the data center.
- Access to the data center will be monitored and controlled. During extended periods of vacancy the data center will be monitored by security personnel.

Perimeter Security
Perimeter security must protect the company network from all methods that may be used to access it from external sources. These methods include remote users, business partners, branch offices, home offices, wireless access points, and applications that access the internet automatically. To have effective perimeter security all these areas must be controlled.
- Firewalls will be established at all primary access points.
- Network address translation (NAT) will be used where full firewalls are not available.
- Virtual private networks (VPN) will be used for remote access by users and for site-to-site connections over the open internet.
- Authentication: All remote sessions will be authenticated by an approved method. All corporate network staff must be knowledgeable of all approved authentication methods.

Internal Network Security
The internal company network is made up of a series of hubs, routers, switches, wireless access points, cables, and telecommunication circuits, all configured in a local area network (LAN) and wide area network (WAN). Threats to the internal network include unauthorized access to devices and wiring closets, unauthorized access to wireless networks, traffic on unexpected communications ports, and access to network traffic. The company will minimize risk in these areas by implementing the following protection, controls and monitoring:
- Device password changes will be determined by Senior IT Management. In the event of employee turnover, all passwords known to the departing employee will be changed within 24 hours of termination. IT personnel knowledge of passwords will be determined by Senior IT Management. Passwords will be limited to individuals with a need to know in order to perform their job duties, or who provide backup to functions normally performed by others.
- Device firmware will be patched and updated. IT will be knowledgeable of firmware updates released for all critical installed devices. Upon release, IT will assess risk and benefits of installing individual updates.
- All wireless traffic will be encrypted.
- Wireless Access Point (WAP) SSIDs (network names) will not be broadcast on the wireless network.
- IT will review device event and security logs regularly for inappropriate access or errors.

Host Security
The host layer refers to access and configuration of clients and servers. Threats to the host layer include unsecured OS configurations, unmonitored access, weak passwords and unpatched systems. Such risks will be minimized in part by:
- Client host passwords will be changed regularly. For these systems, password changes will be initiated by group policy.
- Server host password changes will be determined by IT management. In the event of employee turnover, all passwords known to the departing employee will be changed within 24 hours of termination. Passwords will be limited to individuals with a need to know in order to perform their job duties, or who provide backup to functions normally performed by others.
- IT will identify and disable or delete services that are not required on both servers and workstations.
- Downloading Software: To minimize threats, downloaded software must be approved by IT.
- For critical systems and where economically practical, IT will implement systems with redundant hardware configurations to minimize single point of failure potential.
- IT will identify systems that require routine maintenance. Routine maintenance will occur each month in order to minimize system down time and employee inconvenience.
- Workstations will be locked during periods of inactivity. In the event a user fails to lock their workstation, it will be locked automatically.
- Network and desktop operating systems will be patched and updated regularly. IT will be knowledgeable of service packs and patches released for all supported operating systems. Upon release, IT will assess risk and benefits of installing individual updates. Installation decisions will be made and coordinated by IT Management.
- All hosts will be audited regularly to ensure they have been updated according to current standard configurations. Necessary remediation will be scheduled during monthly routine maintenance.
- Port blocking, or firewalling, may be utilized to control undesirable traffic on individual hosts.

Application Security
The application layer concerns security associated with specific software installed on company computers. Some software has internal security that must be implemented and maintained. Threats to application security include unauthorized access, insufficient controls, failure to implement privileges, not installing security updates and unauthorized replacement of application files. The company will minimize risk in these areas by implementing the following protection, controls and monitoring:
- When possible, functionality that is not intended to be used in the application will be disabled by the administrator.
- During implementation, applications will be configured to minimize potential security risks.
- Applications will be patched and updated regularly. Upon release, IT will assess risk and benefits of installing individual updates. Installation decisions will be made and coordinated by IT Management.

Data Security
The data layer includes documents, directory files, application data, and databases. Threats to data include unauthorized additions, changes, viewing or deletion of data, modifying or replacing files, or the potential to interrogate data files. The company will minimize risk in these areas by implementing the following protection, controls and monitoring:
- Passwords must meet established password guidelines. Complexity requirements and change policies will be determined and enforced by IT.
- Access to company data will be limited to individuals requiring it to perform their job function. Required data access will be determined by supervisors and data owners. The Controller will review access of individuals with the ability to impact financial results for appropriate checks and balances. IT will implement and maintain user access to data.
- IT personnel access to sensitive information will be determined by Senior IT management. Passwords will be limited to individuals with a need to know in order to perform their job duties, or who provide backup to functions normally performed by others.
- Virus protection will be installed on clients and servers connected to the company network. Clients and servers will utilize both recurring and real time virus scanning. All inbound and outbound email will be scanned before delivery.
- Risk will be considered when choosing locations to store data and applications. Data and other electronic assets will be stored on the company network or, for a primary portable computer, in the local My Documents folder, where it will be backed up and managed by IT.
- All data will be adequately protected and stored appropriately. Data stored on production servers will be backed up nightly. Backup media containing company data will be stored in fire safes or in off-site storage with appropriate environmental controls.

Similar gTLD applications: (0)
