World Agroforestry Centre Policy Series MG/C/8/2009
ILRI Policy Series

Internet Security Policy

One of the policies on information security and business continuity which will be audited by the CGIAR Internal Audit Unit for all Centres, given (a) their network inter-linkage through Active Directory and (b) the reliance of many Centres on one another for information backup and for recovery of hosted outreach sites.

Document Revision History

Version  Date        Author(s)  Revision Notes
1.0      29/10/2009  Ian Moore  Final draft circulated to staff
1.1      04/12/2009  Ian Moore  Revised following SLT guidance

Document Control

The ICT Manager of the common services unit providing ICT services to the World Agroforestry Centre and ILRI will maintain control of this document, which will be reviewed every two years in conjunction with the ICT Steering Group. Proposed updates will be presented to the Centres’ senior management for adoption according to their organizational arrangements for approval of ICT policies. Upon acceptance by the Centres, the update will come into force.

Information Security – Internet Security Policy 1

Any discretionary controls added by a Centre may be reviewed annually; however, updates may occur more frequently if deemed necessary.

Purpose

The purpose of this policy is to establish security measures that provide a sufficient level of protection against the security risks presented by Internet use within the Centre. The Internet provides access to an array of information, resources and services that offer opportunities and benefits which aid and support the work of the Centre. However, if Internet use within the Centre is not securely managed, it can expose the Centre to risks at both a technical level (potential damage to ICT infrastructure) and an operational level (misuse of Internet resources leading to possible reputational damage to the Centre and a loss of productivity).
Scope

This document covers the responsibilities of ICT Administrators, other technical staff and general users with regard to Internet security controls, but it does not cover the matter exclusively. Other Centre policies, best practice guidelines, standards and procedures may also define additional responsibilities, especially in regard to network and server security. Use of the Internet, and privacy issues concerning the monitoring and archiving of email, are covered by the ICT Privacy and Acceptable Use Policy.

This policy applies to all permanent and temporary staff within the Centre, as well as contractors and visitors who work at and/or visit the Centre and who have a stake in any changes occurring in the Centre’s ICT Service environment. Implementing this policy is an important component of ensuring that potential threats to the overall ICT security position of the Centre are managed effectively. This is particularly the case given the shared CGIAR electronic network, which has created inter-dependency among Centres with respect to network security.

1. Administration of Internet Access

1.1. Only authenticated users should have access to the Internet from the internal networks. Access by visitors to the Internet is covered in the Network Infrastructure Security Policy.

1.2. All outbound Internet traffic from the Centre’s network zone should pass through a web filtering gateway. Access to sites categorised as potentially harmful to the Centre will be blocked. More details are provided in the ICT Privacy and Acceptable Use Policy.

1.3. All Internet traffic (inbound and outbound) should pass through an anti-virus gateway. At a minimum, up-to-date anti-virus and anti-malware software should be installed and running on every Centre workstation with Internet connectivity. The gateway complements rather than replaces workstation protection, since traffic the gateway cannot inspect (for example, encrypted sessions) still reaches the workstation.

1.4. All firewalls located in the Centre should be configured in accordance with the configuration guidelines and policy recommendations provided in the Network Infrastructure Security Policy.
In addition, the following guidelines apply specifically to Internet-facing firewalls:

• All changes to the firewall configuration and installation should be logged at all times.
• An explicit "deny all" rule should be implemented as the last rule in the filtering configuration of Internet-facing firewalls, so that rejected connection attempts against any relevant Internet service are logged. A chain’s default deny policy on its own discards unmatched packets silently; the explicit final rule, preceded by a logging rule or with logging enabled on it, is what produces the audit record.
• Backup firewall configuration files stored offline should be viewable only by designated ICT staff.
• Internet-facing firewalls should use Network Address Translation (NAT) where possible when forwarding to internal network devices.

2. External Connections

2.1. Workstations connected to the internal network should not establish a separate direct connection (for example, through a modem, wireless connection or similar) to other external networks (including the Internet), as per the Network Infrastructure Security Policy and the Workstation Security Policy. Such a connection bridges the external network into the internal one and bypasses the gateways and firewalls described above.

2.2. Access to internal networks from the Internet (for example, via VPN) should only be allowed for users who have been approved for such access by the Centre’s ICT Manager.

2.3. It is highly recommended that workstations connected to the internal networks via a VPN connection do not access the Internet at the same time except through the VPN connection (that is, split tunnelling should be disabled), so that all of the workstation’s traffic remains subject to the Centre’s gateway controls while it is connected.

2.4. External connections should not be established that allow unauthorised parties to gain access to the internal networks of the Centres. More detail is provided in the Network Infrastructure Security Policy.

3. Internet Services

3.1. Internet services pass through a web filtering gateway and firewall. Use of Internet services categorised as potentially harmful to the Centre will be blocked. More details are provided in the ICT Privacy and Acceptable Use Policy.

3.2. FTP servers hosted by the Centre that accept connections from the Internet should be located in a DMZ.
These FTP services may accept anonymous connections, but in these circumstances only read-only access to the server should be permitted, and the content on the server should be restricted to non-confidential information.

3.3. A log should be created that records all requests (both inbound and outbound) for Internet services, including FTP and SSH. The generated audit logs should be reviewed monthly by the designated ICT staff of the Centre.

4. Related Documentation

4.1. Network Infrastructure Security Policy
4.2. ICT Privacy and Acceptable Use Policy
4.3. Workstation Security Policy
4.4. ICT Change Management Policy

5. Compliance and Waivers

5.1. Compliance with this policy by users, network administrators and others responsible for implementation of the policy is mandatory. Procedures are in place to monitor compliance with this policy.

5.2. Violations of this policy may result in disciplinary action in accordance with the human resources policies of the Centre.

5.3. Requests for waivers of this policy shall be formally submitted to the Senior Manager. The request shall set out the justification, the duration of the proposed waiver and how the increased risk arising from the waiver will be managed. Requests will be approved by the Senior Manager of the person making the request, in consultation with the ICT Manager, and will be documented in the form of a management letter.

5.4. Approved waivers shall be monitored to ensure that the conditions of the waivers are being observed.

Definitions

• Authentication: The process of verifying the identity of an individual, usually based on a username and password. Authentication is distinct from authorisation, which is the process of granting individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access privileges of the individual.
Three types of factor can be used to provide authentication: a) something you know (e.g. a password), b) something you have (e.g. a certificate or token card), and c) something you are (e.g. a fingerprint or retinal pattern). Using two different types of factor together is known as two-factor authentication; two factors of the same type (for example, two passwords) do not qualify.

• Demilitarized Zone (DMZ): A separate part of the Centre’s network that is shielded and "cut off" from the main LAN and its systems. Systems that must accept connections from the Internet are placed in the DMZ so that external parties never connect directly to internal systems; traffic from the DMZ into the LAN is restricted to the minimum needed, so a compromised DMZ host does not by itself give access to internal systems.

• Email: The electronic transmission of information through a mail protocol such as Simple Mail Transfer Protocol (SMTP).

• Encryption: The process by which data is transformed into an unreadable or unintelligible form for confidentiality during transmission, storage or other security purposes.

• File Transfer Protocol (FTP): A standard Internet protocol used to exchange files between computers over TCP/IP. FTP is commonly used to download programs and other files from servers. FTP sends usernames, passwords and file contents in clear text, so it should not carry confidential material or privileged credentials across the Internet (see 3.2).

• Firewall: Security device (hardware or software based) used to restrict access in communication networks. It controls communication between networks, or between networks and applications, and only allows access to services that are expressly permitted. Firewalls also log the connection attempts they allow or reject, and these logs may be used in investigations.

• Network Address Translation (NAT): A feature typically employed by firewalls/routers that sit between external and internal networks. NAT allows multiple IP addresses to be allocated to machines on internal networks without the existence of those machines being revealed on the external network. Instead, only a single or small number of IP addresses are advertised to the external network, and the router/firewall maps these to the machines on the internal network.
• Senior Manager: The person on the Centre’s management committee (MC/SLT) who has responsibility for the person making the request.

• Secure Shell (SSH): A network protocol that allows data to be exchanged in a secure manner between two network devices over an encrypted, authenticated channel. It is commonly used for remote administration and for file transfer (SFTP/SCP).

• Virtual Private Network (VPN): A virtual network created on top of a physical network that often includes the Internet. The VPN creates a secure tunnel from one computer to a network, or between one network and another, which enables data to be transferred and tasks to be accomplished between the two locations in a secure manner.
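Annex: Firewall configuration audit (added example)

The script below is an added worked example and is not part of the policy or any Centre’s own tooling. It audits an iptables-save export, such as one of the offline configuration backups that section 1.4 requires, against three of that section’s guidelines: the last rule of each Internet-facing chain is an explicit, unconditional deny; that deny is preceded by an unconditional logging rule so rejected attempts are recorded; and forwarded traffic is translated (NAT) rather than routed directly. The two sample exports are constructed for illustration; the interface names, addresses and log prefixes in them are assumptions.

```python
"""Audit an iptables-save export against the Internet-facing firewall
guidelines in section 1.4 of the policy.

Added example, not the policy's or any Centre's own tooling. The two
sample exports are constructed; interface names, addresses and log
prefixes are assumptions.
"""
import shlex
from collections import defaultdict

DENY_TARGETS = {"DROP", "REJECT"}
NAT_TARGETS = {"DNAT", "SNAT", "MASQUERADE"}
# Chains that carry traffic arriving from the Internet on a border firewall.
INTERNET_FACING_CHAINS = ("INPUT", "FORWARD")

# Constructed sample that meets the section 1.4 guidelines: eth0 faces the
# Internet, eth1 the LAN, eth2 the DMZ (assumed interface roles).
COMPLIANT = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination 10.10.2.5:21
-A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -s 10.10.1.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-INPUT-DENY: "
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -d 10.10.2.5 -p tcp --dport 21 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FW-FORWARD-DENY: "
-A FORWARD -j DROP
COMMIT
"""

# Constructed sample with common mistakes: INPUT relies on the silent
# default policy, FORWARD's final DROP has no logging rule in front of it,
# and internal hosts are forwarded to the Internet without NAT.
NON_COMPLIANT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""


def parse_iptables_save(text):
    """Return {(table, chain): [(match_tokens, target), ...]} in rule order."""
    rules = defaultdict(list)
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue  # comments, chain policy lines and table terminators
        if line.startswith("*"):
            table = line[1:]
            continue
        tokens = shlex.split(line)  # keeps the quoted --log-prefix value whole
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        chain, body = tokens[1], tokens[2:]
        target, matches = None, body
        if "-j" in body:
            j = body.index("-j")
            target = body[j + 1] if j + 1 < len(body) else None
            matches = body[:j]  # any token before -j narrows the rule
        rules[(table, chain)].append((matches, target))
    return rules


def audit(text):
    """Return a list of findings; an empty list means the export complies."""
    rules = parse_iptables_save(text)
    findings = []
    for chain in INTERNET_FACING_CHAINS:
        chain_rules = rules.get(("filter", chain), [])
        # A chain whose default policy is DROP but whose rules end in ACCEPT
        # still drops unmatched packets, but silently, with no audit record.
        last = chain_rules[-1] if chain_rules else None
        if last is None or last[1] not in DENY_TARGETS or last[0]:
            findings.append(f"{chain}: last rule is not an explicit unconditional deny")
            continue
        # The deny only yields a log entry if an unconditional LOG precedes it.
        before = chain_rules[-2] if len(chain_rules) > 1 else None
        if before is None or before[1] != "LOG" or before[0]:
            findings.append(f"{chain}: final deny is not preceded by an unconditional LOG rule")
    # Forwarded traffic should be translated rather than routed directly.
    forwards = any(t == "ACCEPT" for _m, t in rules.get(("filter", "FORWARD"), []))
    translates = any(t in NAT_TARGETS
                     for (table, _chain), chain_rules in rules.items() if table == "nat"
                     for _m, t in chain_rules)
    if forwards and not translates:
        findings.append("FORWARD accepts traffic but the nat table performs no translation")
    return findings


if __name__ == "__main__":
    for name, export in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(f"{name}: {audit(export) or ['no findings']}")
```

Run it against a real backup with `audit(open("firewall-backup.rules").read())`; the checks are deliberately limited to what section 1.4 states, so a clean result is a necessary, not sufficient, condition for compliance with the Network Infrastructure Security Policy.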