System Hardening Policy
Purpose
This policy provides the basis for hardening the configurable devices and resources owned and operated by Uncanny Software. These rules exist to protect the sensitive and classified data of Uncanny Software and its employees.
Scope
This policy applies to all Uncanny Software computer systems and facilities, with a target audience of all employees and partners.
Policy
Vendor Documentation - If the vendor of a device or resource publishes hardening recommendations, the IT or SRE team shall use that document as the foundation and layer Uncanny Software's additional hardening guidelines on top of it.
Operating System - Systems must run the latest long-term support (LTS) version of their operating system that is compatible with the required applications. Operating system updates, including security patches, must be applied regularly.
Hard Drive Encryption - The physical disks of a system must be encrypted at rest so that their contents cannot be read if the device is lost, stolen, or decommissioned.
Disaster Recovery - Redundant backups must be implemented for critical systems to reduce the time to recover and to prevent loss of data.
Logging - Critical systems must retain logs for a minimum of 30 days. Logs should be forwarded to a separate collection point so that they survive the compromise or failure of the system that produced them.
End-Point Protection - Systems must run endpoint protection software that provides real-time protection against viruses and other malware.
Management Agent - An agent must be installed on the system for monitoring and, where applicable, policy enforcement.
Network Access - Applications and services unrelated to the primary purpose or administration of the system must not be reachable remotely over the network.
Administrator Account - The system must include an administrator account that is separate from the primary user account, so that day-to-day work is not performed with administrative privileges. The password for this account must follow the Password Management Policy.
User Accounts - General access to the system must be granted through least-privileged accounts. Passwords for user accounts must follow the Password Management Policy.
Violations
Any violation of this policy may result in disciplinary action, up to and including termination of employment. Uncanny Software reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Uncanny Software does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, Uncanny Software reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.
Any employee or partner who is requested to undertake an activity that he or she believes violates this policy must report it, in writing or verbally, to his or her manager, any other manager, or the Human Resources Department as soon as possible.
References
ISO/IEC 27002:2013 - 17. Information security aspects of business continuity management
Related Documents
Revision History
Last updated