Restricting Network Access for Insecure Systems

Created by Danny Wong, Modified on Sun, 25 Oct, 2020 at 10:41 AM by Danny Wong

Policy Statement

The Information Technologies & Services (ITS) Security & Identity Management team at Business must take appropriate action to assess, evaluate, and mitigate any threat that poses a serious risk or impact to Business information or Business data. If an information system connected to the Business network appears to be vulnerable to a threat and has a high likelihood of compromise, ITS reserves the right to block the information system from accessing the network, including the internet. This policy specifies the guidelines and thresholds used to determine the risk of a system compromise and whether the system's network access must be blocked.


Reason for Policy

Information systems at Business may contain confidential data. Systems that are accessible from the public internet are more vulnerable to attack from a malicious group or individual than a system that resides solely on the internal network. However, systems on the internal network are also exposed to threats if a compromised system exists on the network. As such, all systems must be secured and ITS reserves the right to turn off or restrict functionality of a system in order to contain an attack in the event of a compromise.


Who Should Read this Policy

All users of Business.


Definitions

These definitions apply to terms as they are used in this policy.


  1. ITS: Information Technologies & Services.
  2. Information system: A server, laptop, desktop, or appliance, whether physical or virtual, that contains, stores, or provides access to Business data and resides on the Business network. The system may also be installed and/or supported by an outside vendor or third party.
  3. Confidential: As defined in ITS Data Classification, confidential data includes, without limitation: PHI; PII; customer records, including those protected under the Privacy Act 1988; financial data, including credit card data covered by the Payment Card Industry Data Security Standard (PCI DSS); employment records, including pay, benefits, personnel evaluations, and other staff records; research grants and related information, such as applications, contracts, and study protocols; intellectual property belonging to Business; and other sensitive research data.
  4. Threat: Any circumstance or activity with the potential to cause harm. When a threat exploits a vulnerability, the organization can suffer loss.
  5. Vulnerability: A weakness that a threat can exploit. It can be a weakness in a system, a configuration, a process, hardware, software, or any other aspect of a system.
  6. Compromise: A system is compromised, knowingly or unknowingly, when it has been taken over by another individual or information system without permission.


Principles

ITS Security & Identity Management has the authority to evaluate the seriousness and urgency of any threat to an information system on the Business network. Any action taken (e.g., powering off a system and/or restricting or limiting its network access) is based on a risk assessment that considers the likelihood that the system will be infected or breached, or that the confidentiality or integrity of Business data will be compromised. Several factors, including vulnerability reports, are reviewed before any action is taken on a system.


Any findings and the appropriate action will be communicated to the relevant system managers and administrators. All ITS systems must be configured in accordance with the Requirements for Securing Information Systems policy.


Threats and vulnerabilities are categorized into four severities that dictate remediation timeframes: critical, severe, moderate, and low.


1.1 CRITICAL

A system with a critical risk rating has a high to very high likelihood of compromise, putting at risk the confidentiality or integrity of the data and the availability of the system. Systems in this category must be remediated within 24 hours and may be blocked or shut off immediately depending on the threat. The system owner or manager will be notified upon discovery and upon blocking.


A critical severity may be assigned when any of the following conditions applies:

  1. A targeted attack against a system or the Business network has been launched.
  2. A data compromise or breach has occurred.
  3. Passwords or account credentials have been compromised, obtained, or used illegally.
  4. A system has been compromised that has led to a reputational, legal, or financial liability for Business.
  5. A system has been compromised and is being actively controlled by an outsider.
  6. Malware has infected a system and is at risk for spreading to other systems on the network.
  7. A default password is blank or has not been changed and the system is exposed to the internet.


1.2 SEVERE

A system with a severe risk rating has a medium likelihood of compromise, putting at risk the confidentiality or integrity of the data and the availability of the system. The system owner or manager will be notified upon discovery and must acknowledge a plan to remediate the vulnerabilities within five (5) business days. If no acknowledgement is received in response to the initial notification, a second notification will be sent as a courtesy to alert the system owner. Failure to respond within two (2) business days of the second notification may result in the system being blocked from accessing the network.


A system with a severe risk rating may exhibit any of the following conditions:

  1. Malware has infected an isolated system, but it is identified and contained.
  2. User access (not as an administrator) is gained by an unauthorized individual.
  3. A default password is blank or has not been changed, but the system is not exposed to the internet.


1.3 MODERATE

A system with a moderate risk rating has a low likelihood of compromise, putting at risk the confidentiality or integrity of the data and the availability of the system. The system owner or manager will be notified upon discovery and must acknowledge a plan to remediate the vulnerabilities within thirty (30) days. If no acknowledgement is received in response to the initial notification, a second notification will be sent as a courtesy to alert the system owner. Failure to respond within two (2) business days of the second notification may result in the system being secured with additional compensating controls or isolated from the network to mitigate any vulnerabilities or threats.


A system with a moderate risk rating may exhibit any of the following conditions:

  1. A system is out-of-date with security patches and the system is connected to the Business network, but it is not exposed to the internet.
  2. Unnecessary services are running on the system, but they do not present a high risk of the system being compromised or exploited.


1.4 LOW

A system with a low risk rating has a very low likelihood of compromise, putting at risk the confidentiality or integrity of the data and the availability of the system. The system owner or manager will be notified upon discovery and must acknowledge a plan to remediate the vulnerabilities within ninety (90) days. If no acknowledgement is received in response to the initial notification, a second notification will be sent as a courtesy to alert the system owner. Failure to respond within two (2) business days of the second notification may result in the system being secured with additional compensating controls or isolated from the network to mitigate any vulnerabilities or threats.


A system with a low risk rating may exhibit any of the following conditions:

  1. A system is out-of-date with security patches, but the system is not connected to the network.
  2. A system is running an obsolete or unsupported operating system, but the system is not connected to the network.
  3. Unnecessary services are running on the system that may impact performance, but do not present any risk of the system being compromised.


Related Documents

The following documents are also relevant to this policy:

  1. Requirements for Securing Information Systems
  2. Vulnerability Management Process
