Organizational Security Policy

Policy is the First Step in Implementing Cybersecurity

Access Control

POL.AC.L1-3.1.1

All CLIENT information systems that store, process, or transmit CUI shall employ Role Based Access Control (RBAC) to limit system access to only authorized users of CUI. Furthermore, all processes shall be visible and identifiable to both system administrators and the client user who is logged in (client user respective processes only). All devices which have the capacity to view CUI shall be identified and contractually covered by Planet Security, Inc. The use of shared accounts and/or passwords is prohibited.

All CLIENT non-digital CUI assets shall be protected at all times from confidentiality compromise. All personnel who have access to non-digital CUI assets shall follow Planet Security, Inc. provided procedures pertaining to the same for ensuring confidentiality of non-digital CUI assets. Procedure I.D: PRO.AC.L1-3.1.1

POL.AC.L1-3.1.2

All CLIENT information systems that store, process, or transmit CUI shall employ Application Whitelisting with only approved and authorized applications included in the list. Non-listed applications shall be implicitly blacklisted.

POL.AC.L1-3.1.20

All CLIENT information systems that store, process, or transmit CUI shall only allow external system connectivity:

  • From approved Remote Desktop Protocol (RDP) Client Devices

  • To Signal Messenger systems and other connected Signal Users

  • Web browsing via Brave web browser to allowed websites. No attempt to access non-approved websites shall be made.

  • All other connections to external systems are prohibited.

POL.AC.L1-3.1.22

CUI shall never be posted, published, or otherwise be allowed to be housed on any publicly accessible information system or any other system that has not been explicitly authorized for such usage by this policy.

Violations may result in termination from the organization and criminal prosecution, as the authorities may pursue.

POL.AC.L2-3.1.3

CLIENT management shall only approve access to CUI to those who NEED such access in the performance of their assigned duties. This pertains to both digital and non-digital CUI assets.

POL.AC.L2-3.1.4

All CLIENT employees, or contractors with employee-like access shall be aligned in such a manner as to promote security through the inability to perform malevolent activity without collusion.

POL.AC.L2-3.1.5

All CLIENT information systems shall employ the principle of least privilege. No employee, contractor, or representative of CLIENT shall have access to security functions or privileged accounts. Elevated access of any CPE/SPE environment is the sole responsibility of Planet Security, Inc.

POL.AC.L2-3.1.6

CLIENT personnel shall not have elevated provisioning at any time. Planet Security, Inc. personnel shall not have access to any form of CUI.

POL.AC.L2-3.1.7

CLIENT personnel shall not have the ability to execute privileged functions. Privileged execution attempts shall be logged, both success and failure.

POL.AC.L2-3.1.8

Unsuccessful logon attempts shall be limited to 5 on any system that stores, processes, or transmits CUI.

POL.AC.L2-3.1.9

Privacy and security notices consistent with applicable CUI rules shall be presented to the logging-in user on any system that may store, process, or transmit CUI.

POL.AC.L2-3.1.10

A session lock with pattern-hiding displays shall be employed to prevent access to and viewing of data after 15 minutes of inactivity on any system that may store, process, or transmit CUI.

POL.AC.L2-3.1.11

User sessions shall be terminated after 120 minutes of inactivity on any system that may store, process, or transmit CUI.

POL.AC.L2-3.1.12

Any system that may store, process, or transmit CUI shall monitor and control remote access sessions.
The exclusive method of remote access sessions for any system that may store, process, or transmit CUI shall be RDP sessions that originate from an approved white-listed IP address. Remote access shall be limited to IP address spaces within the United States of America.

POL.AC.L2-3.1.13

Any system that may store, process, or transmit CUI shall exclusively employ FIPS algorithms and cryptographic modules when used to protect the confidentiality of CUI within remote access sessions.

POL.AC.L2-3.1.14

Remote access shall be via a single entry point on the CPE/SPE.

POL.AC.L2-3.1.15

Security-relevant information shall only be available to Planet Security, Inc.

POL.AC.L2-3.1.16

Wireless connectivity shall not be used to access any system that may store, process, or transmit CUI.

POL.AC.L2-3.1.17

Wireless connectivity shall not be used to access any system that may store, process, or transmit CUI.

POL.AC.L2-3.1.18

Wireless connectivity shall not be used to access any system that may store, process, or transmit CUI.

POL.AC.L2-3.1.19

Authorized mobile devices and/or mobile computing platforms that store, process, or transmit CUI shall utilize FIPS validated full drive encryption. Exclusive RDP access from these devices does not necessitate the encryption of these devices.

POL.AC.L2-3.1.21

Use of portable media devices shall be exclusively limited to:

  • The two portable hard drives which are/were supplied with the CPE/SPE for backup purposes.

  • The two USB "Thumb Drives" which are/were supplied with the CPE/SPE for purposes of transferring digital CUI assets to CLIENT operational technology devices such as manufacturing devices (CNC, other).

  • The aforementioned devices shall never be plugged in or otherwise used in any non-CLIENT device or the CPE/SPE.

For questions regarding this Information Security Policy, please reach out to your Planet Security, Inc. Support Engineers using Signal.