Organizational Security Policy
Policy is the First Step in Implementing Cybersecurity
Systems and Communications Protection
POL.SC.L1-3.13.1
The CPE/SPE shall employ automated mechanisms to monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of the CPE/SPE environment. A key internal boundary shall be defined as an interface through which CUI passes from or between a system, host, network, trust-zone or subnet boundary.
POL.SC.L1-3.13.5
The CPE/SPE Network Security Reference Architecture shall provide subnetworks for publicly (RBAC) accessible system components that are physically or logically separated from internal networks.
POL.SC.L2-3.13.2
The CPE/SPE shall employ architectural designs and systems engineering principles that promote effective information security within organizational systems.
POL.SC.L2-3.13.3
The CPE/SPE shall provide and be configured to separate user functionality from system management functionality.
POL.SC.L2-3.13.4
CLIENT shall implement procedures to prevent unauthorized and unintended information transfer via shared system resources (e.g., printers, copiers, etc.). Procedure: PRO.SC.L2-3.13.4
POL.SC.L2-3.13.6
The CPE/SPE shall deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
POL.SC.L2-3.13.7
The CPE/SPE environment devices shall not be multi-homed. When used, VPN configurations shall not use split-tunneling.
POL.SC.L2-3.13.8
The CPE/SPE environment shall utilize FIPS-validated cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
POL.SC.L2-3.13.9
The CPE/SPE shall employ automated mechanisms to terminate network connections associated with communications sessions at the end of the sessions, or after 120 minutes of inactivity.
POL.SC.L2-3.13.10
The CPE/SPE environment shall employ automated key management mechanisms to establish and manage cryptographic keys for the cryptography schemes employed within the CPE/SPE environment.
CLIENT shall implement the methods from procedure PRO.SC.L2-3.13.10 for the protection of keys used to unlock both the HDD (Backup) and USB Flash Drives (Transfer to OT devices).
POL.SC.L2-3.13.11
The CPE/SPE shall exclusively employ FIPS-validated cryptography (140-2 or 140-3) when used to protect the confidentiality of CUI.
POL.SC.L2-3.13.12
The CPE/SPE environment shall not allow for remote activation (auto-answer or other similar mechanisms) of collaborative computing devices and shall provide indication of devices in use to users who are present at the device. Examples of these types of devices are microphones and cameras/webcams. Auto-answer shall be disabled on any such device (e.g., Skype has an auto-answer feature).
POL.SC.L2-3.13.13
Planet Security, Inc. shall monitor the use of Mobile Code within the CPE/SPE environment to detect unauthorized use. Examples of mobile code are JavaScript, Java, Flash, OLE, and similar forms of code. Approved formats of mobile code for CLIENT shall exclusively consist of .pdf document generation. All other forms of Mobile Code are prohibited from being produced. (This does not pertain to website flyby whereby the website utilizes JavaScript or other types of mobile code which are not produced by the CLIENT organization.)
POL.SC.L2-3.13.14
Planet Security, Inc. shall monitor the use of Voice over IP technology within the CPE/SPE environment to detect unauthorized use.
Approved uses of VoIP for the CPE/SPE environment shall exclusively consist of teleconferencing and the company phone system.
POL.SC.L2-3.13.15
CLIENT shall protect the authenticity of all communications sessions originating from or received by any organizational technologies.
Procedures for this Policy Element: PROPOL.SC.L2-3.13.15
POL.SC.L2-3.13.16
The CPE/SPE shall protect the confidentiality of CUI at rest while within the CPE/SPE environment.
The CLIENT shall protect the confidentiality of CUI at rest while within the CLIENT operational environment.
POL.SC.L2-3.13.17
Under penalty of employee/contract termination and prosecution as authorities may pursue, CUI shall not be published on any external system and/or internal system that is not expressly authorized for the publication of CUI.
For questions regarding this Information Security Policy, please reach out to your Planet Security, Inc. Support Engineers using Signal.
Planet Security, Inc.
5325 S Fort Apache Rd., Suite D2, Las Vegas, NV 89148
Signal Messenger: helpdesk.100
© 1993-2025. Planet Security Inc. All rights reserved.
Phone: 725.246.0191
protecting cui protects the american warfighter
CUI Protected enclave | Small Protected Enclave