2. Information Security Policy Outline
3. Acceptable Use Policy
4. Disciplinary Action for Non-Compliance
5. Protection and Disposal of Stored Data Outline
6. Information Classifications and Categories
7. Physical Security
8. Protection of Data in Transit
9. Secure Disposal of Stored Data
10. Security Awareness and Procedures
11. Network Security
12. System and Password Policy
13. Anti-virus Policy
14. Patch Management Policy
15. Remote Access Policy
16. Vulnerability Management Policy
17. Configuration Standards
18. Change Control Process
19. Penetration Testing Methodology
20. Incident Response Plan
21. Roles and Responsibilities
22. Third Party Access
23. User Access Management
24. Access Control Policy
25. Wireless LAN Policy
26. Contact Us
2. Information Security Policy Outline
This Information Security Policy covers all aspects of security surrounding confidential company information and any stored personal information. Although the focus of this document is on protecting customer information, it also covers RHM employee information, company information, supplier information and any other information deemed to be important. This document will be reviewed and updated by Management annually, or sooner where newly developed security standards or threats need to be incorporated into the policy.
RHM Telecommunications processes customer personal information on a daily basis. This information must have adequate safeguards in place to ensure its safety and integrity, for the benefit of both the customer and the company.
RHM Telecommunications is committed to respecting the privacy of all its customers and to protecting information about customers from outside parties. To this end, Management is committed to maintaining a secure environment in which to process this information so that these promises can be met.
Employees handling customer information should ensure:
• All customer information is handled in a manner that is appropriate for the content
• They do not disclose customer information unless authorised
• They take all necessary steps to protect sensitive customer information
• They keep passwords and accounts secure
• They request approval from Management before installing or configuring any new software or hardware, third-party connections, modems, wireless access points, etc.
• Information security incidents are reported, without delay, to the relevant line manager or directly to the DPO
Everyone has a responsibility for ensuring the company's systems and data are protected from unauthorised access and improper use.
3. Acceptable Use Policy
The intention of publishing an Acceptable Use Policy is not to impose restrictions that are contrary to RHM Telecommunications' established culture of openness, trust and integrity. Management is committed to protecting the company from illegal or damaging actions by individuals, whether committed knowingly or unknowingly.
• Employees are responsible for exercising good judgment regarding the use of customer information
• Employees should ensure that they have the appropriate credentials and training, and are authorised to use the relevant software or hardware
• Employees should take all necessary steps to prevent unauthorised access to customer information
• Employees should ensure that technology is used and set up only in approved network environments
• Employees should keep passwords secure and should not share accounts
• Authorised users are responsible for the security of their passwords and accounts
• All computers should be secured with a password and locked when unattended
• Employees should ensure that all installed security software is working correctly and as intended. Any malfunction should be reported, without delay, to the Technical Manager.
• Employees must use extreme caution when opening email attachments, especially from unknown senders, as attachments may contain viruses, malware or other malicious code.
4. Disciplinary Action for Non-Compliance
Violation by an employee of the standards, policies and procedures outlined in this document will result in disciplinary action, ranging from warnings or reprimands up to and including termination of employment, depending on the severity. Claims of ignorance, good intentions or poor judgment will not be accepted as excuses for non-compliance.
5. Protection and Disposal of Stored Data Outline
All customer information stored and handled by RHM Telecommunications and its employees must be securely protected against unauthorised use at all times. Any customer information that is no longer required by RHM Telecommunications for business reasons will be destroyed in a secure and irrecoverable manner.
6. Information Classifications and Categories
Information stored by RHM Telecommunications has been classified into one of the following three categories:
• Customer Information – Any and all information relating to customers. Access to this information should only be available to internal employees and the respective individual customer.
• Supplier Information – Any and all information relating to suppliers. Access to this information should only be available to internal employees.
• Employee Information – Any and all information relating to employees. Access to this information should only be available to the respective employee, their line manager, Management and any department that requires specific information, e.g. Accounts and HR.
7. Physical Security
All customer information must be securely protected from physical threats. This covers not only the security of RHM Telecommunications offices and their contents but also portable devices such as laptops and mobile phones, which are protected by strong AES-256 device encryption so that loss or theft of a device does not expose the data it holds.
Entrance to the building must be secured through multiple measures including lock and key, coded door entry system, CCTV and 24/7 monitored security alarms.
Access to customer information, in both physical media and electronic formats, must be physically restricted to prevent access by unauthorised individuals. Physical media will be kept in locked cabinets and drawers or in individually locked rooms. Electronic data will be secured via strict, granular permission hierarchies. All unnecessary USB ports and network points will be disabled. Media is defined as any printed or handwritten paper, removable media, back-up tapes, external hard drives, etc.
Visits by customers, suppliers or other third parties must be pre-arranged where possible and must always be verified by the employee being visited. Visitors must be escorted and monitored by a trusted employee whilst in areas where access to customer information or network access is available.
Employees should be trained to report suspicious behaviour of other employees, visitors, third parties as well as software/hardware including indications of tampering of devices to the appropriate personnel.
8. Protection of Data in Transit
All customer information must be protected securely when it is transported physically or electronically.
• Customer information on company laptops will be secured via AES-256 encryption and two-factor authentication.
• Customer information on mobile phones will be secured via device-specific encryption and a centrally managed RHM Mobile Device Management (MDM) solution.
• Customer information sent over email is not end-to-end encrypted. Outbound mail is sent from a fully licensed Exchange server configured with SPF, DKIM and DMARC; these are sender-authentication standards that let receiving mail systems reject messages forged in RHM's name, but they do not protect the confidentiality of message content in transit.
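The following is an added example, not RHM's code or DNS configuration, showing what SPF and DMARC TXT records look like and how to check them for the weaknesses that make forging a domain easier. It parses constructed records for a hypothetical domain and flags a soft-fail SPF, a monitor-only DMARC policy, a missing aggregate-reporting address and the absence of any DKIM selector. It says nothing about message confidentiality, which these standards do not provide.

```python
import re

# Constructed example records for a hypothetical domain (not RHM's real DNS records).
STRONG = {
    "spf": "v=spf1 mx include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
    "dkim_selectors": ["selector1"],   # selectors with a published DKIM public key
}
WEAK = {
    "spf": "v=spf1 a mx ~all",
    "dmarc": "v=DMARC1; p=none",
    "dkim_selectors": [],
}

# One SPF term: optional qualifier followed by a mechanism or the redirect modifier.
SPF_TERM = re.compile(
    r"([+\-~?]?)(all|include:\S+|a(?::\S+)?|mx(?::\S+)?|ip4:\S+|ip6:\S+|exists:\S+|redirect=\S+)",
    re.IGNORECASE,
)


def parse_spf(record):
    """Split an SPF TXT record into its mechanisms and the qualifier on the final 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        match = SPF_TERM.fullmatch(term)
        if match is None:
            raise ValueError(f"unsupported SPF term: {term}")
        qualifier = match.group(1) or "+"          # an omitted qualifier means "pass"
        if match.group(2).lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record):
    """Parse the 'tag=value;' pairs of a DMARC TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(domain_cfg):
    """Return the anti-spoofing weaknesses found in a domain's SPF/DKIM/DMARC configuration."""
    findings = []
    spf = parse_spf(domain_cfg["spf"])
    dmarc = parse_dmarc(domain_cfg["dmarc"])
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF does not fail unlisted senders (missing, +all or ?all)")
    elif spf["all"] == "~":
        findings.append("SPF soft-fails unlisted senders (~all); receivers may still deliver forged mail, use -all")
    if dmarc.get("p", "none") == "none":
        findings.append("DMARC p=none only monitors; forged mail is still delivered")
    if "rua" not in dmarc:
        findings.append("no DMARC aggregate reporting address (rua), so abuse of the domain goes unseen")
    if not domain_cfg["dkim_selectors"]:
        findings.append("no DKIM selector published, so outbound mail cannot be signed")
    return findings


if __name__ == "__main__":
    for name, cfg in (("strong", STRONG), ("weak", WEAK)):
        print(name, assess(cfg) or ["no findings"])
```

In a real check the three records would be fetched with DNS TXT queries for the domain, `_dmarc.<domain>` and `<selector>._domainkey.<domain>`; the assessment logic is the same.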
9. Secure Disposal of Stored Data
All data must be securely disposed of when no longer required by RHM Telecommunications, regardless of the media or application type on which it is stored.
• All paper is cross-cut shredded on site and bagged in a secure locked area before being disposed of securely via a third-party paper shredding and disposal company
• All other physical media is completely destroyed to an irrecoverable state and then disposed of via a third-party disposal company
• All electronic data is destroyed by three secure overwriting passes to the DoD 5220.22-M standard, ensuring it is completely irrecoverable. Overwriting is only reliable on conventional magnetic disks; solid-state and flash media must be sanitised with the drive's built-in secure-erase function or physically destroyed, as set out in NIST SP 800-88.
• Customer data is destroyed two years after the customer ceases trading or communicating with RHM Telecommunications, unless a longer retention period is required (e.g. for financial data).
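As an added example, not RHM's tooling, the Python below performs the three-pass overwrite (zeros, ones, random) on a single file, forcing each pass to the medium before starting the next. It also shows the limit of the technique: it rewrites only the blocks the file currently occupies, so on SSD or flash storage, and on journaling or copy-on-write filesystems, earlier copies of the data can survive; those media need the drive's built-in secure erase or physical destruction. The sample record it wipes is constructed.

```python
import os
import tempfile

CHUNK = 64 * 1024
# The three-pass scheme: zeros, ones, then random data (None = random bytes).
THREE_PASS = (b"\x00", b"\xff", None)

# Constructed sample content standing in for a customer record.
SAMPLE = b"Customer record: Jane Example, account 12345\n" * 100


def overwrite_file(path, passes=THREE_PASS, unlink=True):
    """Overwrite every byte of the file once per pass, syncing each pass to disk.

    Caveat: only the blocks the file currently occupies are rewritten. Wear levelling on
    SSD/flash and journaling or copy-on-write filesystems can keep earlier copies, so this
    is only a reliable sanitisation method for conventional magnetic disks.
    """
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)          # open in place; no truncation, so the same blocks are hit
    try:
        for pattern in passes:
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                length = min(CHUNK, remaining)
                buf = os.urandom(length) if pattern is None else pattern * length
                remaining -= os.write(fd, buf)   # os.write may write less than requested
            os.fsync(fd)                          # force this pass to the medium before the next
    finally:
        os.close(fd)
    if unlink:
        os.remove(path)
    return size


def demo():
    """Write the sample record to a temporary file, wipe it, and report whether the content is gone."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as handle:
        handle.write(SAMPLE)
    size = overwrite_file(path, unlink=False)    # keep the file so its contents can be inspected
    with open(path, "rb") as handle:
        after = handle.read()
    os.remove(path)
    return {
        "size": size,
        "same_length": len(after) == len(SAMPLE),
        "original_gone": b"Jane Example" not in after,
    }


if __name__ == "__main__":
    print(demo())
```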
10. Security Awareness and Procedures
The policies and procedures outlined below must be incorporated into company practice to maintain a high level of security awareness. The protection of customer information demands regular training of all employees and contractors.
• Review handling procedures for sensitive information and hold periodic security awareness meetings to incorporate these procedures into day-to-day company practice.
• Make this security policy available to all members of staff and encourage them to read it. Any changes made to the document through annual reviews must be made clear and communicated to all staff.
• All employees will undergo background checks (such as criminal and credit record checks, within the limits of the local law) before they commence their employment with RHM Telecommunications.
• All third parties with access to customer information are contractually obligated to comply with relevant legislation such as GDPR.
• Company security policies must be reviewed annually and updated as needed.
11. Network Security
• Firewalls must be implemented at each point of entry into the company internal network
• All inbound network traffic is blocked by default; any exception must be explicitly allowed and documented.
• All inbound and outbound traffic must be restricted to that which is required only. No unnecessary ports or routes are to be left open.
• Firewall and Router configurations must restrict connections between untrusted networks and any systems on the internal company network.
• Firewalls will be in place between any wireless networks and the internal company network
• No direct connections from Internet to the internal company network will be permitted. All traffic has to traverse through a firewall.
• Stateful Firewall technology must be implemented where the Internet enters the internal company network to mitigate known and on-going threats. Firewalls must also be implemented to protect local network segments such as corporate
• The topology of the firewall environment must be documented and kept up to date as the network changes.
• A network diagram detailing all inbound and outbound connections must be maintained and reviewed annually.
• A Firewall and Router configuration document must be maintained which includes a documented list of services, protocols and ports including a business justification
• Disclosure of private IP addresses to external parties must be authorized.
• Corporate wireless networks must be secured by a MAC-address whitelist to prevent unauthorised devices from connecting. Because MAC addresses are easily cloned, the whitelist is a supplementary control only and must be combined with the password authentication required by the Wireless LAN Policy.
• Guest WiFi networks must enforce Layer 2 Isolation and have no route to any other segment of the internal company network
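To make the rules above concrete, here is an added example in Python that is not RHM's configuration. It takes the kind of documented allow-list the policy requires, one entry per permitted flow with its business justification, audits it against the rules above (no undocumented or catch-all exceptions, no direct path from the Internet or wireless zones to the internal network, no cleartext management protocols) and, only if the audit passes, renders it as an nftables ruleset whose input and forward chains default to drop. Zone names, ports and justifications are constructed, and the example assumes each zone maps to a firewall interface of the same name.

```python
# Constructed example of the "Firewall and Router configuration document" the policy
# requires: one entry per permitted flow, each with a business justification. Zone names
# are assumed to match interface names on the firewall.
RULES = [
    {"from": "wan", "to": "dmz", "proto": "tcp", "port": 443, "justification": "Customer portal HTTPS"},
    {"from": "wan", "to": "dmz", "proto": "tcp", "port": 25, "justification": "Inbound SMTP to mail relay"},
    {"from": "lan", "to": "wan", "proto": "tcp", "port": 443, "justification": "Staff web access"},
    {"from": "lan", "to": "wan", "proto": "udp", "port": 53, "justification": "DNS to upstream resolvers"},
]

UNTRUSTED = {"wan", "guest", "byod"}      # zones that must never reach the internal LAN directly
INSECURE_TCP = {21: "FTP", 23: "Telnet"}  # cleartext protocols the configuration standard bans


def audit_rules(rules):
    """Check an allow-list against the network security policy; returns a list of findings."""
    findings = []
    for index, rule in enumerate(rules):
        label = f"rule {index} ({rule['from']}->{rule['to']} {rule['proto']}/{rule['port']})"
        if not str(rule.get("justification", "")).strip():
            findings.append(f"{label}: no documented business justification")
        if rule["from"] in UNTRUSTED and rule["to"] == "lan":
            findings.append(f"{label}: direct path from an untrusted zone to the internal network")
        if rule["port"] == "any":
            findings.append(f"{label}: catch-all port; restrict to the required service")
        if rule["proto"] == "tcp" and rule["port"] in INSECURE_TCP:
            findings.append(f"{label}: insecure protocol {INSECURE_TCP[rule['port']]} permitted")
    return findings


def render_nftables(rules):
    """Render the allow-list as an nftables ruleset with default-drop input and forward chains."""
    findings = audit_rules(rules)
    if findings:
        raise ValueError("refusing to render a ruleset that fails the audit: " + "; ".join(findings))
    lines = [
        "table inet filter {",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        ct state established,related accept",
        '        iif "lo" accept',
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for rule in rules:   # every accept rule carries its justification as an nft comment
        lines.append(
            f'        iifname "{rule["from"]}" oifname "{rule["to"]}" '
            f'{rule["proto"]} dport {rule["port"]} accept comment "{rule["justification"]}"'
        )
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables(RULES))
```

The rendered ruleset can be loaded with `nft -f`; keeping the justification in the rule comment means `nft list ruleset` on the live firewall shows the same documentation the policy asks for.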
12. System and Password Policy
All users, including contractors and third parties, who have access to RHM Telecommunications systems, devices or portals are responsible for taking the steps outlined below to generate and secure their passwords. This section also sets out the baseline configuration standard that RHM Telecommunications systems must meet.
• A configuration standard must be developed along industry acceptable standards
• System configurations should be updated as new issues are identified
• System configurations must include common security parameter settings
• The system configuration standard must be applied to any new systems configured.
• All vendor default accounts and passwords for systems have to be changed at the time of provisioning the system/device and all unnecessary services and user/system accounts must be disabled
• Security parameter settings must be set appropriately on system components
• All unnecessary functionality, services or protocols (HTTP Access, Telnet, FTP, TR069 etc) must be removed unless absolutely necessary
• Any insecure functionality, services or protocols in use must be documented and justified
• All users must use a password to access RHM Telecommunications network or any other electronic resources
• All user accounts for terminated users must be deactivated or removed immediately
• An account will be locked after a set number of consecutive unsuccessful login attempts. Locked accounts remain disabled for a set period of time or until re-enabled by a system administrator.
• All system and user level passwords must be changed on at least a quarterly basis.
• A minimum password history must be implemented.
• A unique password must be setup for new users and the users prompted to change the password on first login.
• Group, shared or generic user account or password and other authentication methods must not be used to administer any system components.
• System services and parameters will be configured to prevent the use of insecure technologies such as Telnet and other insecure remote login commands
• The responsibility of selecting a password that is hard to guess generally falls to users. A strong password must:
o Be at least 8 characters long
o Include mixed-case letters, if allowed
o Include digits and special characters, if allowed
o Not be based on any personal information
o Not be based on a single dictionary word, in any language
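The following added example (Python, not RHM's own code) implements the password rules above as the check a self-built portal could run at password-change time, together with the password-history rule from earlier in this section. It keeps only salted PBKDF2 hashes of previous passwords for the history comparison, undoes common "leet" substitutions before the dictionary check so that "P@ssw0rd!" is treated as "password", and, going beyond the policy text, screens candidates against a breached-password list as NIST SP 800-63B recommends. The word list and breached list are constructed stand-ins; for domain accounts, Active Directory enforces the equivalent rules through Group Policy.

```python
import hashlib
import hmac
import re
import secrets

MIN_LENGTH = 8
# Constructed for this example; a real deployment loads full word and breached-password lists.
COMMON_WORDS = {"password", "welcome", "summer", "telecom", "letmein", "qwerty", "monkey"}
BREACHED = {"Password1!", "Summer2018!", "Welcome123!"}
# Common substitutions attackers try first: 0->o, 1->i, 3->e, 4->a, 5->s, 7->t, @->a, $->s
LEET = str.maketrans("013457@$", "oieastas")


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) pairs are stored for history checks."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def in_history(password, history):
    """True if the candidate matches any stored (salt, digest) pair, compared in constant time."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def validate_password(password, personal_info=(), history=()):
    """Return the policy rules the candidate violates; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("missing mixed-case letters")
    if not re.search(r"\d", password):
        problems.append("missing a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("missing a special character")
    lowered = password.lower()
    # Personal information: username, names, phone numbers, etc. supplied by the caller.
    if any(len(item) >= 3 and item.lower() in lowered for item in personal_info):
        problems.append("based on personal information")
    # Undo leet substitutions and strip everything but letters before the dictionary check.
    core = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    if core in COMMON_WORDS:
        problems.append("based on a single dictionary word")
    if password in BREACHED:
        problems.append("found in a breached-password list")
    if in_history(password, history):
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "P@ssw0rd!", "short1A"):
        print(candidate, validate_password(candidate) or ["ok"])
```

When a user changes their password, the portal appends `hash_password(new_password)` to that user's history and keeps only the most recent entries required by the minimum-history rule.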
13. Anti-virus Policy
• All machines must run the latest anti-virus software approved by RHM Telecommunications. The preferred product is Malwarebytes Enterprise Anti-Virus, which must be configured to retrieve the latest updates automatically every day and to run periodic scans on all systems.
• The anti-virus software in use must be capable of detecting all known types of malicious software (viruses, Trojans, adware, spyware, worms and rootkits)
• All removable media must be scanned by Malwarebytes before use.
• All the logs generated from the antivirus solution have to be retained as per legal/regulatory/contractual requirements or at a minimum of 3 months
• Master Installations of the Antivirus software should be setup for automatic updates and periodic scans
• End users must not be able to modify any settings or alter the antivirus software
• Email with attachments coming from suspicious or unknown sources should not be opened. All such emails and their attachments should be deleted from the mail system as well as from deleted items.
14. Patch Management Policy
All computers, servers, software, system components, etc. owned by RHM Telecommunications must have up-to-date security patches installed to protect the asset from known vulnerabilities.
Where possible, all systems and software must have automatic updates enabled for patches released by their respective vendors. Security patches must be installed within one month of release by the vendor.
15. Remote Access Policy
• It is the responsibility of RHM Telecommunications employees, contractors, suppliers or other third parties with remote access to the RHM Telecommunications network to maintain the security and integrity of their authentication details.
• Secure remote access into the company internal network must be strictly controlled. Control will be enforced by two factor authentication where possible and strong passwords.
• Vendors or contractors with access to RHM Telecommunications network will only be enabled during the time period the access is required and will be disabled or removed once access is no longer required.
• Remote access will only be established into RHM Telecommunications network from a known or trusted location.
• Machines remotely connected to RHM Telecommunications network must not be left unattended at any time.
16. Vulnerability Management Policy
• All known vulnerabilities must be assigned a risk ranking, such as High, Medium or Low, based on industry best practice.
• Any new vulnerabilities identified must be assessed, risk ranked and dealt with in a time scale relative to their risk rating.
• Annual reviews of existing vulnerabilities must be completed.
17. Configuration Standards
• All systems must be configured in accordance with the applicable standard for that class of device or system. Standards must be written and maintained by the team responsible for the management of the system.
• Updates to network device operating systems or configuration settings that cause a device to fall below these standards must be justified.
• All network device configuration must adhere to RHM Telecommunications required standards before being placed on the network as specified in RHM Telecommunications configuration guide.
• All network device configurations must be checked annually against the configuration guide to ensure the configuration continues to meet required standards.
• Where possible network configuration management software will be used to automate the process of confirming adherence to the standard configuration.
18. Change Control Process
All change requests shall be logged on a central system. A documented audit trail containing relevant information shall be maintained at all times. This should include change request documentation, change authorisation and the outcome of the change.
All change requests shall be prioritised in terms of benefits, urgency, effort required and potential impact on operations.
Changes shall be tested in an isolated, controlled, and representative environment where possible if they are deemed to have significant potential impact on the system or network as a whole.
All users significantly affected by a change shall be notified of the change prior to its completion.
All major changes shall be treated as a project. Major changes will be classified according to effort required to develop and implement said changes.
Procedures for aborting and recovering from unsuccessful changes shall be in place should the outcome of a change be different to the expected result. Where possible fall back procedures will be in place to ensure systems can revert back to what they were prior to implementation of changes.
Documentation shall be updated on the completion of each major change and old documentation shall be archived or disposed of as per the documentation and data retention policies.
19. Penetration Testing Methodology
• All risks inherent in conducting penetration testing over the systems and network of RHM Telecommunications should be documented including mitigation measures that will be taken.
Examples might be:
Risk: Denial of Service in systems or network devices due to network / port scans.
Mitigation measure 1: scans must be performed in a controlled manner. The start and end of the scan must be notified to responsible personnel to allow monitoring during testing. The scan will be aborted should issues arise.
Mitigation measure 2: scanning tools must be configured so that the volume of packets sent, or sessions established, per minute cannot cause a problem for network elements (for example by using the scanner's rate-limiting options, such as nmap's --max-rate and --scan-delay). The first scans must be performed in a controlled manner using a minimal configuration, which may be expanded once it is evident that the configuration is not dangerous for network devices or servers in the organisation.
• Key staff involved in the project will be listed
• External intrusion tests will be performed remotely from the supplier's premises. Internal intrusion tests will be conducted within the RHM Telecommunications office, and the audit team must be given access to the company internal network for this purpose.
• All the tests will be conducted from the equipment owned by the audit team so no equipment for the execution of the tests is required. The only requirement in this regard will be to have an active network connection for each member of the audit team. Those connections must provide access to the target network segment in every case.
• If an incident occurs during the execution of the tests that have an impact on the systems or services of the organisation the incident should be brought immediately to the attention of those responsible for incident management in the project.
• For all findings or vulnerabilities identified during the tests carried out documentation will be generated providing sufficient evidence to prove its existence and recommendations for resolution. The format of the evidence can be variable in each case eg screen capture, raw output of security tools, photographs, paper documents etc.
• The tests performed must result in a report containing at least the following sections:
o Identified Vulnerabilities
o Recommendations for correcting Vulnerabilities
20. Incident Response Plan
Any major incident (accidental or deliberate) relating to communications or information processing systems must be handled using the procedure below. The attacker could be a malicious stranger, a competitor or a disgruntled employee, and their intention can range from stealing or destroying information, to stealing money, to harming the reputation of the company.
Employees of RHM Telecommunications will be expected to report any security related issues in line with the below procedure:
• Each department must report an incident to the DPO or Technical Manager (if available) or to their line manager.
• The relevant team will investigate the incident and assist the potentially compromised department in limiting the exposure of information and mitigating the risks associated with the incident.
• The relevant team will report the incident and findings to the appropriate parties.
• The relevant team will determine if policies and processes need to be updated to avoid a similar incident in the future and whether additional safeguards are required in the environment where the incident occurred.
• If unauthorised hardware or devices (e.g. wireless access points, network switches) are identified or detected during the investigation, this must be escalated immediately to the Technical Manager, or someone with equivalent privileges, who has the authority and ability to shut down and remove the offending device immediately.
21. Roles and Responsibilities
The Technical Manager (or equivalent) is responsible for:
• Creating and distributing security policies and procedures
• Monitoring and analysing security alerts and distributing information to appropriate employees and/or management
• Creating and distributing security incident response and escalation procedures
• Administering user accounts and managing authentication
• Monitoring and controlling all access to the company internal network
Management Team are responsible for:
• Maintaining a list of service providers
• Ensuring there is a process for engaging service providers including proper due diligence prior to engagement.
• Ensuring that employees have read and understand this Information Security Policy
22. Third Party Access
Any third party who will be remotely accessing the RHM Telecommunications network will be granted permission and access on a per-case basis.
Access will be granted via secure methods only and will be monitored at all times by the member of staff who granted it.
Third Parties will never have access or visibility to anything beyond what is required for the scope of the task they are carrying out on behalf of RHM Telecommunications.
Only recognised and pre-authenticated third parties can be granted access. These must be pre-authenticated by the Technical Manager or the Management Team.
23. User Access Management
Access to the internal company network is controlled through a formal user registration process, beginning with a formal notification from HR or from a line manager.
Each user is identified by a unique user ID so that users can be linked to, and made responsible for, their actions. The use of group or shared IDs is only permitted where they are suitable for the work carried out, and never for administering system components (see the System and Password Policy).
There is a standard level of access based on department. Any special or additional access must be authorised on a per-case basis.
Access to any company system may only be granted once the proper procedures have been completed.
As soon as an individual leaves RHM Telecommunications employment all of his/her system logons must be immediately revoked.
24. Access Control Policy
Access Control configurations and procedures are in place to protect the interests of all users of RHM Telecommunications computer systems by providing a safe, secure and readily accessible environment in which to work.
RHM Telecommunications will provide all employees and other users with the information they need to carry out their responsibilities in as effective and efficient manner as possible.
Access rights will be determined and granted based on the users requirements and must be authorised by the users’ line manager.
Every user should attempt to maintain the security of data even if technical security mechanisms fail or are absent.
Users electing to place information on digital media or storage devices must have clear justification for doing so and, depending on the quantity of data, authorisation from the relevant management.
Access to RHM Telecommunications resources and services will be given through the provision of a unique Active Directory account and complex password.
No access to any RHM Telecommunications resources and services will be provided without prior authentication and authorisation of a user’s RHM Telecommunications Windows Active Directory account.
Password issuing, strength requirements, changing and control will be managed through formal processes. Password length, complexity and expiration times will be controlled through Windows Active Directory Group Policy Objects.
Users are expected to become familiar with and abide by RHM Telecommunications policies, standards and guidelines for appropriate and acceptable usage of the networks and systems.
Access for remote users shall be subject to authorisation by the relevant line manager and be provided in accordance with the Remote Access Policy and the Information Security Policy. No uncontrolled external access shall be permitted to any network device or networked system.
25. Wireless LAN Policy
RHM Telecommunications will provide wireless networks in the office premises that are fit for purpose and secured according to their requirements.
The RHM Staff network is to be used only by company devices and is secured via a complex password and Layer 2 MAC-address authentication. Devices requiring access to this network must be pre-configured and authorised. Note that MAC-address filtering only deters casual connection, since MAC addresses can be cloned; it is a supplementary control alongside the password, not a substitute for it.
RHM BYOD network is to be used by staff personal devices and is secured via complex password. This network is kept physically and logically separate from all other networks and routes out to the public internet via its own breakout.
RHM Guest network is to be used by visitors including customers and suppliers and is secured via complex password and Layer-2 Isolation. This network is kept physically and logically separate from all other networks and routes out to the public internet via its own breakout.
Installation or use of any wireless device or wireless network intended to connect to RHM Telecommunications networks or environments, other than those provided above, is strictly forbidden. Scans for both visible and hidden networks will be carried out periodically using inSSIDer or similar tools to detect rogue access points.
26. Contact Us
If you have any questions about this Information Security Policy, please contact us at the below:
Telephone: 0345 136 6060
© rhm telecommunications 2018