Information Security Policies, Part 2: Extranet Policy

Reprinting is welcome, but please credit the source and the translator. Please do not use this for commercial purposes.

Original text:

1.0 Purpose
This document describes the policy under which third party organizations connect to <Company Name> networks for the purpose of transacting business related to <Company Name>.
     
2.0 Scope
Connections between third parties that require access to non-public <Company Name> resources fall under this policy, regardless of whether a telco circuit (such as frame relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for <Company Name> or to the Public Switched Telephone Network does NOT fall under this policy.
       
3.0 Policy
 
3.1 Pre-Requisites
 
3.1.1 Security Review
All new extranet connectivity will go through a security review with the Information Security department (InfoSec). The reviews are to ensure that all access matches the business requirements in a best possible way, and that the principle of least access is followed.
         
3.1.2 Third Party Connection Agreement
All new connection requests between third parties and <Company Name> require that the third party and <Company Name> representatives agree to and sign the Third Party Agreement. This agreement must be signed by the Vice President of the Sponsoring Organization as well as a representative from the third party who is legally empowered to sign on behalf of the third party. The signed document is to be kept on file with the relevant extranet group. Documents pertaining to connections into <Company Name> labs are to be kept on file with the [name of team responsible for security of labs].
         
3.1.3 Business Case
All production extranet connections must be accompanied by a valid business justification, in writing, that is approved by a project manager in the extranet group. Lab connections must be approved by the [name of team responsible for security of labs]. Typically this function is handled as part of the Third Party Agreement.
         
3.1.4 Point Of Contact
The Sponsoring Organization must designate a person to be the Point of Contact (POC) for the Extranet connection. The POC acts on behalf of the Sponsoring Organization, and is responsible for those portions of this policy and the Third Party Agreement that pertain to it. In the event that the POC changes, the relevant extranet Organization must be informed promptly.
       
3.2 Establishing Connectivity
Sponsoring Organizations within <Company Name> that wish to establish connectivity to a third party are to file a new site request with the proper extranet group. The extranet group will engage InfoSec to address security issues inherent in the project. If the proposed connection is to terminate within a lab at <Company Name>, the Sponsoring Organization must engage the [name of team responsible for security of labs]. The Sponsoring Organization must provide full and complete information as to the nature of the proposed access to the extranet group and InfoSec, as requested.
 
All connectivity established must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will <Company Name> rely upon the third party to protect <Company Name>'s network or resources.
       
3.3 Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification, and are subject to security review. Changes are to be implemented via corporate change management process. The Sponsoring Organization is responsible for notifying the extranet management group and/or InfoSec when there is a material change in their originally provided information so that security and connectivity evolve accordingly.
       
3.4 Terminating Access
When access is no longer required, the Sponsoring Organization within <Company Name> must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean a modification of existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must conduct an audit of their respective connections on an annual basis to ensure that all existing connections are still needed, and that the access provided meets the needs of the connection. Connections that are found to be deprecated, and/or are no longer being used to conduct <Company Name> business, will be terminated immediately. Should a security incident, or a finding that a circuit has been deprecated and is no longer being used to conduct <Company Name> business, necessitate a modification of existing permissions or termination of connectivity, InfoSec and/or the extranet team will notify the POC or the Sponsoring Organization of the change prior to taking any action.
       
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
       
5.0 Definitions
Term: Definition

Circuit: For the purposes of this policy, circuit refers to the method of network access, whether it is through traditional ISDN, Frame Relay, etc., or via VPN/encryption technologies.

Sponsoring Organization: The <Company Name> organization that requested that the third party have access into <Company Name>.

Third Party: A business that is not a formal or subsidiary part of <Company Name>.
 
6.0 Revision History
Translation:

Extranet Policy

1.0 Purpose

This document describes the policy governing connections by third-party organizations to the company's network for the purpose of conducting business with the company.

2.0 Scope

This policy applies to third-party connections that require access to the company's non-public resources, regardless of the type of circuit used (such as frame relay or ISDN) and whether VPN technology is used. Certain third-party connections, such as those to Internet service providers (ISPs) that provide the company with Internet access or access to the PSTN (public switched telephone network), fall outside the scope of this policy.

3.0 Policy

3.1 Prerequisites

3.1.1 Security Review

All new extranet connections must undergo a security review by the Information Security department. These reviews help ensure that all external access matches business requirements as closely as possible while adhering to the principle of least access.

3.1.2 Third Party Connection Agreement

All new connection requests between a third party and the company require that the third party and the company's representatives reach agreement and sign the Third Party Agreement. This agreement must be signed by the vice president of the responsible company department and by the third party's legal representative. The signed document is kept on file by the relevant extranet working group. Documents relating to connections into the company's labs are kept on file by the team responsible for the security of that lab.

3.1.3 Business Case

All extranet connections must be accompanied by a written business justification approved by a project manager of the relevant extranet working group. Lab connections must be approved by the team responsible for lab security. Typically these terms form part of the Third Party Agreement.

3.1.4 Point of Contact

The responsible company department must designate a Point of Contact (POC) for the extranet connection. The POC acts on behalf of the responsible department and is responsible for fulfilling this policy and the corresponding Third Party Agreement. If the POC changes, the responsible department must give notice promptly.

3.2 Establishing Connectivity

If a responsible department of the company needs to establish an extranet connection with a third party, it must submit a new site request to the relevant extranet working group. The extranet working group will engage the Information Security department to analyze the security issues of the project. If the connection is to reach one of the company's labs, the responsible department must engage the team responsible for lab security to perform a security analysis. On request, the responsible department must provide the extranet working group and the Information Security department with complete information on the nature of the extranet connection.

All established connections must follow the principle of least access and comply with the approved business requirements and the security review. Under no circumstances may the company rely on the third party to protect its network and resources.

3.3 Modifying or Changing Connectivity and Access

All access changes must be accompanied by a valid business justification and must pass a security review. Changes are implemented through the corporate change management process. Because security changes whenever a connection changes, the responsible department must notify the extranet management working group and/or the Information Security department of the change.

3.4 Terminating Access

When access is no longer needed, the responsible company department must notify the extranet working group responsible for that connection, which will then terminate the access. The extranet and lab security teams must review their respective connections annually to ensure that each connection is still needed and that the access provided meets the requirements of the connection. Any connection found to be no longer needed for business operations must be terminated immediately. The occurrence of a security incident or the discovery of an unused connection requires that the existing permission assignments be changed or the corresponding connection be terminated. The Information Security department and/or the extranet working group must notify the POC or the responsible department before taking such action.

4.0 Enforcement

Any employee who violates this policy will face disciplinary action, up to and including termination of employment.

5.0 Definitions

Term: Definition

Circuit: In this policy, "circuit" refers to the means of network access, whether through traditional ISDN, frame relay, etc., or via VPN/encryption technologies.

Sponsoring Organization: The department within the company that requested third-party access to the company's network.

Third Party: An organization outside the company itself and its subsidiaries.

6.0 Revision History
