1. Overview
Unsecured and vulnerable servers continue to be a major entry point for malicious threat actors. Consistent Server installation policies, ownership and configuration management are all about doing the basics well.
2. Purpose
The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by Milk Moovement. Effective implementation of this policy will minimize unauthorized access to Milk Moovement proprietary information and technology.
3. Scope
All employees, contractors, consultants, temporary and other workers at Milk Moovement must adhere to this policy.
4. Policy
4.1 General Requirements
4.1.1 All internal servers deployed at Milk Moovement must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by Milk Moovement senior management. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by Milk Moovement senior management. The following items must be met:
4.1.2 For security, compliance, and maintenance purposes, authorized personnel may monitor and audit equipment, systems, processes, and network traffic per the Audit Policy.
4.1.3 Configuration Requirements
4.1.4 Operating System configuration should be in accordance with approved Milk Moovement guidelines.
4.1.5 Services and applications that will not be used must be disabled where practical.
4.1.6 Access to services should be logged and/or protected through access-control methods such as a web application firewall, if possible.
4.1.7 The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
4.1.8 Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication is sufficient.
4.1.9 Always use standard security principles of least required access to perform a function. Do not use root when a non-privileged account will do.
4.1.10 If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels, (e.g., encrypted network connections using SSH or IPSec).
4.2 Monitoring
4.2.1 All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:
• All security related logs will be kept online for a minimum of 1 week.
5. Policy Compliance
5.1 Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the Milk Moovement senior management team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
6. Related Standards, Policies and Processes
• Audit Policy
1. Overview
See Purpose.
2. Purpose
The purpose of this policy is to ensure all servers deployed at Milk Moovement are configured according to the Milk Moovement security policies. Servers deployed at Milk Moovement shall be audited at least annually and as prescribed by applicable regulatory compliance.
Audits may be conducted to:
• Ensure integrity, confidentiality and availability of information and resources
• Ensure conformance to Milk Moovement security policies
3. Scope
This policy covers all servers owned or operated by Milk Moovement. This policy also covers any server present on Milk Moovement premises, but which may not be owned or operated by Milk Moovement.
4. Policy
4.1 Specific Concerns
Servers in use for Milk Moovement support critical business functions and store company sensitive information. Improper configuration of servers could lead to the loss of confidentiality, availability or integrity of these systems.
4.2 Guidelines
Approved and standard configuration templates shall be used when deploying server systems to include:
• All system logs shall be sent to a central log review system
• All Sudo / Administrator actions must be logged
• Use a central patch deployment system
• Host security agent such as antivirus shall be installed and updated
• Network scan to verify only required network ports and network shares are in use
• Verify administrative group membership
• Conduct baselines when systems are deployed and upon significant system changes
• Changes to configuration template shall be coordinated with approval of change control board.
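The configuration requirements in the Server Security Policy (4.1.5 through 4.1.10) and the audit guidelines above (network scan for required ports, administrative group membership, baselines on deployment and after significant changes) can be checked mechanically on each server. The following is an added example, not code from Milk Moovement or from either policy. It assumes Linux hosts where `ss -tlnp` lists listening sockets, `/etc/group` carries privileged groups named `sudo`, `wheel` or `root`, and OpenSSH's `sshd_config` controls privileged remote access; the allowlists and all sample inputs are constructed for illustration.

```python
"""Server configuration compliance checks: ports, admin membership, sshd, baseline."""
import hashlib
import re

# Constructed sample inputs (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1330,fd=4))
LISTEN  0       4096    127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=5))
"""

SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice,bob,svc-backup
wheel:x:10:
users:x:100:alice,bob,carol
"""

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""


def parse_listening(ss_output):
    """Return {(bind_addr, port): process_name} from `ss -tlnp`-style output."""
    listening = {}
    for line in ss_output.splitlines()[1:]:  # skip the header row
        m = re.match(r'LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"', line)
        if m:
            listening[(m.group(1), int(m.group(2)))] = m.group(3)
    return listening


def unexpected_ports(listening, allowed_ports):
    """Ports reachable from the network that are not on the allowlist.
    Loopback-only sockets are ignored; they are not network-exposed services."""
    return sorted(
        (port, proc) for (addr, port), proc in listening.items()
        if addr not in ("127.0.0.1", "::1") and port not in allowed_ports
    )


def admin_members(group_file, admin_groups=("sudo", "wheel", "root")):
    """Users who are members of any privileged group in an /etc/group-style file."""
    members = set()
    for line in group_file.splitlines():
        name, _, _, users = line.split(":", 3)
        if name in admin_groups and users:
            members.update(users.split(","))
    return members


def unexpected_admins(members, approved):
    """Privileged users not on the approved administrator list."""
    return sorted(members - set(approved))


def sshd_findings(config):
    """Settings that contradict 'do not use root when a non-privileged account will do'
    and 'privileged access over secure channels' (key-based, no password logins)."""
    required = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}
    seen = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            key, _, value = line.partition(" ")
            seen[key] = value.strip()
    return sorted(f"{k} should be '{v}', found '{seen.get(k, '<unset>')}'"
                  for k, v in required.items() if seen.get(k) != v)


def baseline(files):
    """SHA-256 per file path; record at deployment and re-run after significant changes."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def baseline_drift(old, new):
    """Files whose content changed, appeared or disappeared since the recorded baseline."""
    return {
        "changed": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }


if __name__ == "__main__":
    print("unexpected ports:", unexpected_ports(parse_listening(SAMPLE_SS_OUTPUT), {22, 443}))
    print("unexpected admins:", unexpected_admins(admin_members(SAMPLE_GROUP_FILE), ["alice", "bob"]))
    print("sshd findings:", sshd_findings(SAMPLE_SSHD_CONFIG))
```

Each check compares observed state to an approved list rather than to a hard-coded "good" value, so the same script serves the policy's exception process: an approved exception is an entry in the allowlist, and anything else is a finding to record in the tracking system.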
4.3 Responsibility
Milk Moovement shall conduct audits of all servers owned or operated by Milk Moovement. Server and application owners are encouraged to also perform this work as needed.
4.4 Relevant Findings
All relevant findings discovered as a result of the audit shall be listed in the Milk Moovement tracking system to ensure prompt resolution or appropriate mitigating controls.
4.5 Ownership of Audit Report
All results and findings generated must be provided to appropriate Milk Moovement management within one week of project completion. This report will be considered company confidential.
5. Policy Compliance
5.1 Compliance Measurement
The Milk Moovement Team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the Milk Moovement senior management team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
6. Related Standards, Policies and Processes
None.
7. Definitions and Terms
None.
1.0 Purpose
The purpose of the policy is to establish the goals and the vision for the breach response process. This policy will clearly define to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, standards and metrics (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms. The policy shall be well publicized and made easily available to all personnel whose duties involve data privacy and security protection. Milk Moovement Information Security's intentions for publishing a Data Breach Response Policy are to focus significant attention on data security and data security breaches and how Milk Moovement’s established culture of openness, trust and integrity should respond to such activity. Milk Moovement Information Security is committed to protecting Milk Moovement's employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.
1.1 Background
This policy mandates that any individual who suspects that a theft, breach or exposure of Milk Moovement Protected data or Milk Moovement Sensitive data has occurred must immediately provide a description of what occurred via e-mail to info@milkmoovement.com, by calling 709-743-4030, or through the use of the help desk reporting web page at https://www.milkmoovement.com. This e-mail address, phone number, and web page are monitored by Milk Moovement's Information Security Administrator, who will investigate all reported thefts, data breaches and exposures to confirm whether a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the Information Security Administrator will follow the appropriate procedure in place.
2.0 Scope
This policy applies to all who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle personally identifiable information or Protected Health Information (PHI) of Milk Moovement members. Any agreements with vendors will contain similar language protecting Milk Moovement.
3.0 Policy
Confirmed theft, data breach or exposure of Milk Moovement Protected data or Milk Moovement Sensitive data
As soon as a theft, data breach or exposure containing Milk Moovement Protected data or Milk Moovement Sensitive data is identified, the process of removing all access to that resource will begin. The CEO will chair an incident response team to handle the breach or exposure. The team will include members from:
• IT Infrastructure
• IT Applications
• Finance (if applicable)
• Legal
• Communications
• Member Services (if Member data is affected)
• Human Resources
• The affected unit or department that uses the involved system or output or whose data may have been breached or exposed
• Additional departments based on the data type involved
• Additional individuals as deemed necessary by the Executive Director
Confirmed theft, breach or exposure of Milk Moovement data
The CEO will be notified of the theft, breach or exposure. IT will analyze the breach or exposure to determine the root cause and develop a communication plan, working with Milk Moovement communications, legal and human resource departments to decide how to communicate the breach to: a) internal employees, b) the public, and c) those directly affected.
3.1 Ownership and Responsibilities
Roles & Responsibilities:
• Sponsors - Sponsors are those members of the Milk Moovement community that have primary responsibility for maintaining any particular information resource. Sponsors may be designated by any Milk Moovement Executive in connection with their administrative responsibilities, or by the actual sponsorship, collection, development, or storage of information.
• Information Security Administrator - That member of the Milk Moovement community, designated by the CEO or the Director, Information Technology (IT) Infrastructure, who provides administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources in consultation with the relevant Sponsors.
• Users - Virtually all members of the Milk Moovement community to the extent they have authorized access to information resources; may include staff, trustees, contractors, consultants, interns, temporary employees and volunteers.
• The Incident Response Team - Chaired by Executive Management and including, but not limited to, the following departments or their representatives: IT-Infrastructure, IT-Application Security, Communications, Legal, Management, Financial Services, Member Services, Human Resources.
4.0 Enforcement
Any Milk Moovement personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third party partner company found in violation may have their network connection terminated.
5.0 Definitions
Encryption or encrypted data – The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text;
Plain text – Unencrypted data.
Hacker – A slang term for a computer enthusiast, i.e., a person who enjoys learning programming languages and computer systems and can often be considered an expert on the subject(s).
Protected Health Information (PHI) - Under US law is any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity), and can be linked to a specific individual.
Personally Identifiable Information (PII) - Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or to de-anonymize anonymous data, can be considered PII.
Protected data - See PII and PHI
Information Resource - The data and information assets of an organization, department or unit.
Safeguards - Countermeasures, controls put in place to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Safeguards help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.
Sensitive data - Data that is encrypted or in plain text and contains PII or PHI data. See PII and PHI above.
1. Overview
A Security Response Plan (SRP) provides the impetus for security and business teams to integrate their efforts from the perspective of awareness and communication, as well as coordinated response in times of crisis (a security vulnerability identified or exploited). Specifically, an SRP defines a product description, contact information, escalation paths, expected service level agreements (SLA), severity and impact classification, and mitigation/remediation timelines. Requiring business units to incorporate an SRP as part of their business continuity operations, and as new products or services are developed and prepared for release to consumers, ensures that when an incident occurs, swift mitigation and remediation follow.
2. Purpose
The purpose of this policy is to establish the requirement that all business units supported by the Milk Moovement team develop and maintain a security response plan. This ensures that security incident management team has all the necessary information to formulate a successful response should a specific security incident occur.
3. Scope
This policy applies to any established and defined business unit or entity within Milk Moovement.
4. Policy
The development, implementation, and execution of a Security Response Plan (SRP) are the primary responsibility of the specific business unit for whom the SRP is being developed, in cooperation with the Milk Moovement Team. Business units are expected to properly facilitate the SRP for the services or products for which they are held accountable. The business unit security coordinator or champion is further expected to work on the development and maintenance of the Security Response Plan.
4.1 Service or Product Description
The product description in an SRP must clearly define the service or application to be deployed; additional attention to data flows, logical diagrams and architecture is considered highly useful.
4.2 Contact Information
The SRP must include contact information for dedicated team members to be available during non-business hours should an incident occur and escalation be required. This may be a 24/7 requirement depending on the defined business value of the service or product, coupled with the impact to the customer. The SRP document must include all phone numbers and email addresses for the dedicated team member(s).
4.3 Triage
The SRP must define triage steps to be coordinated with the security incident management team in a cooperative manner with the intended goal of swift security vulnerability mitigation. This step typically includes validating the reported vulnerability or compromise.
4.4 Identified Mitigations and Testing
The SRP must include a defined process for identifying and testing mitigations prior to deployment. These details should include both short-term mitigations as well as the remediation process.
4.5 Mitigation and Remediation Timelines
The SRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact to consumer, brand, and company. These response guidelines should be carefully mapped to the level of severity determined for the reported vulnerability.
5. Policy Compliance
5.1 Compliance Measurement
Each business unit must be able to demonstrate they have a written SRP in place, and that it is under version control and is available via the web. The policy should be reviewed annually.
5.2 Exceptions
Any exception to this policy must be approved by the Milk Moovement Team in advance and have a written record.
5.3 Non-Compliance
Any business unit found to have violated this policy (no SRP developed prior to service or product deployment) may be subject to delays in service or product release until such a time as the SRP is developed and approved. Responsible parties may be subject to disciplinary action, up to and including termination of employment, should a security incident occur in the absence of an SRP.
6. Related Standards, Policies and Processes
None.
7. Definitions and Terms
None.
1. Overview
Electronic email is pervasively used in almost all industry verticals and is often the primary communication and awareness method within an organization. At the same time, misuse of email can pose many legal, privacy and security risks, so it is important for users to understand the appropriate use of electronic communications.
2. Purpose
The purpose of this email policy is to ensure the proper use of Milk Moovement email system and make users aware of what Milk Moovement deems as acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within Milk Moovement Network.
3. Scope
This policy covers appropriate use of any email sent from a Milk Moovement email address and applies to all employees, vendors, and agents operating on behalf of Milk Moovement.
4. Policy
4.1 All use of email must be consistent with Milk Moovement policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices.
4.2 Milk Moovement email accounts should be used primarily for Milk Moovement business related purposes; personal communication is permitted on a limited basis, but non-Milk Moovement related commercial uses are prohibited.
4.3 All Milk Moovement data contained within an email message or an attachment must be secured according to the Data Protection Standard.
4.4 Email should be retained only if it qualifies as a Milk Moovement business record. Email is a Milk Moovement business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.
4.5 Email that is identified as a Milk Moovement business record shall be retained according to Milk Moovement Record Retention Schedule.
4.6 The Milk Moovement email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any Milk Moovement employee should report the matter to their supervisor immediately.
4.7 Users are prohibited from automatically forwarding Milk Moovement email to a third party email system (noted in 4.8 below). Individual messages which are forwarded by the user must not contain Milk Moovement confidential or above information.
4.8 Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct Milk Moovement business, to create or memorialize any binding transactions, or to store or retain email on behalf of Milk Moovement. Such communications and transactions should be conducted through proper channels using Milk Moovement-approved documentation.
4.9 Using a reasonable amount of Milk Moovement resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email. Sending chain letters or joke emails from a Milk Moovement email account is prohibited.
4.10 Milk Moovement employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.
4.11 Milk Moovement may monitor messages without prior notice. Milk Moovement is not obliged to monitor email messages.
5. Policy Compliance
5.1 Compliance Measurement
The Milk Moovement senior management team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the Milk Moovement senior management team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
6. Related Standards, Policies and Processes
• Data Protection Standard