INTRODUCTION
Hirett (hereinafter referred to as the “Company”) utilises host-based and boundary firewalls to protect its devices, networks, property, staff and customers. We understand the importance of effective protective measures and recognise our obligation to set up such firewalls to enable maximum protection and to include effective firewall rules.
The boundary firewall is essential in mitigating the risks associated with loss or threats to our information and business and we utilise government and expert guidelines and requirements for setting up the rules and parameters that define the firewall.
We also use host-based firewalls on all devices to ensure a double layered protective approach. This allows for tailored rules and configuration on specific devices and the ability to protect that device and therefore the information it contains or accesses wherever it is used.
WHY THIS POLICY EXISTS
The purpose of this policy is to define the Company standards for securing devices and networks within the scope of its information security program, as defined below. By utilising host-based and boundary firewalls, the Company aims to protect against cyber-attacks; loss or damage to personal data; unwanted virus and/or malware attacks; loss of intellectual property and any other adverse effects from unauthorised access to our networks or devices.
This policy focuses on the Company’s firewall use, configuration and administration and enables the effective set up, maintenance and monitoring of its firewalls. It also defines how many firewalls the Company utilises and the scope and areas that each of these protect.
POLICY SCOPE
This policy applies to all staff within the Company (meaning permanent, fixed-term and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in Spain or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
IN SCOPE
All devices on the Hirett network are covered by this policy.
NOT IN SCOPE
This policy does not cover the infrastructure of external service providers.
KEY AREAS
The Company has implemented and configured boundary and host-based firewalls to ensure that all network communications from other devices and services are both necessary and safe.
A boundary firewall protects the network as a whole, placing a protective buffer around all of the devices within the Company’s network and protecting against threats from any external network to which the Company connects.
The second type of firewall that the Company utilises is the host-based firewall, which is installed on individual devices (e.g. laptops, smartphones, desktop computers). These offer an extra layer of protection from external network traffic and also allow specific user-based rules to be set.
We have defined a number of objectives that we meet when implementing and configuring firewalls, as detailed below. Where an objective applies only to the boundary or only to the host-based firewall, this is stated in the objective. Any objective that refers solely to a ‘firewall’ applies to both boundary and host-based firewalls.
- Change the default usernames and passwords on all boundary firewalls as soon as implemented
- Update the boundary firewall password every quarter
- Enable and configure host-based firewalls on all devices within the scope
- Verify and approve connections and/or devices to the firewall
- Verify that the configurations in the firewall block services from inside the network from being accessed externally
- Document the devices connected to the firewall and the business need for this connection
- Define firewall rules for the inbound and outbound traffic
- Retain a log of all firewall rules, recording for each rule:
  - the rule’s purpose
  - the affected device/service/user/network
  - the date the rule was applied
  - the duration of the rule (if duration-limited)
  - the person who authorised the rule
- Review firewall rules every 6 months
- Enable all firewall logs and monitor them for suspicious behaviour
- Where a port is opened for business reasons (e.g. to allow a client to access an internal system externally), a risk assessment and authorisation review is conducted by the IT Manager to ensure that risks are minimised and that there is an essential business purpose for opening the port
- Where an opened port is duration-limited (e.g. a client only needs to access a system for one day), the IT Manager is responsible for disabling the access as soon as it is no longer required
- Limit access to the firewall management interface to the IT Manager only
- Regularly update firewalls with relevant patches and/or firmware
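The objectives above amount to a rule register with required fields, a six-month review cadence and duration-limited access that must be switched off when it lapses. The following script is an added example, not part of the Hirett policy or its tooling: it models one register entry with the fields the policy requires and checks a constructed sample register for missing purpose or authoriser, expired duration-limited rules and overdue reviews. The field names, finding codes, the 183-day approximation of six months and the sample rules are all assumptions made for the illustration.

```python
"""Firewall rule register checker (added example, not Hirett's own code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy parameters: rules are reviewed every 6 months (assumed here as 183 days)
REVIEW_INTERVAL = timedelta(days=183)
FIREWALL_KINDS = {"boundary", "host-based"}
DIRECTIONS = {"inbound", "outbound"}


@dataclass
class FirewallRule:
    """One register entry carrying the fields the policy says the log must contain."""
    rule_id: str
    firewall: str                       # "boundary" or "host-based"
    direction: str                      # "inbound" or "outbound"
    purpose: str                        # business reason for the rule
    affected: str                       # device / service / user / network affected
    applied_on: date                    # date the rule was applied
    authorised_by: str                  # person who authorised the rule
    expires_on: Optional[date] = None   # set only for duration-limited rules
    last_reviewed: Optional[date] = None


def check_rule(rule: FirewallRule, today: date) -> list[str]:
    """Return finding codes for one rule; an empty list means the entry is compliant."""
    findings = []
    if rule.firewall not in FIREWALL_KINDS:
        findings.append("unknown-firewall")
    if rule.direction not in DIRECTIONS:
        findings.append("unknown-direction")
    if not rule.purpose.strip():
        findings.append("missing-purpose")
    if not rule.affected.strip():
        findings.append("missing-affected")
    if not rule.authorised_by.strip():
        findings.append("missing-authoriser")
    # Duration-limited access must be disabled as soon as it is no longer required
    if rule.expires_on is not None and rule.expires_on < today:
        findings.append("expired")
    # A rule that has never been reviewed is measured from the date it was applied
    last_check = rule.last_reviewed or rule.applied_on
    if today - last_check > REVIEW_INTERVAL:
        findings.append("review-overdue")
    return findings


def check_register(rules, today: date) -> dict[str, list[str]]:
    """Map rule_id -> findings for every rule that has at least one finding."""
    report = {}
    for rule in rules:
        findings = check_rule(rule, today)
        if findings:
            report[rule.rule_id] = findings
    return report


# Constructed sample register (hypothetical entries, not real Hirett rules)
SAMPLE_RULES = [
    FirewallRule("R1", "boundary", "inbound", "Client portal access for one day",
                 "portal-srv", date(2024, 6, 20), "IT Manager",
                 expires_on=date(2024, 6, 21)),
    FirewallRule("R2", "host-based", "outbound", "", "laptop-07",
                 date(2023, 11, 1), "IT Manager"),
    FirewallRule("R3", "boundary", "inbound", "Drop unsolicited inbound SMB",
                 "office-lan", date(2024, 1, 15), "IT Manager",
                 last_reviewed=date(2024, 6, 1)),
    FirewallRule("R4", "boundary", "inbound", "Vendor maintenance window",
                 "build-srv", date(2024, 6, 1), ""),
]
AS_OF = date(2024, 6, 30)  # assumed date on which the register is checked


def sample_report() -> dict[str, list[str]]:
    """Run the checks over the constructed register as of AS_OF."""
    return check_register(SAMPLE_RULES, AS_OF)


if __name__ == "__main__":
    for rule_id, findings in sample_report().items():
        print(rule_id, ", ".join(findings))
```

Run as a script, the check reports R1 as expired (its one-day access lapsed), R2 as lacking a purpose and overdue for its six-monthly review, and R4 as lacking an authoriser; R3, reviewed in June, produces no findings. In practice the register would be loaded from wherever the IT Team keeps it rather than embedded in the script, and the report would feed the review the IT Manager is responsible for.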
RESPONSIBILITIES
It is the responsibility of the IT Team to oversee, implement, configure, monitor and maintain all firewalls within the organisation. The IT Team has been assessed to ensure that it has an adequate level of knowledge and understanding of boundary and host-based firewall configuration and maintenance, and that it is able to carry out monitoring and reviews of all protective measures.