Data Centre Network Access Policy

Prepared / Updated By:

Reviewed By:

Sr. No  Approver (Name / Title)                          Signature   Date
1       Mr. Haider Murtaza, Director (Data Comm)
2       Mr. Abdul Qadeer, Divisional Engineer (M&I)
3       Mr. Kashif Fayyaz, Divisional Engineer (ISP)
4       Mr. Miraj Gul, Director General Technica

Abbreviations

KMZ DC: KMZ Headquarters Datacenter
WAP: Wireless Access Point
LAN: Local Area Network
SSID: Service Set Identifier
HTTP: Hypertext Transfer Protocol
DHCP: Dynamic Host Configuration Protocol
VLAN: Virtual Local Area Network
ACL: Access Control List
QoS: Quality of Service
FTP: File Transfer Protocol
SFTP: SSH File Transfer Protocol (commonly expanded as Secure File Transfer Protocol; file transfer carried inside an SSH session)

Policy

KMZ protects its networked services from unauthorized access in line with its access control policy. Firewalls are in place between the KMZ network, the external network (intranet) and the Internet; Intrusion Prevention Systems are deployed and monitored to detect and respond to attacks; and appropriate authentication mechanisms are applied to users and equipment so that control of user access to information services is enforced.

Scope

The Policy applies to any person granted authorization to access any system or device in the KMZ Data Center (an "Authorized User"). This includes, but is not limited to, contractors, temporary visitors, vendors, sub-contractors, employees and partners authorized to access any of the KMZ systems, locally or via Remote Access, for any reason, including email and Internet or intranet web browsing.

The KMZ Network Team is responsible for implementing, adhering to and maintaining these controls. For the purposes of this document, "all devices" refers to workstations, laptops, servers, switches, routers, firewalls, mobile devices and wireless access points. Where possible, these guidelines also apply to the external firewalls in place between the KMZ network, the intranet and the Internet, and to the Intrusion Prevention Systems deployed and monitored to detect and respond to attacks. Appropriate authentication mechanisms are applied to users and equipment, and control of user access to information services is enforced.

1. Authorization procedures shall be used to ensure that users only have access to those services and networks which are appropriate for their role and their business needs; these are detailed in the Access Control Standard and Guidelines.
2. Management controls and procedures shall be used to protect access to the network connections and network services identified in the Network Security Standard.
3. The Network Security Standard shall set out the means by which network services may be accessed.
4. Remote Devices
Any Employee using any Remote Device must ensure that the device is updated with the most recent security patches for its operating system.
All machines on the LAN and any Remote Device must run current versions of anti-virus software with regularly updated virus definitions. New malware appears continuously, so "regularly updated virus definitions" means definitions updated at least once a week; updating every 24 hours is reasonable and preferred.
Any Remote Device must be running a properly configured firewall program such as Tracker, Zone Alarm or Computer Associates eTrust. Users at public hotspots must be aware that, if a Remote Device is not running a firewall, a malicious user on the same network can gain access to the Remote Device and install software on, or remove files from, the Remote Device's hard drive.
Any Authorized User accessing any computer or device on the LAN for remote management or administration must use SSH or a VPN. For remote file transfer, SCP, SFTP or a VPN must be used. Under no circumstances shall Telnet, FTP or any other unencrypted access method be used; these send credentials and session content in clear text.
No Employee using any Remote Device shall access the LAN while connected to any other network (split tunnelling), except a personal network over which the Employee has complete control.
5. Role-Based Access Control
Role-Based Access Control should be implemented to regulate access to computer and network resources based on the roles of individual users within KMZ. In this context, access is the ability of an individual user to perform a specific task, such as viewing, creating or modifying a file. Roles are defined according to job competency, authority and responsibility within KMZ, and a user receives only the permissions attached to the roles assigned to them.
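As an added example (not part of the KMZ policy document), the following Python script implements the kind of role-based check section 5 describes: permissions are attached to roles, senior roles inherit from junior ones, access is denied unless some role grants it, and a separation-of-duty rule stops one user from holding two conflicting roles. The role names, permissions, users and the conflicting pair are assumptions made for the illustration; the policy defines none of them.

```python
"""Added example (not part of the KMZ policy): a small hierarchical RBAC
checker in the sense of section 5. Roles, permissions, users and the
separation-of-duty constraint are constructed for illustration."""
from dataclasses import dataclass, field

Permission = tuple  # (action, resource), e.g. ("modify", "switch-config")


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)
    inherits: list = field(default_factory=list)

    def effective_permissions(self) -> set:
        """Hierarchical RBAC: a senior role holds everything its junior roles hold."""
        perms = set(self.permissions)
        for parent in self.inherits:
            perms |= parent.effective_permissions()
        return perms


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


class RBAC:
    def __init__(self) -> None:
        self.roles: dict = {}
        # Static separation of duty: pairs of roles no single user may hold.
        self.exclusive: set = set()

    def add_role(self, role: Role) -> Role:
        self.roles[role.name] = role
        return role

    def add_exclusive(self, a: str, b: str) -> None:
        self.exclusive.add(frozenset({a, b}))

    def assign(self, user: User, role_name: str) -> None:
        if role_name not in self.roles:
            raise KeyError(f"unknown role {role_name!r}")
        for pair in self.exclusive:
            if role_name in pair and (pair - {role_name}) & user.roles:
                raise ValueError(
                    f"{user.name}: {role_name} conflicts with {set(pair - {role_name})}")
        user.roles.add(role_name)

    def allowed(self, user: User, action: str, resource: str) -> bool:
        """Deny by default: access requires an explicit permission via some role."""
        return any((action, resource) in self.roles[r].effective_permissions()
                   for r in user.roles)


def build_demo():
    """Construct the hypothetical roles and users used in this example."""
    rbac = RBAC()
    operator = rbac.add_role(Role("network-operator",
                                  {("view", "switch-config"), ("view", "router-config")}))
    rbac.add_role(Role("network-admin",
                       {("modify", "switch-config"), ("modify", "router-config")},
                       inherits=[operator]))
    rbac.add_role(Role("auditor", {("view", "audit-log")}))
    # Whoever changes configurations must not also be the one reviewing the audit trail.
    rbac.add_exclusive("network-admin", "auditor")
    alice, bob = User("alice"), User("bob")
    rbac.assign(alice, "network-admin")
    rbac.assign(bob, "auditor")
    return rbac, alice, bob


if __name__ == "__main__":
    rbac, alice, bob = build_demo()
    for user in (alice, bob):
        for action, resource in (("view", "router-config"), ("modify", "switch-config"),
                                 ("view", "audit-log")):
            print(f"{user.name:6} {action:7} {resource:14} -> "
                  f"{'allow' if rbac.allowed(user, action, resource) else 'deny'}")
    try:
        rbac.assign(bob, "network-admin")
    except ValueError as exc:
        print("rejected:", exc)
```

Note that `allowed` never consults the user directly, only the roles; adding a permission to a user therefore always means adding or changing a role, which is what keeps the role set reviewable.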
6. Device Profiling
End devices on the network shall be identified by profiling them using protocols such as HTTP and DHCP (for example, the DHCP options a client requests and the HTTP User-Agent it presents). Administrators should configure device-based policies and enforce per-user or per-device policy on the network. Because a device controls what it sends in DHCP and HTTP, a profile alone must not be treated as proof of identity or ownership.
Profiling and policy enforcement shall cover mobile devices and the basic onboarding of profiled devices onto a specific VLAN, with an ACL and QoS assigned so that a guest device cannot reach KMZ equipment (PCs, routers, switches, firewalls) and can access the Internet only for justified business purposes and under fair-usage limits. Such access shall also be subject to a session timeout.
Guest registration shall include two-factor authentication tied to a Pakistani mobile number or National ID number, so that the real identity of the guest is established.
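As an added example (not part of the KMZ policy document), the Python script below shows the profiling and onboarding flow of section 6: a device is fingerprinted from its DHCP option 55 parameter request list and its HTTP User-Agent, classified, and then given a VLAN, ACL, QoS class and session timeout. The fingerprint table, VLAN numbers, ACL names, timeouts, MAC addresses and sample observations are all constructed for this example (a production NAC would use a maintained fingerprint database), and the corporate class additionally requires the MAC to be in an asset inventory, because both DHCP and HTTP fields are chosen by the client.

```python
"""Added example (not part of the KMZ policy): DHCP/HTTP device profiling and
per-device VLAN/ACL/QoS assignment. All fingerprints, policy values and sample
observations below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NetworkPolicy:
    vlan: int
    acl: str
    qos_class: str
    session_timeout_s: Optional[int]   # None: no forced re-authentication


# Per-class policy (assumed values). Guests get an Internet-only ACL and a
# session timeout; anything unrecognised is quarantined rather than trusted.
POLICIES = {
    "corporate-workstation": NetworkPolicy(10, "CORP-FULL", "default", None),
    "mobile-guest": NetworkPolicy(200, "GUEST-INTERNET-ONLY", "best-effort", 3600),
    "unknown": NetworkPolicy(999, "QUARANTINE", "best-effort", 600),
}

# DHCP option 55 (Parameter Request List) fingerprints, keyed by the exact
# option sequence the client asked for. Constructed for this example; real
# fingerprints vary by OS version and must come from a maintained database.
DHCP_FINGERPRINTS = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "windows",
    (1, 121, 3, 6, 15, 119, 252): "ios",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "android",
}
# HTTP User-Agent hints, used only as a fallback when no DHCP match exists.
UA_HINTS = [
    (re.compile(r"iPhone|iPad", re.I), "ios"),
    (re.compile(r"Android", re.I), "android"),
    (re.compile(r"Windows NT", re.I), "windows"),
]


@dataclass
class Observation:
    mac: str
    dhcp_prl: Optional[tuple] = None
    user_agent: Optional[str] = None


def fingerprint(obs: Observation) -> str:
    """Best-effort OS guess: DHCP first, User-Agent second, else 'unknown'."""
    if obs.dhcp_prl in DHCP_FINGERPRINTS:
        return DHCP_FINGERPRINTS[obs.dhcp_prl]
    for pattern, os_name in UA_HINTS:
        if obs.user_agent and pattern.search(obs.user_agent):
            return os_name
    return "unknown"


def classify(obs: Observation, corporate_macs: set) -> str:
    """Map a fingerprint to a device class. DHCP and HTTP fields are set by the
    client, so a 'windows' fingerprint alone never earns corporate access: the
    MAC must also be in the asset inventory. Phones are onboarded as guests."""
    os_name = fingerprint(obs)
    if os_name == "windows" and obs.mac.lower() in corporate_macs:
        return "corporate-workstation"
    if os_name in ("ios", "android"):
        return "mobile-guest"
    return "unknown"


def assign_policies(observations: list, corporate_macs: set) -> dict:
    """Return {mac: (device_class, NetworkPolicy)} for every observed device."""
    result = {}
    for obs in observations:
        cls = classify(obs, corporate_macs)
        result[obs.mac] = (cls, POLICIES[cls])
    return result


# Constructed sample traffic: an inventoried laptop, a phone, and a device that
# presents a Windows DHCP fingerprint from a MAC that is not in inventory.
WINDOWS_PRL = (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252)
SAMPLE_OBSERVATIONS = [
    Observation("00:11:22:33:44:55", dhcp_prl=WINDOWS_PRL),
    Observation("aa:bb:cc:dd:ee:01", dhcp_prl=(1, 121, 3, 6, 15, 119, 252),
                user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)"),
    Observation("de:ad:be:ef:00:01", dhcp_prl=WINDOWS_PRL),
]
CORPORATE_MACS = {"00:11:22:33:44:55"}   # assumed asset inventory

if __name__ == "__main__":
    for mac, (cls, pol) in assign_policies(SAMPLE_OBSERVATIONS, CORPORATE_MACS).items():
        print(f"{mac}  {cls:22} vlan={pol.vlan:<4} acl={pol.acl:20} "
              f"timeout={pol.session_timeout_s}")
```

The third sample device is the case worth noticing: it looks exactly like a corporate laptop to DHCP, but without an inventory match it lands in the quarantine VLAN instead of the corporate one.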

7. Acceptable Use
Authorized Users may access the Internet for KMZ business or personal information provided that they:
1. do not jeopardize the security or confidentiality of KMZ information which may be present on the computer being used to access the Internet;
2. do not violate any KMZ policies;
3. do not engage in illegal or prurient activities;
4. do not engage in outside business interests.

8. Password Security

All Authorized Users must use strong passwords. Unacceptable passwords include, but are by no means limited to:
1. first or last names, or combinations thereof;
2. names of an Authorized User's children or pets;
3. words found in a dictionary, and combinations of dictionary words with a sound-alike digit (e.g. "second2");
4. the words password, admin, update, access, login, computer, terminal, workstation, work, home, etc., or variants of them (e.g. with letters replaced by similar-looking digits or symbols).
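As an added example (not part of the KMZ policy document), the following Python script turns the four rules above into a check that can run at password-change time. The dictionary is a small constructed sample (a real deployment would load a full word list and a breached-password list), the 12-character minimum is an assumption because the policy says "strong" without fixing a length, and the substitution table that maps "P@ssw0rd" back to "password" is this example's own choice.

```python
"""Added example (not part of the KMZ policy): a checker that rejects the
classes of weak password listed in section 8. Word lists are constructed
for illustration; MIN_LENGTH and the LEET table are assumptions."""
import re

MIN_LENGTH = 12  # assumption: the policy text sets no explicit minimum

# Rule 4: these words, and variants of them, are banned anywhere in a password.
BANNED_WORDS = {"password", "admin", "update", "access", "login",
                "computer", "terminal", "workstation", "work", "home"}

# Rule 3: dictionary words. Constructed sample; load a real word list in practice.
DICTIONARY = {"second", "summer", "dragon", "welcome", "network",
              "monkey", "sunshine", "qwerty", "letmein"}

# Symbol/digit-for-letter substitutions, so "P@ssw0rd" is still "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})


def _candidate_forms(pw: str) -> set:
    """Forms of the password that are compared against the word lists."""
    low = pw.lower()
    deleet = low.translate(LEET)
    forms = {low, deleet}
    # Strip leading/trailing digits and punctuation: "second2", "summer2024!"
    # so that a sound-alike digit glued onto a word does not hide the word.
    for form in (low, deleet):
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", form)
        if core:
            forms.add(core)
    return forms


def _is_dictionary_based(form: str) -> bool:
    if form in DICTIONARY:
        return True
    # Two dictionary words glued together ("dragonmonkey").
    return any(form[:i] in DICTIONARY and form[i:] in DICTIONARY
               for i in range(3, len(form) - 2))


def check_password(pw: str, first_name: str = "", last_name: str = "",
                   personal_names: tuple = ()) -> list:
    """Return the rules the password violates (empty list = acceptable).
    personal_names: names of children, pets, etc. supplied at registration."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too-short")
    forms = _candidate_forms(pw)

    # Rules 1 and 2: first/last names, combinations, children's and pets' names.
    names = {n.lower() for n in (first_name, last_name, *personal_names) if n}
    combos = set(names)
    if first_name and last_name:
        fn, ln = first_name.lower(), last_name.lower()
        combos |= {fn + ln, ln + fn, fn[0] + ln, fn + ln[0]}
    if any(c in form for c in combos if len(c) >= 3 for form in forms):
        reasons.append("name")

    # Rule 3: dictionary words, including "second2"-style sound-alike digits.
    if any(_is_dictionary_based(form) for form in forms):
        reasons.append("dictionary")

    # Rule 4: banned words and their variants, anywhere in the password.
    if any(b in form for b in BANNED_WORDS for form in forms):
        reasons.append("banned")
    return reasons


if __name__ == "__main__":
    samples = [("P@ssw0rd!", "", "", ()),
               ("second2", "", "", ()),
               ("AyeshaKhan1", "Ayesha", "Khan", ()),        # constructed name
               ("Fluffy2019!!", "", "", ("Fluffy",)),        # constructed pet name
               ("xK7#vLp2$Qw9zR", "", "", ())]
    for pw, fn, ln, extra in samples:
        print(f"{pw:16} -> {check_password(pw, fn, ln, extra) or 'ok'}")
```

The check works on several normalised forms of the password at once, so a rule is not evaded by capitalisation, by swapping letters for look-alike symbols, or by appending a digit; the trade-off is that a very short dictionary will let through words it does not know, which is why the real word list matters more than the code.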

9. Wi-Fi Security
All Wireless Access Points (WAPs) must be configured by:
1. changing the WAP defaults (administration password, router name, router IP address, SSID name, etc.);
2. encrypting the signal using the best available encryption method, in order from most to least desirable: WPA2, WPA, 128-bit WEP (WEP and WPA/TKIP have well-known practical attacks and should be retired as soon as equipment allows; WPA3 should be preferred where supported);
3. requiring VPN access into the LAN from anywhere outside the firewall;
4. implementing a written access policy, such as this one.

10. Unauthorized Software
Any requirement to use non-standard software on equipment processing KMZ information must be notified to the DC Support Team / IS Manager before installation. All software used on equipment must have a valid licence agreement; it is the responsibility of the "owner" or responsible user of non-standard software to ensure that this is the case. Any additional PCs added to the network must have a licence for the appropriate software, i.e. operating system, SQL client, Exchange client, antivirus, Microsoft Office, etc.
11. Malicious Software
Measures shall be in place to detect and protect the network from viruses, malware, ransomware and other cyber threats.