
ITC Security Policy for cloud services
Versioning

Version | Date | Description
1.0 | 07.12.2015 | Initial
1.1 | 27.10.2017 | Translated to English
The ITC security policy is intended to comply with standards, requirements and recommendations from the following third parties:
- PCI - Payment Card Industry standard
- SANS - System Administration, Networking and Security institute
- Norsis - Norsk senter for informasjonssikring
- NSM - Nasjonal sikkerhetsmyndighet
- IETF - Internet Engineering Task Force
- RFC - Request For Comments
- ITU - International Telecommunication Union
- ISO - International Organization for Standardization
and general best practice.
Requirements for all
- Security in systems and services must be continuously developed and maintained. Automated maintenance must not be executed from any lower security zone.
- Every person must have their own account. Sharing a password between persons is not allowed.
- Passwords, any form of software token, or PKI material capable of giving superuser access to any other system or service must not be permanently stored anywhere, not even encrypted. Shared secrets for two-step token generation are allowed on employee devices in encrypted form, but only on non-jailbroken mobile devices (phone/tablet).
- As few people as possible should have access.
- Only employees can have permanent superuser access.
- Communication between different security zones must be encrypted.
- Any login allowing superuser access must, as a minimum, require 2-step authentication and auditing.
- Single Sign-On (SSO) is not allowed between different services. This means it is not permitted to log in with two-step authentication on the first service and then access another service without being required to re-authenticate.
- Security systems and procedures must be tested frequently.
- All systems and services must be continuously monitored.
- Machine-to-machine authentication between different services that allows superuser access is not permitted. This includes monitoring and maintenance systems.
- Direct communication with a third-party network from a high security zone is not permitted; such communication must go through a protected service in a lower zone.
- VPN/proxy services that allow access into a high security zone are not allowed unless every VPN user has a unique IP address with a restrictive firewall in front. The VPN service must fulfil the same security requirements and belong to the same security zone as the system or service it protects.
Requirements for applications
- An application is not allowed to have access to the processes of other services.
- An application is not allowed to have access to the files or data of other services.
- An application is not allowed to have superuser access to the operating system or to CPU ring 0, 1 or 2.
- Trusted applications are only allowed when all of the source code is available and the application has been compiled from that source code.
Virtual servers and the hypervisor
- No VM is allowed by the network switch to use MAC addresses or IP addresses other than its own.
- Only employees shall be granted superuser access, even temporarily.
- It is not allowed to give the same VM access to different security zones.
- No VM is allowed to run as superuser/root.
- No VM is allowed, at the process level, to have access to any other VM.
Physical network switches
- The switch must require MAC authentication on the server port or be configured with a manual MAC filter.
Requirements for routers / firewalls
- VMs and servers shall not be allowed to use TCP/IP ports that are not in use.
Requirements for storage systems
- The storage system must be behind a closed network accessible only to the applications that require it. Management is only allowed from machines in the same security zone or higher.
Requirements for physical security
- Equipment shall be locked and have access control.
- No third parties shall have physical access to the equipment.