The purpose of this policy is to establish the organizational requirements for Identification & Authentication management practices to ensure we operate within a secure infrastructure, using methods that meet or exceed industry best practices as well any governing compliance frameworks necessary to support our customers.

Provide guidance and operation methods and processes that must be maintained to conform with these policies.

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Separate user functionality from system management functionality.

Prevent unauthorized and unintended information transfer via shared system resources.

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

Establish and manage cryptographic keys for cryptography employed in organizational systems.

Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.

Control and monitor the use of mobile code.

Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

Protect the authenticity of communications sessions.

Protect the confidentiality of CUI at rest.

This document describes the Plan under which third party organizations connect to DLZP Group networks for the purpose of transacting business related to DLZP Group.

Connections between third parties that require access to non-public DLZP Group resources fall under this Plan, regardless of the technology used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for DLZP Group or to the Public Switched Telephone Network does NOT fall under this Plan.

All new extranet connectivity will go through a security review by DLZP leadership. The reviews are to ensure that all access matches the business requirements in the best possible way, and that the principle of least required access is followed.

All new connection requests between third parties and DLZP Group require that the third party and DLZP Group representatives agree to and sign an Agreement. This agreement must be signed by the DLZP Group executive management as well as a representative from the third party who is legally empowered to sign on behalf of the third party. The signed document is to be kept on file with the relevant extranet group.

All production extranet connections must be accompanied by a valid business justification, in writing, that is approved by DLZP leadership. Typically this function is handled as part of the Third Party Agreement.

The Sponsoring Organization must designate a person to be the Point of Contact (POC) for the Extranet connection. The POC acts on behalf of the Sponsoring Organization, and is responsible for those portions of this Plan and the Third Party Agreement that pertain to it. In the event that the POC changes, the relevant extranet organization must be informed promptly.

Sponsoring Organizations within DLZP Group that wish to establish connectivity to a third party are to file a new site request with the proper extranet group. The extranet group will engage IT management to address security issues inherent in the project.

All connectivity established must be based on the least-privalaged access principle, in accordance with the approved business requirements and the security review. In no case will DLZP Group rely upon the third party to protect DLZP Group’s resources.

All changes in access must be accompanied by a valid business justification, and are subject to security review. Changes are to be implemented via corporate change management process. The Sponsoring Organization is responsible for notifying IT management when there is a material change in their originally provided information so that security and connectivity evolve accordingly.

When access is no longer required, the Sponsoring Organization within DLZP Group must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean a modification of existing permissions up to terminating the circuit, as appropriate. The extranet and lab security teams must conduct an audit of their respective connections on an annual basis to ensure that all existing connections are still needed, and that the access provided meets the needs of the connection. Connections that are found to be depreciated, and/or are no longer being used to conduct DLZP Group business, will be terminated immediately. Should a security incident or a finding that a circuit has been deprecated and is no longer being used to conduct DLZP Group business necessitate a modification of existing permissions, or termination of connectivity, IT management will notify the POC or the Sponsoring Organization of the change prior to taking any action.

Any employee found to have violated this Plan may be subject to disciplinary action, up to and including termination of employment.

This network documentation Plan is an internal DLZP Group Plan and defines the requirements for network documentation. It defines who will have access to read network documentation and who will have access to change it. It also defines who will be notified when changes are made to the network.

This Plan is designed to provide for network stability by ensuring that network documentation is complete and current. This Plan complements disaster management and recovery by ensuring that documentation is available in the event that systems should need to be rebuilt. This Plan will help reduce troubleshooting time by ensuring that appropriate personnel are notified when changes are made to the network.

DLZP Group maintains all of its infrastructure in AWS cloud and may support other cloud environments in the future. The following virtual equivalents of these legacy services will be documented based on actual cloud services usage.

The network structure and configuration shall be documented and provide the following information:

1. IP addresses of all devices on the network with static IP addresses.
2. Server documentation on all servers as outlined in the “Server Documentation” document.

Network drawings showing:

IT Department Management have full access to all network documentation. IT Department Management shall have the ability to read and modify network documentation. Designated enterprise security staff shall have access to read and change network documentation but those not designated with change access cannot change it.

Appropriate groups of people shall be notified through email when network changes are made including:

1. Reboot of a network device including switches, routers, and firewalls.
2. Upgrades to any software on any network device.
3. Additions of any software on any network device.
4. Changes to any servers which perform significant network functions whether configuration or upgrade changes are made. These servers include:

The Network Administrator shall ensure that network documentation is kept current by performing a quarterly review of documentation or designating a staff member to perform a review. The Test Track requests within the last quarter should be reviewed to help determine whether any network changes were made. Also any current or completed projects affecting network settings are reviewed to determine whether there were any network changes made to support the project.

Network documentation is kept in electronic form in a minimum of two places.

The purpose of this Plan is to define standards for connecting to DLZP Group’s network from any host. These standards are designed to minimize the potential exposure to DLZP Group from damages that may result from unauthorized use of DLZP Group’s resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical DLZP Group’s internal systems, etc.

This Plan applies to all DLZP Group employees, contractors, vendors and agents with a DLZP Group-owned or personally-owned computer or workstation used to connect to the DLZP Group network. This Plan applies to remote access connections used to do work on behalf of DLZP Group, including reading or sending email and viewing intranet web resources.

Remote access implementations that are covered by this Plan include, but are not limited to, cable modems, DSL, VPN (using an encrypted VPN client), etc.

Any employee found to have violated this Plan may be subject to disciplinary action, up to and including termination of employment.

The purpose of this Plan is to provide guidelines for Remote Access Virtual Private Network (VPN) connections to the DLZP Group corporate network.

This Plan applies to all DLZP Group employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties utilizing a VPN to access the DLZP Group network.

Approved DLZP Group employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of a VPN, which is a “user managed” service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, and paying any associated fees. Further details may be found in the Remote Access Plan. Additionally,

Any employee found to have violated this Plan may be subject to disciplinary action, up to and including termination of employment.

This Plan prohibits access to DLZP Group networks via unsecured wireless communication mechanisms.

This Plan covers all wireless data communication devices (e.g., personal computers, cellular phones, PDAs, etc.) connected to any of DLZP Group’s internal networks. This includes any form of wireless communication device capable of transmitting packet data. Wireless devices and/or networks without any connectivity to DLZP Group’s networks do not fall under the purview of this Plan.

27.3.1 Register Access Points and Cards All wireless Access Points / Base Stations connected to the corporate network must be registered and approved by DLZP Group’s Network Administrator. These Access Points / Base Stations are subject to periodic penetration tests and audits. All wireless Network Interface Cards (i.e., PC cards) used in corporate laptop or desktop computers must be registered with DLZP Group.

27.3.2 Approved Technology All wireless LAN access must use corporate-approved vendor products and security configurations.

27.3.3 VPN Encryption and Authentication All computers with wireless LAN devices must utilize a corporate-approved Virtual Private Network (VPN) configured to drop all unauthenticated and unencrypted traffic. To comply with this Plan, wireless implementations must maintain point to point hardware encryption of at least 256 bits. All implementations must support a hardware address that can be registered and tracked, i.e., a MAC address. All implementations must support and employ strong user authentication.

Any employee found to have violated this Plan may be subject to disciplinary action, up to and including termination of employment.