IT Infrastructure Guidelines

Document ID : IT Infrastructure Guidelines Ver_2.00

on : December 29, 2021

Prepared By : Shaik

Approved By : Soundarrajan

Internal 2 of 6

1. Scope

These guidelines Administration, Network Administration, and Telecom services and Desktop support functions.

2. Purpose

The purpose of this guideline is to provide basic security requirements to IT Infrastructure team to protect Network and systems from unauthorized access and use.

3. Guidelines

3.1. Security

• should ensure that Licenses and critical system documents are available on server and access should be restricted to Head IT infrastructure and Manager.

• “System Use” monitoring should be done NMS on critical applications servers.

• Reports and alerts for systems utilization and any changes should be enabled on all critical applications.

• Regular monitoring for resource utilization should carried out using “OP

• Manager”. Filtering of traffic through network should be done with respect to tables and rules maintained by IT.

• The network services should be provided the basis of business requirements of the individuals.

• The list subnet assigned to various projects be maintained.

3.2. Router Security

• Every router should meet the following configuration standards:

• No local user accounts should be configured the router.

• Routing controls be based on source destination.

• The enable password on the router should be in a secure encrypted form.

• Disallow the following:

a) IP broadcasts

b) Incoming packets at router with invalid addresses

c) TCP small services

d) UDP small services

e) All source routing

f) All web services running on router

• Corporate standardized community strings be used.

• Access rules should be as business needs arise.

IT Infrastructure Guidelines

Internal 3 of 6

• Each router should have a log-on warning statement posted in clear view.

• Physical and logical access to diagnostic and configuration should be controlled.

3.2.1. VLAN Security

VLANs should be defined in VLAN Schema with the of configuring access. Inter VLAN access to users should not be given and should only be with access to the services they have been specifically to use.

3.2.2. VPN Security

• VPN access should be given to only or users business needs, by appropriate authority. VPN have a “Two node” for users and should be encrypted.

• maintenance services are offered through use of Information Dynamics VPN (such as Dialer maintenance) security features, service levels, and requirements of all network services should be identified and included in network services agreement.

3.3. Server Security

IT and Network Team be responsible for system administration and should own all internal servers deployed at Information Dynamics. guidelines should be followed but not be limited to server security:

• Any change in the setup or configuration of Servers should be registered.

• Configuration changes for production servers should the appropriate change management procedures.

• Operating System configuration should in accordance with approved guidelines.

• Services and applications will not be used should be disabled where practical.

• Access to services should be logged and/or protected through access- control methods.

• The approved security patches should be installed on the system, the only exception being when immediate application would interfere business requirements

• Servers should be physically located in an access- environment.

• should be specifically prohibited from operating from uncontrolled cubicle areas.

• All security-related events on critical or sensitive systems should be logged and audited.

IT Guidelines

Internal 4 of 6

• Security-related events report to Head IT Infrastructure and CISO. Corrective should be prescribed as needed. Security-related events include, but should be not limited to:

o Port-scan attacks

o Evidence of unauthorized access privileged accounts

o Anomalous occurrences that are not related to specific applications on the host.

• “Session Time Out” should be implemented to prevent unauthorized activity and server overload and restrictions on connection times should also be used to provide additional for high-risk applications.

• Fire wall should be enabled on internet facing servers and should include Group policies to prevent access to restricted sites.

• Logs of server should be reviewed fortnightly. Any unauthorized attempt to log server should be reported to and Head IT infrastructure.

• Information Dynamics IT Team should monitor security issues -- both internal external.

• Security should be implemented within a reasonable timeframe after release. Information Dynamics should make announcements of patches.

• The server should run legally licensed versions of the operating system and software.

• The server should run only necessary services.

• After the administrator determines what default accounts are required on a server, all other default accounts should be disabled.

• Servers should authenticate all users using industry-standard to ensure only authorized access to the resource.

3.3.1. Password Management

• All passwords of Servers, Critical application and data bases should include “Alphanumeric” characters

• passwords should be backed up along with the backup server data and media should be stored in a place. Passwords than three generation should destroyed.

• Passwords should not be stored in text on the computer system.

• Vendor supplied default passwords be modified before the system is migrated to the environment.

3.4. Desktop Security

• Local Password: Local Administrator Password should be created for all desktops in Organization be available with System admin Team/IT engineers.

IT Infrastructure Guidelines

Internal 5 of 6

• Antivirus: All desktops should have the latest antivirus to protect them from viruses and worms.

• Sharing: Sharing of folder on the local desktop should not allowed.

• Patches/Security Updates: Desktops should be with latest security patches/Updates.

• USB, Bluetooth: All USB (for storage media) ports, CD drive, Infrared, Bluetooth ports should be disabled.

• Utilities: User should be provided with utilities that are required to fulfill business purpose Information Dynamics, otherwise be disabled.

• Only licensed software application should be installed on desktops.

3.5. Technical Compliance Checking Guidelines

• The downtime required for the compliance check should be discussed & agreed.

• The live data & customer data should not be accessed by the auditors;

• The on production server should be agreed upon prior carrying out the check;

• Access organizational audit tools should be restricted. The access should only be given after an approval from ISM.

3.6. Log Review Guidelines

• Monitoring all system should be carried out periodically and necessary action should be taken on incidents identified through analysis.

• Transactions/event logs of and mail logs should be backed up.

• All the operational should be reported to HOD IT & Infrastructure.

• of Routers and Switches be reviewed. In case any incident is identified the of the same should saved further investigation.

• Logs of other network should be reviewed through Network Management System.

• All Administrator logs should be reviewed by Head IT Infrastructure.

• The of unsuccessful attempt on all application monitored, and investigated.

• Records of these monitoring should be maintained.

3.7. Code Protection Guidelines:

IT Infrastructure Guidelines

Internal 6 of 6

Protection should be provided against code “Antivirus”.

For security awareness, and appropriate system access and change management

controls, following should considered but not limited to.

• Information Dynamics access Control Policy should be while providing access the users to prevent any unauthorized access to the Information Dynamics Network and Computing facilities.

• Unauthorized software or software with inappropriate licensing should not be allowed to be installed on Servers and workstations.

• The licenses of software and applications should be maintained.

• Anti-Virus, Firewalls and other required detection software should be installed at Gateways, Mail Servers and desktops. Information Dynamics’s Anti- Policy should be considered while installation of any Anti- Virus product at Gateways, Mail Servers and Workstations.

• All Anti-Virus, Firewall and other detection software should be regularly updated for virus signatures. Adequate should be taken of all Licenses and updated signatures.

• All mails servers should have Antivirus detection software should be installed check all outgoing and incoming mails at Information Dynamics network traffic.

• All Servers facing Internet gateway should be removed from network while dealing with emergency situation or during installation of Anti- Virus software, Firewalls and other detection software to prevent execution of that may affect the functioning of other installed components on network.

• Freeware download should be blocked for the users in organization.