IT Infrastructure Guidelines 
Document ID : IT Infrastructure Guidelines Ver_2.00
on : December 29, 2021
Prepared By : Shaik
Approved By : Soundarrajan
 IT Infrastructure Guidelines 
Internal 2 of 6
  1. Scope
These guidelines Administration, Network Administration, and  Telecom services and Desktop support functions.
2. Purpose
The purpose of this guideline is to provide basic security requirements to IT  Infrastructure   team   to   protect   Network   and   systems   from   unauthorized   access   and   use.
3. Guidelines
3.1. Security
should ensure that Licenses and critical system  documents are available on server and access should be restricted to Head IT  infrastructure and Manager.
“System Use” monitoring should be done NMS on critical  applications servers.
Reports and alerts for systems utilization and any changes should be enabled  on all critical applications.
Regular monitoring for resource utilization should carried out using “OP
Manager”. Filtering of traffic through network should be done with  respect to tables and rules maintained by IT.
The network services should be provided the basis of business  requirements of the individuals.
The list subnet assigned to various projects be maintained.
3.2.  Router Security
Every router should meet the following configuration standards:
No local user accounts should be configured the router.
Routing controls be based on source destination.
The enable password on the router should be in a secure encrypted form.
Disallow the following:
a) IP broadcasts
b) Incoming packets at router with invalid addresses
c) TCP small services
d) UDP small services
e) All source routing
f) All web services running on router
Corporate standardized community strings be used.
Access rules should be as business needs arise.
 IT Infrastructure Guidelines 
Internal 3 of 6
Each router should have a log-on warning statement posted in clear view.
Physical and logical access to diagnostic and configuration should be  controlled.
3.2.1. VLAN Security
VLANs should be defined in VLAN Schema with the of configuring  access. Inter VLAN access to users should not be given and should only be  with access to the services they have been specifically  to use.
3.2.2. VPN Security
VPN access should be given to only or users business  needs, by appropriate authority. VPN have a “Two node”  for users and should be encrypted.
maintenance services are offered through use of Information  Dynamics VPN (such as Dialer maintenance) security features, service  levels, and requirements of all network services should be  identified and included in network services agreement.
3.3. Server Security
IT and Network Team be responsible for system administration and should  own all internal servers deployed at Information Dynamics. guidelines  should be followed but not be limited to server security:
Any change in the setup or configuration of Servers should be registered.
Configuration changes for production servers should the  appropriate change management procedures.
Operating System configuration should in accordance with approved  guidelines.
Services and applications will not be used should be disabled where  practical.
Access to services should be logged and/or protected through access- control methods.
The approved security patches should be installed on the system, the only  exception being when immediate application would interfere business  requirements
Servers should be physically located in an access- environment.
should be specifically prohibited from operating from  uncontrolled cubicle areas.
All security-related events on critical or sensitive systems should be  logged and audited.
 IT Guidelines 
Internal 4 of 6
Security-related events report to Head IT Infrastructure and CISO.  Corrective should be prescribed as needed. Security-related  events include, but should be not limited to:
o Port-scan attacks
o Evidence of unauthorized access privileged accounts
o Anomalous occurrences that are not related to specific applications  on the host.
“Session Time Out” should be implemented to prevent unauthorized  activity and server overload and restrictions on connection times should  also be used to provide additional for high-risk applications.
Fire wall should be enabled on internet facing servers and should include  Group policies to prevent access to restricted sites.
Logs of server should be reviewed fortnightly. Any unauthorized attempt  to log server should be reported to and Head IT  infrastructure.
Information Dynamics IT Team should monitor security issues -- both  internal external.
Security should be implemented within a reasonable timeframe  after release. Information Dynamics should make announcements  of patches.
The server should run legally licensed versions of the operating system  and software.
The server should run only necessary services.
After the administrator determines what default accounts are required on a  server, all other default accounts should be disabled.
Servers should authenticate all users using industry-standard to  ensure only authorized access to the resource.
3.3.1. Password Management
All passwords of Servers, Critical application and data bases should include  “Alphanumeric” characters 
passwords should be backed up along with the backup server data and  media should be stored in a place. Passwords than three  generation should destroyed.
Passwords should not be stored in text on the computer system.
Vendor supplied default passwords be modified before the system is  migrated to the environment.
3.4. Desktop Security
Local Password: Local Administrator Password should be created  for all desktops in Organization be available with System admin  Team/IT engineers.
 IT Infrastructure Guidelines 
Internal 5 of 6
Antivirus: All desktops should have the latest antivirus to protect  them from viruses and worms.
Sharing: Sharing of folder on the local desktop should not allowed.
Patches/Security Updates: Desktops should be with latest security  patches/Updates.
USB, Bluetooth: All USB (for storage media) ports, CD drive,  Infrared, Bluetooth ports should be disabled.
Utilities: User should be provided with utilities that are required  to fulfill business purpose Information Dynamics, otherwise be  disabled.
Only licensed software application should be installed on desktops.
3.5. Technical Compliance Checking Guidelines
The downtime required for the compliance check should be discussed &  agreed.
The live data & customer data should not be accessed by the auditors;
The on production server should be agreed upon prior carrying out the  check;
Access organizational audit tools should be restricted. The access should  only be given after an approval from ISM.
3.6. Log Review Guidelines
Monitoring all system should be carried out periodically and necessary  action should be taken on incidents identified through analysis.
Transactions/event logs of and mail logs should be backed up. 
All the operational should be reported to HOD IT & Infrastructure.
of Routers and Switches be reviewed. In case any incident is  identified the of the same should saved further investigation.
Logs of other network should be reviewed through Network  Management System.
All Administrator logs should be reviewed by Head IT Infrastructure.
The of unsuccessful attempt on all application monitored,  and investigated.
Records of these monitoring should be maintained.
3.7. Code Protection Guidelines:
 IT Infrastructure Guidelines 
Internal 6 of 6
Protection should be provided against code “Antivirus”.
For security awareness, and appropriate system access and change management
controls, following should considered but not limited to.
Information Dynamics access Control Policy should be while  providing access the users to prevent any unauthorized access to the  Information Dynamics Network and Computing facilities.
Unauthorized software or software with inappropriate licensing should not  be allowed to be installed on Servers and workstations.
The licenses of software and applications should be maintained.
Anti-Virus, Firewalls and other required detection software should be  installed at Gateways, Mail Servers and desktops. Information Dynamics’s  Anti- Policy should be considered while installation of any Anti- Virus product at Gateways, Mail Servers and Workstations.
All Anti-Virus, Firewall and other detection software should be regularly  updated for virus signatures. Adequate should be taken of all  Licenses and updated signatures.
All mails servers should have Antivirus detection software should be  installed check all outgoing and incoming mails at Information  Dynamics network traffic.
All Servers facing Internet gateway should be removed from network  while dealing with emergency situation or during installation of Anti- Virus software, Firewalls and other detection software to prevent  execution of that may affect the functioning of other installed  components on network.
Freeware download should be blocked for the users in organization.