|Version: 1.00||Issue Date: 3/3/2015|
This Extranet Policy specifies how third party organizations are allowed to connect to the organizational network when connecting is required to conduct business.
This Extranet Policy will help ensure that connections from third party organizations are secure.
This Extranet Policy describes how third party organizations may connect to our organizational network when the third party organization must connect to conduct business with our organization.
This Extranet Policy applies to all connections from external organizations which connect to organizational resources that are not publically available such as public web servers. Connections to Telephone companies and Internet Service Providers (ISPs) for the purposes of providing communications access to our organization are excluded from this policy. This policy applies to connections using VPN, ISDN, frame relay, telephone and other applicable connection methods. This policy is effective as of the issue date and does not expire unless superceded by another policy.
4.0 Connection Requirements
All external connections must be reviewed by the designated computer security staff and approved by the Chief Information Security Officer. A security review report must be created by security staff and signed by the requestor of the service and the Chief Information Security Officer. Any changes to the external connection must be justified and must be reviewed by the designated computer security staff and approved by the Chief Information Security Officer. Changes must be implemented in compliance with the Change Management Policy. All external connections must be kept in an inventory hard copy or database. The information must be kept current with a minimum of information including:
Type of connection (VPN, telephone, etc.)
Whether the connection is inbound, outbound, or both.
Networking information such as IP addresses used
Systems allowed access to
Business need for the connection
Number of users to use the connection and names if possible.
Point of contact in our organization
When the connection was implemented.
External connections may be terminated or suspended without warning due to security incidents but the connection team must notify the business owners as soon as is reasonably possible if their connection is suspended or terminated. All connections must be reviewed by the team managing them and the business owners of the connection must be contacted to be sure it is still required. When a connection is no longer required, the manager who sponsored the project must inform the manager of the team that manages external connections. The connection team will terminate the connection in compliance with the Change Management Policy.
All third parties that connect to the organizational network must agree not to attempt to circumvent security on any devices and must agree to access only those resources required. The agreement must be signed by the Chief Information Security Officer and a senior member of the third party organization who is qualified to sign for their organization. The Chief Information Security Officer will designate staff members to create the connection agreement.
All external connections must allow only the minimum privileges required to fit the business need according to the Access Control Policy.
Each connection to a third party organization must have a point of contact in our organization where the third party organization can direct questions or work to have problems resolved. The manager who is sponsoring the project that requires the connection must designate a point of contact for the connection.
Where certificates or public/private keys are used to support the connection or identify the connecting third party, a registration authority which must be a trusted third party must verify the credentials of the connecting party. Only after verification, can transactions be allowed.
Since proper management of external connections is important for protecting the security of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.
Approved by:__________________________ Signature:_____________________ Date:_______________