business, compliance, firewalls, networking, security

Sample – Managed Security Service (MSS) Firewall Standard

April 3, 2012

Scope
This standard applies to all corporate data, including corporate customer data, whether located at a corporate facility or a third party facility, and whether handled by corporate employees, or corporate contractors, vendors, third party service providers, or their staff or agents.  This standard also applies to all wholly owned and partially owned subsidiaries.

The guidance in this standard shall be considered the minimum acceptable requirements for the use of firewalls managed by the corporate Managed Security Services (MSS) team.  This standard sets forth expectations across the entire organization.  Additional guidance and control measures may apply to certain areas of corporate.  This standard shall not be construed to limit application of more stringent requirements where justified by business needs or assessed risks.

MSS Firewall Standard
Corporate’s business functions rely upon the integrity, confidentiality, and availability of its computer systems and the information assets stored within them.  Responsibilities and procedures for the management, operation and security of all information processing facilities must be established.  This standard supports those objectives.

Roles & Responsibilities

The End User (EU) is responsible for using the network services protected by MSS-managed firewalls in a manner consistent with this standard.

The IT Custodian is responsible for defining and implementing security measures and controls to ensure the system(s)/application(s) are managed and operated in a secure and effective manner.

The Chief Information Security Officer has overall responsibility for security policy, and in conjunction with the Information Security Department will be responsible for defining, implementing, managing, monitoring and reviewing compliance with this standard.

The Information Security Department will assist End Users and IT Custodians in assessing, defining, implementing, managing and monitoring appropriate controls and security measures.

The Information Security Department will audit and review the adequacy of controls and security measures in place to measure and enforce conformance to this policy.

Requirements and Implementations
Brand:  Juniper NetScreen, Check Point and Cisco PIX are the standard firewalls for all new firewall deployments at corporate.  Bandwidth requirements determine which model of firewall appliance is needed.

Acquisition:  Juniper NetScreen, Check Point and Cisco PIX appliances are purchased or leased through the corporate Managed Security Services team.

Management and Uptime Monitoring Access:  For firewalls that are co-managed, or managed and monitored, by MSS, management access is restricted to the Managed Security Services team by firewall rules on the management interfaces.  For monitor-only configurations, management access is restricted to the authorized firewall administrators of the Security Operations team.  Only the MSS team monitors the uptime of the firewalls.

Logging:  The MSS team will configure logging and will alert the Threat Response Team to detected security events and downtime.
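As an added worked example, not part of this standard and not any vendor's tooling, the Python below shows the kind of check an MSS team could run over firewall syslog to enforce the two items above: it flags management logins from outside the MSS management network, flags denied logins as security events, and reports a firewall whose log stream goes silent for longer than a threshold. The log lines are constructed; the management subnet 10.20.0.0/24, the hostnames fw-dc1 and fw-dc2, the addresses and the ten-minute silence threshold are assumptions, and the message text is only modeled on the Cisco PIX/ASA syslog style (the message IDs are assumed, not taken from the standard).

```python
"""Added example (not part of the standard): management-access and uptime
checks over firewall syslog.  Log lines, hostnames, addresses, the MSS
management subnet and the message IDs are constructed/assumed.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Hypothetical MSS management network: only logins from here are expected.
MSS_MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
# Longest acceptable silence from a firewall before it is treated as down.
HEARTBEAT_GAP = timedelta(minutes=10)
# Syslog carries no year; 2012 is assumed to match the document date.
LOG_YEAR = 2012

TS_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) ')
LOGIN_RE = re.compile(
    r'Login (?P<result>permitted|denied) from (?P<src>[\d.]+)/\d+ '
    r'to (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<svc>\w+) for user "(?P<user>[^"]+)"'
)

# Constructed sample syslog (PIX/ASA style, IDs assumed): two firewalls, one
# admin login from outside the MSS network, one denied login from the
# Internet, and fw-dc2 falling silent after 09:05.
SAMPLE_LOG = """\
Apr 03 09:00:01 fw-dc1 %PIX-6-605005: Login permitted from 10.20.0.15/51234 to inside:10.1.1.1/ssh for user "mssops"
Apr 03 09:01:10 fw-dc1 %PIX-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/40001 to inside:10.1.1.50/443
Apr 03 09:02:30 fw-dc1 %PIX-6-605005: Login permitted from 192.168.77.9/42000 to inside:10.1.1.1/ssh for user "admin"
Apr 03 09:03:00 fw-dc1 %PIX-6-605004: Login denied from 198.51.100.7/42001 to outside:203.0.113.1/ssh for user "root"
Apr 03 09:05:00 fw-dc2 %PIX-6-302013: Built inbound TCP connection 2001 for outside:198.51.100.8/40002 to inside:10.2.1.50/443
Apr 03 09:30:00 fw-dc1 %PIX-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.9/40003 to inside:10.1.1.50/443
"""


def parse_timestamp(ts, year=LOG_YEAR):
    """Turn a syslog 'Mon DD HH:MM:SS' stamp into a datetime."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def management_alerts(lines):
    """Security events from firewall login messages.

    Returns (kind, source_ip, user) tuples: 'login-denied' for any failed
    login, and 'mgmt-login-outside-mss' for a successful login whose source
    is not in the MSS management network, i.e. the management-access
    restriction is missing or has been bypassed."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        if m["result"] == "denied":
            alerts.append(("login-denied", m["src"], m["user"]))
        elif ipaddress.ip_address(m["src"]) not in MSS_MGMT_NET:
            alerts.append(("mgmt-login-outside-mss", m["src"], m["user"]))
    return alerts


def downtime_alerts(lines, now):
    """Hosts whose syslog stream has a gap longer than HEARTBEAT_GAP.

    Returns (host, gap_start, gap_end) tuples.  Silence from a host's last
    message up to `now` counts as a gap too, so a firewall that stops
    logging entirely is still reported."""
    alerts = []
    last_seen = {}
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue
        host, ts = m["host"], parse_timestamp(m["ts"])
        prev = last_seen.get(host)
        if prev is not None and ts - prev > HEARTBEAT_GAP:
            alerts.append((host, prev, ts))
        last_seen[host] = ts
    for host, prev in last_seen.items():
        if now - prev > HEARTBEAT_GAP:
            alerts.append((host, prev, now))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for alert in management_alerts(lines):
        print("SECURITY", *alert)
    now = parse_timestamp("Apr 03 09:35:00")
    for host, start, end in downtime_alerts(lines, now):
        print(f"DOWNTIME {host} no messages {start:%H:%M}-{end:%H:%M}")
```

Run against the sample it reports the admin login from 192.168.77.9, the denied root login from 198.51.100.7, a 27-minute hole in fw-dc1's stream and fw-dc2 silent since 09:05. In production the same two functions would be fed from the central syslog collector rather than an inline string, and the silence threshold tuned to each firewall's normal message rate.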

Metrics and Reporting:  The MSS team will make all reports and metrics available via the Secure Internet Interface for authorized users to download and use internally.

Exceptions to this standard must be documented in a Risk Acceptance form approved by the System / Application Business Owner, an Executive Lines of Business representative, the IT Custodian and the Information Security Compliance Department.

Common services to consider:

  1. Management and configuration of firewalls
  2. Monitoring of stateful and stateless (packet-filtering) firewalls
  3. Escalation of security events and, when warranted, of security incidents
  4. Service Level Agreements (SLAs), coordination of change management, and proactive system monitoring
  5. Firewall policy changes in response to attacks, suspicious activity or network misuse, and to customer connectivity issues
  6. Reporting based on SLA / OLA (Operational Level Agreement) requirements
  7. Firewall log archival based on corporate and regulatory compliance requirements.