Server Security Policy

1.0 Overview

The servers that host our systems are crucial to the ongoing success of the FunnelMaker business. Securing them is as important as securing our networks, to add another layer to the security of the organization.

2.0 Purpose

This policy document outlines best practices for building and maintaining strong servers.

3.0 Scope

These guidelines apply to employees, contractors, consultants, temporary and other workers at FunnelMaker, including all personnel affiliated with third parties.

These guidelines apply to all servers, both physical, and virtual, on premises or in the cloud.

4.0 Policy

4.1 Server Configuration

4.1.1 Operating System configuration should be in accordance with approved information security guidelines, including CIS benchmarks, NIST guidelines, and known vendor recommendations.
FunnelMaker employs routine scans that check for and report on these every three days.

4.1.2 Services and applications that will not be used must be disabled where practical.

4.1.3 Servers should be configured, maintained, and orchestrated using an automated system.

We use Ansible, Puppet, and Docker Swarm to manage all servers, physical and virtual.

4.1.4 Access to services should be logged and/or protected through access-control methods such as a web application firewall, if possible.
Internal services are restricted by IP and all access is logged.

4.1.5 The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.

4.1.6 Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication is sufficient.

All communication between systems is certificate-based.

4.1.7 Always use standard security principles of least required access to perform a function. Do not use root when a non-privileged account will do.

4.1.8 If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels, (e.g., encrypted network connections using SSH or IPSec).

4.1.9 Servers should be physically located in an access-controlled environment.

4.1.10 Servers are specifically prohibited from operating from uncontrolled cubicle areas.

4.1.11 All servers must have passwords changed from the default for accounts that can be logged in. Ansible and Puppet updating passwords to new passwords is acceptable.

4.2 Server Monitoring

4.2.1 All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:

All security related logs are kept online for a minimum of 1 week.
Daily incremental backups are retained for at least 2 weeks.
Monthly full backups are retained for a minimum of 6 months.

4.2.2 Security-related events will be reported to the Operations Team, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:

Port-scan attacks
Evidence of unauthorized access to privileged accounts
Anomalous occurrences that are not related to specific applications on the host

4.2.3 Systems must be monitored by a known and established monitoring suite, with all alerts enabled.

FunnelMaker runs multiple monitoring suites (Nagios, Zabbix, Prometheus)

4.2.4 Systems must be scanned for vulnerabilities regularly.
FunnelMaker has automated processes that execute Lynis, RKHunter, and ChkRootkit scans across every server every three days. There is also a monthly OpenVAS scan that checks through tens of thousands of vulnerabilities.

4.2.5 Systems must run a sufficient anti-virus system.
FunnelMaker runs Sophos Anti-Virus for Linux.

4.3 Server Access

4.3.1 Access to production servers and super-user accounts must be limited by the principle of least privilege.
Only the Operations Team has access to production servers.

4.4 Vulnerability / Penetration Testing

4.4.1 Vulnerability testing is done through TrustWave's third party testing tool. Scans to app.stgi.net and secure.FunnelMaker.com are run every month.

4.4.2 SecurityMetrics performs monthly penetration testing on our primary IP address and sends monthly report emails.

4.4.3 OpenVas is a network vulnerability testing service that tests our network with over 47,000 possible exploits. This testing is completed every month.