Server Security Policy
Overview
Mediflash created this policy to outline practices for secure administration of servers that will aim to limit risk against real-world threats and defend against cyber threats in a responsible and pragmatic manner. Consistent server administration, updated policies and configuration management all help to secure the digital environment.
Standards – The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned, operated, and/or leased by Mediflash. Effective implementation of this policy will minimize unauthorized access to Mediflash proprietary information and technology.
Scope – All employees, contractors, consultants, temporary and other workers at Mediflash and its subsidiaries must adhere to this policy. This policy applies to server equipment that is owned, operated, and/or leased by Mediflash or registered under a Mediflash-owned internal network domain.
Policy
General Requirements – All internal servers deployed at Mediflash are managed by an operational group that is responsible for system administration. Approved server configuration guides are established and maintained by that group. Information and configuration changes are logged and kept up to date following appropriate change management procedures. For security, compliance, and maintenance purposes, authorized personnel may monitor, and audit equipment, systems, processes, and network traffic as required.
Configuration Requirements – Operating System are configured following the configuration guides for consistent environments. Services and applications that will not be used are disabled where practical. Access to services is logged and protected through access-control lists. The most recent security patches are installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
Security – Security principles of least required access to perform a function are always employed. If a methodology for secure channel connection is available (i.e., technically feasible), privileged access is performed over those secured channels. Servers are physically located in an access-controlled environment. All security-related events on critical or sensitive systems are logged. Security-related events are reported to ownership. Corrective measures are then prescribed as needed.
Policy Compliance – The systems administration team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner. An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.