A.14.2.5 Resolver General Hardening Guidelines

1. Purpose, scope, and users

Resolver’s Hosted Platform has automated the process of building out, hardening, and securing servers.

Resolver’s Hosted Platform uses a combination of scripts, automation tools, and server imaging to build out servers. These tools and processes ensure that all servers have the same foundation, layered products, and security configuration.

The intended audiences for this document are DevOps, QE, and Development team members looking for guidance on best practices for deploying production, testing, and development environments.

2. Reference documents

  • ISO/IEC 27001:2013 standard, control A.14.2.5
  • Information Security Policy (ISP)

3. General guidelines for VM deployment

  • An Infrastructure as Code (IaC) approach should be taken wherever possible.
  • All unnecessary virtual devices should be removed, such as:
    • Floppy Drive
    • USB Controller
    • Sound Card
    • Printers
    • Parallel / Serial Ports
  • Encrypt data, snapshots, and disk I/O by using encrypted EBS volumes with AES-256 encryption enabled.
  • Disable UPnP
  • It is preferred to disallow SSH by default. SSH access should be enabled only internally and should be blocked by the firewall from outside the management network.
  • All servers should have the same software and configuration foundation.

4. General guidelines for OS deployment

  • All unnecessary services and protocols should be uninstalled/removed or turned off:
    • Disable IP Forwarding.
    • Disable IPv6 protocol if not in use.
    • Disable wireless & WWAN.
    • Disable FireWire / USB mass storage devices.
  • All ports not required for external/outside access should be restricted by firewall rules, security groups, or ACLs.
  • All servers are patched on a monthly basis; urgent security patches are evaluated as they are released by our respective vendors and security bodies.
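Added here as an illustration, not Resolver’s own tooling: a POSIX shell audit that checks the OS-level items in this section against captured host state. It assumes Linux hosts where IP forwarding and IPv6 are controlled through sysctl and FireWire/USB storage through modprobe.d rules; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the Resolver document): offline audit of the
# section 4 OS settings, read from `sysctl -a` output and modprobe.d files.

# Kernel parameters behind "disable IP forwarding" and "disable IPv6 if not in use".
REQUIRED_SYSCTL="net.ipv4.ip_forward=0
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1"

# Kernel modules behind "disable FireWire / USB mass storage devices".
BLOCKED_MODULES="firewire_core usb_storage"

# audit_sysctl FILE: FILE holds "key = value" lines in `sysctl -a` format.
# Prints one line per deviation; returns 1 if any deviation was found.
audit_sysctl() {
  file=$1 rc=0
  for pair in $REQUIRED_SYSCTL; do
    key=${pair%%=*} want=${pair#*=}
    # The last matching line wins, mirroring how sysctl applies settings.
    have=$(sed -n "s/^$key *= *//p" "$file" | tail -n 1)
    if [ "$have" != "$want" ]; then
      echo "sysctl $key: have '${have:-<unset>}', want '$want'"; rc=1
    fi
  done
  return $rc
}

# audit_modprobe FILE: FILE is a modprobe.d configuration. A module counts as
# disabled only with an "install <mod> /bin/false" (or /bin/true) rule;
# "blacklist" alone still allows explicit loading or loading as a dependency.
audit_modprobe() {
  file=$1 rc=0
  for mod in $BLOCKED_MODULES; do
    alt="${mod%%_*}-${mod#*_}"   # modprobe accepts usb_storage or usb-storage
    if ! grep -Eq "^install +($mod|$alt) +/bin/(false|true)" "$file"; then
      echo "module $mod: no install rule disabling it"; rc=1
    fi
  done
  return $rc
}

# Constructed sample inputs standing in for a real host's state.
SAMPLE_DIR=$(mktemp -d)
printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.disable_ipv6 = 1\n' > "$SAMPLE_DIR/bad.sysctl"
printf 'net.ipv4.ip_forward = 0\nnet.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv6.conf.default.disable_ipv6 = 1\n' > "$SAMPLE_DIR/good.sysctl"
printf 'blacklist usb_storage\ninstall firewire-core /bin/false\n' > "$SAMPLE_DIR/bad.modprobe"
printf 'install usb-storage /bin/false\ninstall firewire_core /bin/true\n' > "$SAMPLE_DIR/good.modprobe"
for f in bad good; do
  echo "== $f =="; audit_sysctl "$SAMPLE_DIR/$f.sysctl"; audit_modprobe "$SAMPLE_DIR/$f.modprobe"
done
```

On a real host, feed the functions `sysctl -a` output and the concatenated /etc/modprobe.d/*.conf files instead of the samples.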

5. Components

Our automation tooling provides a robust set of tools for server creation, deployment, backup, deletion, and management.

6. Process

All servers are requested through DevOps. DevOps receives and reviews the request to ensure technical suitability before building out the server. DevOps uses standardized tools or IaC to build out and deploy servers that are fully hardened with standard Platform tools and infrastructure, with the correct patches and software versions.

7. Non-Conformance

All policies require the participation of staff and contractors to be successful. Any employee or contractor found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

8. Validity and document management

This document is valid as of July 2020.

The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • The number of incidents arising from unclear definitions in this document.

EFFECTIVE ON: September 2020
REVIEW CYCLE: Annual at least and as needed
REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.