1. Network Security Management
Purpose: To ensure the protection of information in networks and its supporting information processing facilities.
1.1. Responsibility and Ownership
- Networks shall be managed to ensure the security of data and the protection of connected services from unauthorised access. The overall responsibility for provision of network services and ensuring their security, to meet the business need, resides with the Head of Customer Infrastructure and Operations and the Head of Content Infrastructure and Distribution.
1.2. Network Controls
- Configuration standards for network equipment shall be documented to provide instruction to staff regarding the configuration and setup of the equipment. The configuration standards should cover topics such as:
- Device hardening.
- Admin account setup.
- Naming conventions.
- Configuration backup.
- Logging requirements.
- Changes to the configuration of the network shall be subject to documented change control procedures.
- Layer 3 and Layer 2 network diagrams must be maintained and kept up-to-date. Any network changes being presented through the change review process that have a material impact on the layer 3 or layer 2 topology need to be presented with as-is and to-be network diagrams to highlight impacts of the changes.
- Access to network management systems shall be tightly controlled, making sure that users do not have more privilege than is required to perform their job. Access to network management systems, and the level of access granted, shall be authorised by the Infrastructure and Operations Manager (Corporate, Network and Broadband Systems).
- Access to the network management interface on network security appliances shall be restricted to specially created network management VLANs.
- Authentication into devices and services that provide a network security function, for users with admin change privileges, should incorporate multi-factor authentication.
Logging and Monitoring
- Appropriate logging and monitoring shall be applied to enable the recording of network-based events that may affect, or are relevant to Information Security. Examples of the types of events that need to be logged include:
- Configuration change events on network devices;
- IP conversation history between systems on the network; and
- Allowed/denied hits on security policies on network security devices.
- Logging should be kept for a minimum of one year to allow for forensic investigations into historical incidents.
Network Connection Control
- Any exposed network connection points that allow a user to plug a workstation into the network shall support authentication. 802.1X style controls with username and password or machine certificates are the preference with MAC based authentication being the minimum standard.
- Computers not managed by QSR International are not permitted to be plugged into the QSR International corporate network.
- Computers of partner organisations that require access to QSR International systems may only be connected to specially designed contractor networks that segment the connected computers from the remainder of the corporate network, and provide tight controls over precisely what internal systems can be accessed.
Wireless Network Security
- Staff, contractors, consultants and visitors must not introduce wireless networks or Access Points (AP) into a QSR International site. Wireless networks must only be set up by authorised Information and Technology Network administrators and must be approved by the Change Advisory Board through the change control process.
- An inventory of authorised wireless access points is to be maintained including a documented business justification.
- Business sites must be swept quarterly to detect and identify all authorised and unauthorised wireless access points.
- The wireless network shall be encrypted using a suitably strong protocol. The preferred standard is WPA2. Use of WPA and WEP is prohibited. A high level of key strength should be used (128 bit or higher). Static keys should be avoided, although they are permitted for guest networks that provide Internet access only and no access to the internal network.
- All wireless access points deployed at any QSR International site need to support central management through a single common management system.
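The quarterly sweep, the authorised inventory with its business justification and the encryption rules above can be reconciled mechanically. The following is an added example, not QSR International's own tooling; the record layouts, the protocol names reported by the sweep tool and the sample inventory and sweep are constructed assumptions.

```python
from dataclasses import dataclass

ALLOWED_PROTOCOLS = {"WPA2"}   # preferred standard; WPA and WEP are prohibited
MIN_KEY_BITS = 128             # minimum key strength required by the policy

@dataclass(frozen=True)
class AuthorisedAP:            # one row of the authorised AP inventory
    bssid: str
    ssid: str
    justification: str         # documented business justification
    guest_only: bool           # Internet-only guest network (static key permitted)

@dataclass(frozen=True)
class SweepHit:                # one AP detected during the site sweep
    bssid: str
    ssid: str
    protocol: str
    key_bits: int
    static_key: bool

def review_sweep(inventory, sweep):
    """Return (bssid, finding) pairs for rogue, undocumented or weakly configured APs."""
    known = {ap.bssid.lower(): ap for ap in inventory}
    seen, findings = set(), []
    for hit in sweep:
        bssid = hit.bssid.lower()
        seen.add(bssid)
        ap = known.get(bssid)
        if ap is None:                       # not in inventory: unauthorised AP
            findings.append((bssid, "unauthorised access point"))
            continue
        if not ap.justification.strip():
            findings.append((bssid, "no documented business justification"))
        if hit.protocol.upper() not in ALLOWED_PROTOCOLS:
            findings.append((bssid, f"prohibited or unapproved protocol {hit.protocol}"))
        if hit.key_bits < MIN_KEY_BITS:
            findings.append((bssid, f"key strength {hit.key_bits} bit below {MIN_KEY_BITS}"))
        if hit.static_key and not ap.guest_only:
            findings.append((bssid, "static key on a network with internal access"))
    for bssid in known.keys() - seen:        # authorised but absent: verify decommissioning
        findings.append((bssid, "authorised access point not detected in sweep"))
    return findings

# Constructed sample data, not a real inventory or sweep result.
SAMPLE_INVENTORY = [
    AuthorisedAP("aa:bb:cc:00:00:01", "QSR-Corp", "Staff access, floor 3", False),
    AuthorisedAP("aa:bb:cc:00:00:02", "QSR-Guest", "Visitor Internet access only", True),
    AuthorisedAP("aa:bb:cc:00:00:03", "QSR-Lab", "", False),
]
SAMPLE_SWEEP = [
    SweepHit("AA:BB:CC:00:00:01", "QSR-Corp", "WPA2", 256, False),
    SweepHit("aa:bb:cc:00:00:02", "QSR-Guest", "WPA2", 128, True),
    SweepHit("aa:bb:cc:00:00:03", "QSR-Lab", "WEP", 64, True),
    SweepHit("de:ad:be:ef:00:99", "Free-WiFi", "OPEN", 0, False),
]
```

Running `review_sweep(SAMPLE_INVENTORY, SAMPLE_SWEEP)` flags the unlisted "Free-WiFi" AP and four problems on the lab AP, while the guest AP's static key passes because it is marked Internet-only.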
1.3. Segregation in networks
- Groups of information services, users and information systems shall be segregated on networks through the design and implementation of network security domains. There are a variety of ways to define network security domains. The domains can be chosen based on trust levels (e.g. public access domain, desktop domain, server domain), along organisational units (e.g. human resources, finance, marketing) or a combination (e.g. a server domain connected to multiple organisational units). The segregation can be performed using either physically different networks or different logical networks.
- The network domain model needs to communicate the intent of network segmentation at QSR International, the typical control sets to apply to each domain and the communication rules between domains.
Requirements for Firewalls (including routers)
- External network boundaries shall be secured by the use of an appropriately configured and managed firewall or combination of firewalls. Firewalls shall be configured to provide the maximum amount of security consistent with business requirements.
- The security of gateways and firewalls must be subjected periodically to expert scrutiny with reference to the registered connections, and to penetration testing. This must be undertaken at least once a year, and after any major reconfiguration.
- Any part of a network that is on premises where QSR International does not have control of the physical security shall be segregated by a firewall. Inward access shall be subject to risk assessment and strict control. A DMZ shall be used wherever possible for servers that are accessed by external users.
- All firewall rules and router ACLs shall be adequately documented so that an independent reviewer can understand their purpose and the documentation must be maintained and made available for audit. Rulesets and ACLs must be reviewed annually to ensure that rules are correct and up-to-date.
- Disclosure of private IP addresses and routing information to unauthorised parties is prohibited. Methods to obscure IP addressing may include, but are not limited to:
- Network Address Translation (NAT);
- placing servers containing cardholder data behind proxy servers/firewalls;
- removal or filtering of route advertisements for private networks that employ registered addressing; and
- internal use of RFC1918 address space instead of registered addresses.
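The requirement that every firewall rule and router ACL be documented well enough for an independent reviewer, and reviewed annually, lends itself to an automated pre-audit check. The following is an added example, not QSR International's own tooling; the CSV export layout, column names and the sample rules are constructed assumptions rather than any vendor's format.

```python
import csv
import io
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)                            # rulesets and ACLs reviewed annually
REQUIRED = ("purpose", "owner", "change_ref", "last_reviewed")    # what an independent reviewer needs

# Constructed ruleset export (assumed columns), not a real firewall configuration.
SAMPLE_EXPORT = """\
id,action,source,destination,service,purpose,owner,change_ref,last_reviewed
10,allow,dmz-web,db-vlan,tcp/5432,Web tier to orders database,App Team,CHG-0001,2024-03-01
20,allow,any,dmz-web,tcp/443,Public HTTPS to web tier,Net Ops,CHG-0002,2022-11-15
30,allow,corp-lan,any,any,,,,
40,deny,any,any,any,Default deny,Net Ops,CHG-0003,2024-06-30
"""
SAMPLE_AS_OF = date(2024, 9, 1)   # constructed review date for the sample export

def review_ruleset(export_text, today):
    """Return {rule_id: [findings]} for rules whose documentation would fail an audit."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        # Every rule must carry the fields a reviewer needs to understand its purpose.
        problems = [f"missing {f}" for f in REQUIRED if not (row.get(f) or "").strip()]
        reviewed = (row.get("last_reviewed") or "").strip()
        if reviewed:
            age = today - date.fromisoformat(reviewed)
            if age > REVIEW_INTERVAL:
                problems.append(f"last review {age.days} days ago, annual review overdue")
        if problems:
            findings[row["id"]] = problems
    return findings

def audit_report(export_text, today):
    """Render the findings as lines for the audit record, in rule order."""
    findings = review_ruleset(export_text, today)
    if not findings:
        return ["All rules documented and reviewed within the last year."]
    ordered = sorted(findings.items(), key=lambda kv: int(kv[0]))
    return [f"rule {rid}: {'; '.join(problems)}" for rid, problems in ordered]

if __name__ == "__main__":
    print("\n".join(audit_report(SAMPLE_EXPORT, SAMPLE_AS_OF)))
```

Against the sample export, rule 20 is reported as overdue for review and rule 30 as undocumented, while rules 10 and 40 pass.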
2. Information Transfer
Purpose: To maintain the security of information transferred within an organisation and with any external entity.
Information transfer may occur through the use of a number of different types of communication facilities, including electronic mail, voice, facsimile and video. Software transfer may occur through a number of different mediums, including downloading from the Internet and acquisition from vendors selling off-the-shelf products.
- The business, legal and security implications associated with electronic data interchange, electronic commerce and electronic communications and the requirements for controls should be considered and documented.
- The sensitivity of the information being transferred and the party it is being transferred to will be critical factors in the overall assessment of risk associated with the information transfer and the controls that should be put in place to secure the transfer.
2.2. Transfer of sensitive or confidential information
Refer to Supplier Relationships Security Policy for details of Information Security in supplier relationships.
The following are the minimum sets of controls that need to be put in place for the transfer of sensitive or confidential information.
- When sharing confidential information with a third party, a non-disclosure agreement shall be put in place prior to the sharing of any information. The non-disclosure agreement should cover the following elements:
- A definition of the information to be protected (e.g. confidential information).
- Expected duration of the agreement, including cases where confidentiality might need to be maintained indefinitely.
- Required actions when the agreement is terminated.
- Responsibilities and actions of signatories to avoid unauthorised information disclosure.
- Ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information.
- The permitted use of confidential information and rights of the signatory to use information.
- The right to audit and monitor activities that involve confidential information.
- A process for the notification and reporting of unauthorised disclosure or confidential information leakage.
- Terms for information to be returned or destroyed at agreement cessation.
- Expected actions to be taken in the event of a breach of the agreement.
- QSR International employees dealing with confidential QSR International information must be subject to non-disclosure agreements.
- Transfer of sensitive or confidential information to third parties via electronic means shall be encrypted in transit. Email is not to be used for the communication of sensitive information to third parties unless the attached payloads are encrypted. Decryption keys used in email communication cannot be sent via email; a separate out-of-band communication channel needs to be used for this purpose.
- QSR International data needs to be classified to determine its sensitivity and confidentiality level. Access controls need to be put in place to ensure that only staff with roles requiring access to sensitive data can actually access the information. Systems need to be put in place to ensure that reports can be generated to show who has accessed sensitive information, when they accessed it and from where.
- Systems put in place for the electronic transfer of data between QSR International systems and third-party company systems, like API gateways and SFTP servers, need to be approved by QSR International. The exposed interfaces to the third parties must be tested every year for vulnerabilities.
- The use of peer-to-peer file transfer applications is strictly prohibited.
Peer-to-peer file sharing is the distribution and sharing of digital media using peer-to-peer (P2P) networking technology. P2P file sharing allows users to access media files such as books, music, movies, and games using a P2P software program that searches for other connected computers on a P2P network to locate the desired content. The nodes (peers) of such networks are end-user computers and, optionally, distribution servers. Examples include BitTorrent and Gnutella.
- The use of consumer-based, cloud file sharing services (e.g. Dropbox, Google Drive, Box) is prohibited for the transfer of QSR International data.
- Transfer of sensitive information over public networks must be encrypted at all times.
3. Electronic messaging
- Employees shall receive security awareness training to reduce the risk of introducing malicious software.
- Emails and attachments can be a source of malicious software and should be treated with caution.
- Unsolicited emails are to be deleted and not responded to.
- When sending emails, employees are responsible for checking that the email is correctly addressed, and that the content of the message is only being sent to appropriate persons.
- Emails sent unencrypted over the Internet are not secure and may be liable to interception, copying and tampering. Where confidential information must be sent outside QSR International’s own networks, an approved, secure messaging service shall be used to ensure security. Under no circumstances may user account information or passwords be sent over the Internet.
- Users are prohibited from automatically forwarding QSR International emails to third party email systems, as doing so might cause emails with confidential or inappropriate content to be transmitted over the Internet.
- Individual messages which are forwarded by the user must not contain QSR International confidential or sensitive information.
- Users are prohibited from using third party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct QSR International business, to create or memorialise any binding transactions, or to store or retain email on behalf of QSR International. Such communications and transactions must be conducted through proper channels using QSR International-approved documentation and systems.
- Users are prohibited from using applications or software that have not been approved for use by QSR International for accessing or managing QSR International email, calendaring, or tasking systems.
- Non-QSR International related commercial uses of QSR International electronic messaging systems are prohibited.
- QSR International employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.
- QSR International may monitor messages without prior notice. QSR International is not obliged to monitor email messages.
- All use of email must be consistent with QSR International policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices.
3.1. Business information systems
- Confidential information can be communicated by other systems such as voice mail and printers. These are subject to comparable security provisions to electronic mail.
- Printers that are used for printing out confidential information shall be located in secure rooms or protected by keys or personal passwords. It is the user’s responsibility to check that print-outs are sent to the correct printer.
- Voice mail systems shall be protected by personal passwords or pin numbers.
3.2. Using the Internet
- Employees must use internet services in a responsible and security conscious manner.
- This section applies to services utilising the Internet such as web browsing, Instant Messaging, Skype, Internet Protocol (IP) telephony, video conferencing or file sharing sites.
- Unless applications using these communications methods are evaluated and approved by IT Compliance, they must not be used for communicating sensitive or classified information over the Internet.
- All employees must report any suspicious contact from external or unknown sources to the IT Service Desk. Suspicious contact may relate to questions regarding the work duties of employees or the specifics of projects being undertaken by employees.
- Monitoring of breaches of web usage policies (e.g. attempts to access blocked websites), as well as compiling a list of employees who excessively download or upload data without a legitimate business requirement, assists QSR International in enforcing its web usage policies.
3.3. Posting official information on websites
- Employees must not post sensitive or classified information on public websites, especially in forums, blogs and social networking sites. Even unclassified information that appears to be benign in isolation, could, along with other information, have a considerable security or reputational impact on QSR International.
- To report cases where such information is posted, employees are to advise their manager in the first instance.
- To ensure that personal opinions of employees are not interpreted as official policy, employees must maintain separate professional and personal accounts when using websites; this includes online social networks.
- Employees can post information authorised for release into the public domain only on approved websites.
3.4. Peer-to-peer applications
The installation and use of peer-to-peer applications is prohibited.
- Employees are not to send or receive files via peer-to-peer applications.
- Only QSR International approved methods of file sharing are to be used.
3.5. Electronic Commerce Services
- Electronic communication and commerce is vulnerable to a number of network threats which may result in fraudulent activity, contract dispute and disclosure or modification of information. When commercial information is communicated, a risk assessment shall be conducted to determine the appropriate level of controls that should be applied to protect against such threats.
Security considerations for electronic commerce shall include:
- Authentication of the parties.
- Authorisation of transactions.
- Confidentiality and integrity of contract information.
- Proof of transactions and non-repudiation.
- Integrity of pricing information.
- Vetting of payment information.
- Protection of settlement against fraud.
- Confidentiality and integrity of order information.
- Liability for fraudulent transactions.
- Electronic commerce arrangements between trading partners shall be supported by a documented agreement which commits both parties to the agreed terms of trading.
- Consideration should be given to the resilience to attack of the host used for electronic commerce, and the security implications of any network interconnection required for its implementation.
- When an application involves on-line transactions that are confidential or sensitive (e.g. contractual or financial transactions), then a risk assessment shall be made to determine the appropriate level of controls.
- Transactions shall be protected against misrouting, and against any unauthorised alteration, disclosure or replay.
- The following security measures shall be considered:
- Use of electronic signatures for each of the parties involved in the transaction.
- Encryption of the data between all involved parties.
- Ensuring stored transaction data is not accessible from the Internet.
3.6. Publicly available systems
- Information that is published to publicly available systems, e.g. Internet web servers, shall be protected from unauthorised modification. Such servers shall be hardened against attack, and the integrity of the information shall be checked frequently, preferably by an automated mechanism. There shall be a formal authorisation process before information is made publicly available.
- Software, data and other information requiring a high level of integrity, when it is made available on a publicly available system, shall be protected by appropriate mechanisms, e.g. digital signatures.