| Reference: 01.21-32.50 | Version: 1.0 | Effective Date: Dec 20, 2018 | Revision Date: Jan 23, 2019 |
| Title: Mortgage Planners – Monitoring Policy |
| DOMAIN: MONITORING | DOCUMENT TYPE: SECURITY POLICY |
| SECTION: SECURITY & COMPLIANCE |
Mortgage Planner
1 INTRODUCTION
This document was developed by TCPCOM Inc. and defines the requirements regarding “Monitoring” of informational resources at Mortgage Planners.
2 GENERAL INFORMATION
2.1 Revision History
| Version | Date | Summary | Prepared by | Reviewed by | Approved by | Approved Date |
| 1.0 | 2018-12-11 | Initial version | Marc-andre Heroux | NA | NA | NA |
2.2 Related Documents
| Type | Security Requirements |
| Title | Mortgage Planners – Registry of Security Controls |
2.3 Information Security Responsibility
Senior management is responsible for enforcing the security policy. The security officer is responsible for ensuring the proper definition and implementation of the security policy.
3 SECURITY POLICY OBJECTIVE
3.1 Purpose of the security policy
Provide clear requirements to detect, monitor and log unauthorized activity and abnormal occurrences against the infrastructure of Mortgage Planners and its cyber assets and networks. Support incident prevention, detection and response as well as forensic investigation.
3.2 Scope of Security Policy
This policy applies to all employees of Mortgage Planners, service providers and employees of third parties performing work related to the information resources of Mortgage Planners.
The scope of cyber assets is as follows: servers and network systems and security/utilities supporting business functions and operations.
3.3 Managing Information Security
The senior management must ensure that a security officer assists Mortgage Planners in defining and implementing effective controls to limit access to information according to roles, need to know and need to use. Processes, mechanisms and solutions to prevent the disclosure of information and to maintain the integrity and availability of informational resources must be defined and implemented.
3.4 Breach of Security Policy
An intentional or unintentional violation of the policies, procedures, standards or security requirements of Mortgage Planners may be subject to disciplinary action and may result in termination of employment or contract and possibly civil/criminal justice prosecution.
Anyone suspected of a security breach or deviation will be treated fairly and a full investigation will be conducted to protect their legal rights.
3.5 Exceptions to the policy
Any exceptions related to this security policy must be approved by the senior management.
4 EVENT LOGGING
4.1 Policy Statement
The system audit logs and other security-related logs such as access logs to systems of Mortgage Planners must be enabled. Audit trails and events must be retained for at least one year and be available to perform assessments and investigations (at least three months must be immediately available for analysis). Logs must also be protected against unauthorized access and changes.
Proper logging must be enabled on all servers, networks and security devices as well as systems/utilities. Regular review of the security events must be performed.
Requirements for logging must be clearly defined and implemented.
4.2 Security Risks
If audit logs and other events related to security are not captured in sufficient detail and kept as required, the information necessary to manage security would not be available.
This could prevent Mortgage Planners from responding appropriately to an incident or from correcting a situation quickly.
5 TIME SOURCE
5.1 Policy Statement
Time for a system must come from a central standard source, and not from the local system by default. The time of the different systems should be properly adjusted and protected against unauthorized changes. It is essential to have the correct time on a system to support the resolution of computer problems and/or the response to security incidents.
The requirements for the time source must be clearly defined and implemented.
5.2 Security Risks
If the systems are not configured to use a standard time source, it might be very difficult to reconcile and correlate events to solve a computer problem or manage a security incident.
This could prevent Mortgage Planners from properly responding to an incident or from identifying a security issue.
6 MONITORING SYSTEM USE
6.1 Policy Statement
Mortgage Planners systems and facilities must be monitored to detect unauthorized activities. Logs need to be examined to ensure that only authorized activities are carried out. The level of monitoring required is determined by the sensitivity of a system and of the information stored or processed by that system.
Monitoring requirements must be clearly defined and implemented.
6.2 Security Risks
If systems and facilities of Mortgage Planners are not subject to adequate monitoring, unauthorized access, intrusions, and other misuse of the systems of Mortgage Planners could go undetected. A system can be compromised and information could be disclosed or altered by unauthorized sources.
Inadequate monitoring could fail to detect abnormal activities (e.g. the number of unauthorized access attempts) before they cause damage to a critical service of Mortgage Planners.
8 DETECTION OF NEW NETWORK ASSETS
8.1 Policy Statement
A solution must be in place to identify any new cyber assets connected to the network (e.g. wireless access point (WAP), server, laptop, device). Detection shall be conducted periodically, at least quarterly, to test for, detect and identify the presence of any wireless access point interconnected to the company network.
Mortgage Planners must validate quarterly that no unauthorized equipment or device has been added to the system components (e.g. unauthorized Wi-Fi USB key, wireless access point (WAP)). To comply with this requirement, Mortgage Planners can rely on physical inspection or an automated electronic mechanism.
The requirements for the detection of new cyber assets on the network should be clearly defined and implemented.
8.2 Security Risks
If there is no periodic detection to identify a new wireless access point or any new cyber assets connected to the network, a threat agent could connect to the company network without authorization, remain undetected and disrupt or negatively impact a critical system.
9 SECURITY INFORMATION AND EVENT MANAGEMENT
9.1 Policy Statement
Logs of all critical components and systems performing critical or security functions should be collected, correlated and managed centrally.
Requirements regarding the management of logs and events must be clearly defined and implemented.
9.2 Security Risks
Without storing security information and events in a centralized area, it could be difficult to detect abnormal activities, manage incidents and manage security adequately.
