
BEST PRACTICES FOR SECURE IT INFRASTRUCTURE MANAGEMENT

[ BEST PRACTICES FOR SECURE IT INFRASTRUCTURE MANAGEMENT ]

CONTENTS
Excerpt from Carpathia Hosting Best Practices for Secure IT Infrastructure Management . . . . . 3
1.1.2 Deployment Best Practices . . . . . 4
Table 1.1-1: Deployment Best Practices . . . . . 4
1.1.4 Sustainment Best Practices . . . . . 9
Table 1.1-3: Sustainment Best Practices . . . . . 9

Best Practices for Secure IT Infrastructure Management 2010 Carpathia Hosting, Inc.

CARPATHIA.COM


EXCERPT FROM CARPATHIA HOSTING BEST PRACTICES FOR SECURE IT INFRASTRUCTURE MANAGEMENT

This document contains an excerpt from Carpathia Hosting's Best Practices for Secure IT Infrastructure Management. Its purpose is to demonstrate the depth of Carpathia Hosting's understanding of, and applied knowledge regarding, the deployment and maintenance of secure, reliable IT infrastructure that meets or exceeds federal IT regulations.

The excerpted sections in this document are:
Deployment Best Practices
Sustainment Best Practices

Note: Due to the sensitive nature of Carpathia Hosting client applications, we must restrict distribution of certain sensitive and proprietary information to qualified individuals only. For more information please contact Carpathia Hosting at info@carpathia.com.


1.1.2 DEPLOYMENT BEST PRACTICES


Carpathia Hosting employs a robust delivery methodology that incorporates input from multiple industry-recognized best practices authorities and boards. The following is Carpathia Hosting's approach to best practices regarding the deployment of hosted/managed IT environments:

Table 1.1-1: Deployment Best Practices

BEST PRACTICE CATEGORY: 9. Assign Information Security Roles, Responsibilities, Required Skills, and Enforce Role-based Information Access Privileges
BEST PRACTICE DESCRIPTION:
9.1. (Measure) Percentage of new employees hired this reporting period who satisfactorily completed security awareness training before being granted network access
9.2. (Measure) Percentage of employees who have satisfactorily completed periodic security awareness refresher training as required by policy
9.3. Percentage of position descriptions that define the information security roles, responsibilities, skills, and certifications for:
  a. Security Managers and Administrators
  b. IT personnel
  c. General staff system users
9.4. Percentage of job performance reviews that include evaluation of information security responsibilities and information security policy compliance
9.5. Percentage of user roles, systems, and applications that comply with the separation of duties principle
9.6. Percentage of individuals with access to security software who are trained and authorized security administrators
9.7. Percentage of individuals who are able to assign security privileges for systems and applications who are trained and authorized security administrators
9.8. Percentage of individuals whose access privileges have been reviewed this reporting period:
  - Employees with high-level system and application privileges
  - Terminated employees
9.9. Percentage of users who have undergone background checks
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Exceeds

BEST PRACTICE CATEGORY: 10. Assess Information Risks, Establish Risk Thresholds and Actively Manage Risk Mitigation
BEST PRACTICE DESCRIPTION:
10.1. Percentage of critical information assets and information-dependent functions for which some form of risk assessment has been performed and documented as required by policy
10.2. Percentage of critical assets and functions for which the cost of compromise (loss, damage, disclosure, disruption in access to) has been quantified
10.3. Percentage of identified risks that have a defined risk mitigation plan against which status is reported in accordance with policy
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Exceeds

BEST PRACTICE CATEGORY: 11. Ensure Implementation of Information Security Requirements for Strategic Partners and Other Third Parties
BEST PRACTICE DESCRIPTION:
11.1. Percentage of known information security risks that are related to third-party relationships
11.2. Percentage of critical information assets or functions for which access by third-party personnel is not allowed
11.3. Percentage of third-party personnel with current information access privileges who have been reviewed by designated authority to have continued need for access in accordance with policy
11.4. Percentage of systems with critical information assets or functions for which electronic connection by third-party systems is not allowed
11.5. Percentage of security incidents that involved third-party personnel
11.6. Percentage of third-party agreements that include/demonstrate external verification of policies and procedures
11.7. Percentage of third-party relationships that have been reviewed for compliance with information security requirements
11.8. Percentage of out-of-compliance review findings that have been corrected since the last review
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Exceeds

BEST PRACTICE CATEGORY: 12. Identify and Classify Information Assets
BEST PRACTICE DESCRIPTION:
12.1. Percentage of information assets that have been reviewed and classified by the designated owner in accordance with the classification scheme established by policy
12.2. Percentage of information assets with defined access privileges that have been assigned based on role and in accordance with policy
12.3. Percentage of scheduled asset inventories that occurred on time according to policy
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Meets

BEST PRACTICE CATEGORY: 13. Implement and Test Business Continuity Plans
BEST PRACTICE DESCRIPTION:
13.1. Percentage of organizational units with a documented business continuity plan for which specific responsibilities have been assigned
13.2. Percentage of business continuity plans that have been reviewed, exercised/tested, and updated in accordance with policy
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Meets

BEST PRACTICE CATEGORY: 14. Approve Information Systems Architecture during Acquisition, Development, Operations, and Maintenance
BEST PRACTICE DESCRIPTION:
14.1. Percentage of information security risks related to systems architecture identified in the most recent risk assessments that have been adequately mitigated
14.2. Percentage of system architecture changes (additions, modifications, or deletions) that were reviewed for security impacts, approved by appropriate authority, and documented via change request forms
14.3. Percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Exceeds

BEST PRACTICE CATEGORY: 17. Collaborate with Security Staff to Specify the Information Security Metrics to be Reported to Management
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Exceeds

BEST PRACTICE CATEGORY: The entity has defined and communicated performance objectives, policies, and standards for system availability.
BEST PRACTICE DESCRIPTION:
- The system availability requirements of authorized users, and system availability objectives, policies, and standards are identified and documented.
- The documented system availability objectives, policies, and standards have been communicated to authorized users.
- Documented system availability objectives, policies, and standards are consistent with system availability requirements specified in contractual, legal, and other service level agreements and applicable laws and regulations.
- Responsibility and accountability for system availability have been assigned.
- Documented system availability objectives, policies, and standards are communicated to entity personnel responsible for implementing them.
SOURCE OF BEST PRACTICE: SysTrust (http://www.aicpa.org/assurance/systrust/princip.htm)
CARPATHIA HOSTING COMPLIANCE: Exceeds

BEST PRACTICE CATEGORY: The entity has defined and communicated performance objectives, policies, and standards for system security.
BEST PRACTICE DESCRIPTION:
- The system security requirements of authorized users, and the system security objectives, policies, and standards, are identified and documented.
- Documented system security objectives, policies, and standards have been communicated to authorized users.
- Documented system security objectives, policies, and standards are consistent with system security requirements defined in contractual, legal, and other service-level agreements and applicable laws and regulations.
- Responsibility and accountability for system security have been assigned.
- Documented system security objectives, policies, and standards are communicated to entity personnel responsible for implementing them.
SOURCE OF BEST PRACTICE: SysTrust (http://www.aicpa.org/assurance/systrust/princip.htm)
CARPATHIA HOSTING COMPLIANCE: Exceeds

BEST PRACTICE CATEGORY: The entity uses procedures, people, software, data, and infrastructure to achieve system security objectives in accordance with established policies and standards.
BEST PRACTICE DESCRIPTION:
- The acquisition, implementation, configuration, and management of system components related to system security are consistent with documented system security objectives, policies, and standards.
- There are procedures to identify and authenticate all users authorized to access the system.
- There are procedures to grant system access privileges to users in accordance with the policies and standards for granting such privileges.
- There are procedures to restrict access to computer processing output to authorized users.
- There are procedures to restrict access to files on off-line storage media to authorized users.
- There are procedures to protect external access points against unauthorized logical access.
- There are procedures to protect the system against infection by computer viruses, malicious codes, and unauthorized software.
- Threats of sabotage, terrorism, vandalism and other physical attacks have been considered when locating the system.
- There are procedures to segregate incompatible functions within the system through security authorizations.
- There are procedures to protect the system against unauthorized physical access.
- There are procedures to ensure that personnel responsible for the design, development, implementation, and operation of system security are qualified to fulfill their responsibilities.
SOURCE OF BEST PRACTICE: SysTrust (http://www.aicpa.org/assurance/systrust/princip.htm)
CARPATHIA HOSTING COMPLIANCE: Exceeds


1.1.4 SUSTAINMENT BEST PRACTICES


Carpathia Hosting employs a robust delivery methodology that incorporates input from multiple industry-recognized best practices authorities and boards. The following is Carpathia Hosting's approach to best practices regarding the sustainment of hosted/managed IT environments:

Table 1.1-3: Sustainment Best Practices

BEST PRACTICE CATEGORY: 1. Oversee Risk Management and Compliance Programs Pertaining to Information Security (e.g., Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, etc.)
BEST PRACTICE DESCRIPTION:
1.1. (Measure) Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
1.2. (Measure) Percentage of key hosted environment functions for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
1.3. (Measure) Percentage of key external requirements for which the organization has been deemed by objective audit or other means to be in compliance
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Meets

BEST PRACTICE CATEGORY: 2. Approve and Adopt Broad Information Security Program Principles and Approve Assignment of Key Managers Responsible for Information Security
BEST PRACTICE DESCRIPTION:
2.1. (Measure) Percentage of Information Security Program Principles for which approved policies and controls have been implemented by management
2.2. (Measure) Percentage of key information security management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Meets

BEST PRACTICE CATEGORY: 3. Strive to Protect the Interests of all Stakeholders Dependent on Information Security
BEST PRACTICE DESCRIPTION:
3.1. (Measure) Percentage of board meetings and/or designated committee meetings for which information security is on the agenda
3.2. (Measure) Percentage of security incidents that did not cause damage, compromise, or loss beyond established thresholds to the organization's assets, functions, or stakeholders
3.3. (Measure) Estimated damage or loss in dollars resulting from all security incidents
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Meets

BEST PRACTICE CATEGORY: 4. Review Information Security Policies Regarding Strategic Partners and Other Third Parties
BEST PRACTICE DESCRIPTION:
4.1. (Measure) Percentage of strategic partner and other third-party relationships for which information security requirements have been implemented in the agreements with these parties
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Meets

BEST PRACTICE CATEGORY: 5. Strive to Ensure Business Continuity
BEST PRACTICE DESCRIPTION:
5.1. (Measure) Percentage of organizational units with an established business continuity plan
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Exceeds

BEST PRACTICE CATEGORY: 6. Review Provisions for Internal and External Audits of the Information Security Program
BEST PRACTICE DESCRIPTION:
6.1. (Measure) Percentage of required internal and external audits completed and reviewed by the Board
6.2. (Measure) Percentage of audit findings that have been resolved
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Exceeds

BEST PRACTICE CATEGORY: 7. Collaborate with Management to Specify the Information Security Metrics to be Reported
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Exceeds

BEST PRACTICE CATEGORY: 8. Establish Information Security Management Policies and Controls and Monitor Compliance
BEST PRACTICE DESCRIPTION:
8.1. (Measure) Percentage of Information Security Program Elements for which approved policies and controls are currently operational
8.2. (Measure) Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls
8.3. (Measure) Percentage of information security policy compliance reviews with no violations noted
8.4. (Measure) Percentage of business unit heads and senior managers who have implemented operational procedures to ensure compliance with approved information security policies and controls
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Exceeds

BEST PRACTICE CATEGORY: 15. Protect the Physical Environment
BEST PRACTICE DESCRIPTION:
15.1. Percentage of critical organizational information assets and functions that have been reviewed from the perspective of physical risks such as controlling physical access and physical protection of backup media
15.2. Percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented
15.3. Percentage of critical assets that have been reviewed from the perspective of environmental risks such as temperature, fire, flooding, etc.
15.4. Percentage of servers in locations with controlled physical access
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Exceeds

BEST PRACTICE CATEGORY: 16. Ensure Regular Internal and External Audits of the Information Security Program with Timely Follow-up
BEST PRACTICE DESCRIPTION:
16.1. Percentage of information security requirements from applicable laws and regulations that are included in the internal/external audit program and schedule
16.2. Percentage of information security audits conducted in compliance with the approved internal/external audit program and schedule
16.3. Percentage of management actions in response to audit findings/recommendations that were implemented as agreed as to timeliness and completeness
SOURCE OF BEST PRACTICE: Corporate Information Security Working Group
CARPATHIA HOSTING COMPLIANCE: Exceeds

BEST PRACTICE CATEGORY: The entity uses procedures, people, software, data, and infrastructure to achieve system availability objectives in accordance with established policies and standards.
BEST PRACTICE DESCRIPTION:
- The acquisition, implementation, configuration and management of system components related to system availability are consistent with documented system availability objectives, policies, and standards.
- There are procedures to protect the system against potential risks that might disrupt system operations and impair system availability.
- Continuity provisions address minor processing errors, minor destruction of records, and major disruptions of system processing that might impair system availability.
- There are procedures to ensure that personnel responsible for the design, development, implementation and operation of system availability features are qualified to fulfill their responsibilities.
SOURCE OF BEST PRACTICE: SysTrust (http://www.aicpa.org/assurance/systrust/princip.htm)
CARPATHIA HOSTING COMPLIANCE: Exceeds

Carpathia Hosting is a leading provider of managed hosting services, delivering secure, reliable and compliant IT infrastructure and management for some of the world's most demanding enterprises and federal agencies. Founded in 2003, Carpathia is a growing, profitable business run by a seasoned management team with deep experience in delivering enterprise hosting solutions including colocation, managed services and cloud computing. Carpathia's suite of services is designed for organizations seeking scalable, secure, robust and enterprise-grade hosting solutions that can be quickly provisioned or tailored to meet unique requirements. Backed by its E3 Promise, Carpathia consistently delivers an experience that exceeds customers' expectations. Carpathia qualifies as a small business. Contact Carpathia at 1.888.200.9494, or visit www.carpathia.com for more information.

References to other products are made to show compatibility. All companies and/or products mentioned in this document are registered or trademarked by their respective organizations. The inclusion of third-party products does not imply endorsement by these parties, unless otherwise noted.


21000 Atlantic Boulevard | Suite 500 | Dulles, VA 20166

703.840.3900 / 1.888.200.9494
