Operations Management Policy

Netspective Unified Process

This Operations Management Policy governs how Netspective Communications LLC manages and operates its business processes, systems, and resources. Its purpose is to ensure efficiency, reliability, and compliance with relevant standards and regulations, while promoting continuous improvement and alignment with Netspective Communications LLC objectives.

This document presents the information technology and information security policies that apply exclusively to Netspective Communications LLC’s information technology. International information technology standards have been incorporated into it, and Netspective Communications LLC has diligently exercised an acceptable level of professional due diligence to ensure the quality and adequacy of the information stated in this document.

Operational Procedures and Responsibilities

  • The Information Security Department shall initiate or direct the development of processes, procedures, guidelines, and standards in accordance with Netspective Communications LLC’s operational activities.
  • The Information Security Department shall coordinate with the related departments to take appropriate action and ensure that all employees are aware of the security measures taken when operating Netspective Communications LLC’s information assets.
  • We shall implement adequate technical controls to protect connected systems and safeguard the confidentiality and integrity of critical business information that passes over public networks, using appropriate technologies.
  • We shall have formal change management procedures in place to document and control all changes to equipment, software, or procedures.
  • In cases where segregation of duties is not practicable within Netspective Communications LLC, compensating controls must be in place, such as monitoring of activities and the maintenance and review of audit trails.
  • The use of live data (real data in the production environment) in the test environment of Netspective Communications LLC is strictly prohibited.
  • Netspective Communications LLC shall establish capacity management for the following:
    • Workstations
    • Printers, scanners
    • Uninterruptible Power Supplies (UPS)
    • Network bandwidth
    • CPU and memory of servers
    • Licensed software
    • Personnel
  • Netspective Communications LLC shall develop an annual business plan and forecast capacity needs from its requirements.
  • The IT Department shall ensure that all changes are rigorously applied and tested in a Test Environment before authorizing the change for the Production Environment.
  • We shall define a documented procedure for the transfer of software from development to the operational environment.

System Planning and Acceptance

  • Netspective Communications LLC shall identify capacity requirements for all new and ongoing activities.
  • Netspective Communications LLC must ensure that the requirements and criteria for accepting new systems are clearly defined, agreed upon, documented, and tested.
  • We must consider the following criteria:
    • Performance and system capacity requirements
    • Error recovery, restart procedures, and contingency plans
    • Preparation and testing of routine operating procedures
    • Implementation of agreed-upon security controls
    • Business continuity arrangements
    • Ensuring that the installation of new IT hardware does not adversely affect existing systems, especially during peak processing times (e.g., daytime)
    • Ensuring that the introduction of new hardware does not impact the overall security of Netspective Communications LLC’s systems and environment
    • Providing training for the operation or use of new equipment
    • Ensuring warranties and support for maintenance are in place
  • Addressing the performance and capacity requirements of new systems shall be part of the planning and acceptance phase.

Protection from malware [FII-SCF-010-END-04]

  • Netspective Communications LLC shall establish a well-defined mechanism to prevent, detect, and remediate Malicious Code infections in a proper and timely manner.
  • Netspective Communications LLC must ensure the installation and activation of internationally recognized, centrally managed antivirus software at all times.
  • Controls shall be implemented to prevent the transmission of malicious and mobile code to users connected to Netspective Communications LLC’s IT infrastructure.
  • Before connecting any device to Netspective Communications LLC’s information assets, it must undergo scanning for Malicious Code.
  • Every possible and practical measure shall be taken to prevent the introduction of Malicious Code into Netspective Communications LLC’s information systems and network. Measures against Malicious Code shall include, but not be limited to:
    • Implementing Malicious Code prevention, detection, and repair mechanisms at points where Malicious Code can be introduced into the Netspective Communications LLC network.
    • Establishing a process to update the Malicious Code detection mechanisms promptly with the latest product and signatures.
    • Deploying daily updates of Malicious Code definition files through automated/manual means and configuring systems to prevent users from disabling antivirus tools.
    • Installing Malicious Code protection software on any new potential point of entry and ensuring existing points of entry are covered by such software.
  • The use of removable media drives and flash memories via USB connection to desktops/laptops shall be disabled unless a valid business justification exists. If connected, the anti-Malicious Code software must automatically scan such devices.
  • The Information Security Officer shall be responsible for ensuring the active and non-disabling status of the Malicious Code detection infrastructure at all potential entry points.
  • Every new user shall receive Malicious Code detection and prevention instructions, including:
    • Not opening files attached to emails from unknown, suspicious, or untrustworthy sources.
    • Exercising caution when downloading files from the Internet, testing them with Netspective Communications LLC’s anti-Malicious Code software, and ensuring the source is legitimate and reputable.
    • Regularly backing up files.
    • Exercising caution and refraining from opening, downloading, or executing any files or email attachments when in doubt.
  • The installation of unauthorized or illegal software on any Netspective Communications LLC systems is strictly prohibited.
  • Users are prohibited from changing the configuration of, removing, deactivating, or tampering with any Malicious Code prevention/detection software installed on the systems they use.
  • The IT Department shall implement necessary technical measures to restrict user privileges from changing the configuration of, removing, deactivating, or tampering with any Malicious Code prevention/detection software installed on the systems they use.
  • In cases where the main anti-Malicious Code local server is inaccessible, the Information Security Department shall provide users with instructions, in a suitable format and with a specified timeframe, on how to install anti-Malicious Code updates, and shall ensure that users follow all instructions issued by the IT Department.
  • Users must immediately report all incidences of Malicious Code detected by the installed Malicious Code protection software, as well as any abnormal or unusual system behavior, to the IT Department. This policy applies even when automated means are deployed, such as server-based antivirus solutions for centralized collection of antivirus detection and cleaning incidents.
  • Additionally, users must check media exchanged with other departments and organizations for Malicious Code before using them with their own systems.
  • Malicious Code protection software shall be configured to automatically scan all PCs, servers, laptop computers, and other components of Netspective Communications LLC’s information systems architecture periodically to detect potential Malicious Code.
  • The Information System Department shall perform full system scans weekly to detect potential viruses and Malicious Code.

Information Back-Up [FII-SCF-003-BCD-11]

  • The Information Security Officer must identify backup and restoration requirements for all Netspective Communications LLC systems in close interaction and coordination with the System and Data Owners. This process should consider legal and regulatory implications, vendor recommendations, and other relevant factors. The criticality of the data being backed up is a crucial factor in determining the backup and restoration requirements.
  • The Application Owners must determine the criticality of the data within their respective applications.
  • The backup and restoration requirements of each system will determine the type of backups, the backup schedule, and the level of protection for the backup media based on the criticality of the information being backed up.
  • All software, data (including databases), user configuration information, and hardware configuration information (if applicable) for applications and operating systems shall be backed up according to the procedures recommended by the vendor/implementer.
  • Restoration of backups should require specific and appropriate authorization and must be performed following the Backup and Restoration Procedure.
  • The following information should be backed up:
    • Business applications (data and program files) and operating systems on servers.
    • System logs.
    • Network logs.
    • Network elements (data and programs).
    • Data on workstations.
  • Regular examination of backup media must ensure the readability of the data.
  • Backup media should be replaced immediately upon encountering an error or at predefined time intervals, whichever occurs earlier.
  • The backup media must be appropriately labeled and numbered either automatically by the backup system or manually by the Administrator performing the backup.
  • Storage of backups:
    • On-site: On-site data backups should be kept in safe custody, preferably outside the server room and in a fireproof cabinet.
    • Off-site: Off-site data backups should be stored at a designated off-site location. Whenever the backup media is transported to and from the off-site location, it must be carried in a sealed and tamper-proof envelope or pouch.
  • The Administrator must maintain backup logs either in manual registers or as reports generated by the system (operating systems or applications) in printed form.
  • Whenever possible, backups containing sensitive information should be encrypted.

Logging and Monitoring [FII-SCF-007-MON-01]

  • The Information Security Officer should ensure the implementation of specific and adequate levels of audit trails in applications and databases based on the criticality of the data.
  • The Information Security Officer must record and retain detailed audit trails of user account creation, deletion, and revocation of access rights for a minimum of 5 years.
  • All system transaction services must log user account information and digitally sign the logs to prevent repudiation of user transactions.
  • Netspective Communications LLC should monitor the following events on system components to detect anomalies, potential vulnerabilities, or security incidents. Expert analysis of this data should be conducted:
    • Successful and failed logon and logoff attempts.
    • System restart, shutdown, success, and failure events.
    • Success and failure events related to security policy changes.
    • Success and failure events related to user and group management.
    • Success and failure events related to file and object access.
    • Success and failure events related to the use of user rights.
    • Departures from normal usage patterns, including system load at different times of the day, number of running processes, CPU utilization, unusual successes or denials of connections, success and error messages from firewalls, multiple access attempts, and access to unusual ports.
  • Event details on all other (ordinary) information systems should be logged and retained for at least 6 months.
  • Netspective Communications LLC must ensure that no system administrator is granted permission to modify or deactivate the logs of their own activities.
  • Netspective Communications LLC must ensure that the date and time stamp of the audit trails for all online system components are synchronized to facilitate the tracking of users’ identities and online activities.
  • To maintain the accuracy of security log file data, all server and network device clocks must be synchronized using the internationally accepted Network Time Protocol (NTP).
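The requirements above that transaction logs be digitally signed, that administrators cannot alter records of their own activity, and that entries carry synchronized timestamps can be met together with a hash-chained, MAC-signed audit trail verified on a host the audited administrators cannot reach. The following is an added example for this policy, not Netspective code; the signing key, the event fields and the sample account-management events are constructed for illustration.

```python
"""Tamper-evident audit trail: each entry is hash-chained to the previous
one and HMAC-signed, so editing, deleting or reordering entries without
the signing key (which the audited administrators do not hold) is detectable.

Added example for this policy; not Netspective code. The key, the event
fields and the sample events are constructed for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed demo key. In production the key lives on the log collector
# (HSM/KMS or a host the audited administrators cannot log in to), never on
# the system whose administrators are being audited.
SIGNING_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(entry: dict) -> bytes:
    # Deterministic serialization: key order and whitespace cannot change the digest.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _mac(entry_hash: str) -> str:
    return hmac.new(SIGNING_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()


def append_event(log: List[dict], actor: str, action: str, target: str,
                 ts: Optional[str] = None) -> dict:
    """Append one audit entry chained to the previous one and sign it.

    ts is an ISO 8601 UTC timestamp taken from the (NTP-synchronized) system
    clock unless supplied; the samples below supply it for reproducibility.
    """
    entry = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "target": target,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    entry["mac"] = _mac(entry["entry_hash"])
    log.append(entry)
    return entry


def verify_log(log: List[dict], expected_last: Optional[str] = None) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of first bad entry).

    expected_last is the entry_hash of the final entry as recorded out of band
    (e.g. forwarded to a separate log server). Without it, silently dropping
    the tail of the log cannot be detected.
    """
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("entry_hash", "mac")}
        if entry.get("seq") != i or entry.get("prev_hash") != expected_prev:
            return False, i  # entry removed, inserted or reordered
        if hashlib.sha256(_canonical(body)).hexdigest() != entry.get("entry_hash"):
            return False, i  # a field was edited after signing
        if not hmac.compare_digest(_mac(entry["entry_hash"]), entry.get("mac", "")):
            return False, i  # hash recomputed by someone without the key
        expected_prev = entry["entry_hash"]
    if expected_last is not None and expected_prev != expected_last:
        return False, len(log)  # tail truncated
    return True, -1


def build_sample_log() -> List[dict]:
    """Constructed account-management events of the kind the policy retains."""
    log: List[dict] = []
    append_event(log, "alice", "user.create", "bob", ts="2023-08-09T10:00:00+00:00")
    append_event(log, "alice", "access.revoke", "carol", ts="2023-08-09T10:05:00+00:00")
    append_event(log, "root", "group.member.add", "ops:bob", ts="2023-08-09T10:07:30+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_log(log))
    edited = [dict(e) for e in log]
    edited[1]["action"] = "access.grant"  # an admin rewriting their own entry
    print("edited entry:", verify_log(edited))
    print("deleted entry:", verify_log([log[0]] + log[2:]))
    print("truncated:", verify_log(log[:2], expected_last=log[-1]["entry_hash"]))
```

The chain alone detects edits, deletions and reordering; detecting truncation of the most recent entries requires the latest entry hash to be anchored somewhere the administrator cannot overwrite, which is why the verifier takes an out-of-band `expected_last`.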

Control of operational software - installation

  • Securely harden all systems (operating systems, databases, and other system software) in accordance with International Best Practice Standards.
  • Deploy appropriate Host Intrusion Detection technologies to discover unauthorized system activity, create automated alerts, and generate detailed log files for subsequent investigations.
  • Do not use servers hosting sensitive Netspective Communications LLC applications and data as shared resources for unrelated applications, services, or databases.
  • Implement end-point security controls to restrict the use of system devices and peripherals such as removable hard drives, USB thumb drives, CD writers, smartphones, or other portable data storage devices.
  • Ensure that notebook computers issued by Netspective Communications LLC for housing or accessing Netspective Communications LLC information or services have Personal Firewall and Anti-Spyware software deployed, in addition to antivirus protection, and comply with relevant Netspective Communications LLC policies.
  • Only authorize Netspective Communications LLC administrators to perform updates to operational software, applications, and program libraries.
  • Prevent the execution of information systems in development within the operational environment.
  • Maintain formal documented configuration control procedures within Netspective Communications LLC.
  • Consider business requirements and security implications when making decisions to upgrade to new releases.
  • Log all attempts to access operational software, and periodically review the logs.
  • Centrally compile and maintain all source codes in a controlled manner within a Software Library.
  • Avoid unnecessary disclosure of system configuration information that could be useful to attackers by:
    • Suppressing the Server field in HTTP response headers that identifies the web server’s brand and version.
    • Ensuring that directories of files on the web server are not indexed.
    • Preventing the source code of server-side executables and scripts (e.g., Common Gateway Interface (CGI) scripts and ASP files) from being viewed through a web browser.
  • For web-developed applications, review the source of HTML, JavaScript, and other client-side scripting languages to eliminate unnecessary information such as developer names, disabled functionality, details about CGI functions and parameters, and third-party tools that may contain known vulnerabilities. Additionally, review error messages returned by the web application to avoid revealing undesirable information.
  • Ensure that IT Operations staff do not have access to program source code or the ability to modify programs’ behavior by changing configuration parameters. The Information Security Officer and the IT Department should oversee this.
  • Control and document access to program source code in Netspective Communications LLC. Access should only be granted with documented authorization from program owner management.
  • Maintain accurate and up-to-date records of program source libraries.
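One way to apply the three web-server disclosure controls listed above (hiding the server version, disabling directory listings, and refusing to serve script source) on nginx, as an added configuration example that is not part of this policy; the document root, the FastCGI socket and the script extension are assumptions.

```nginx
# Added example (not part of the Netspective policy); paths and the PHP
# handler are assumptions standing in for whatever server-side scripts run.
http {
    # Strips the version from the Server header ("nginx" instead of "nginx/1.24.0").
    # Removing the header entirely needs the headers-more module
    # (more_clear_headers Server;) or a reverse proxy that rewrites it.
    server_tokens off;

    server {
        listen 443 ssl;             # TLS certificate directives omitted here
        root /srv/www/app;          # assumed document root

        autoindex off;              # never list directory contents (nginx default, stated explicitly)

        # Refuse dotfiles and editor/backup copies of scripts, which nginx would
        # otherwise serve as plain text (source disclosure).
        location ~ /\. { return 404; }
        location ~* \.(bak|old|orig|swp|inc|sql)$ { return 404; }

        # Server-side scripts go to the interpreter only. A script extension with
        # no handler would be served raw, so fail closed if the file is absent.
        location ~ \.php$ {
            try_files $fastcgi_script_name =404;
            include fastcgi_params;
            fastcgi_pass unix:/run/php-fpm.sock;   # assumed socket
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        # Static error pages instead of framework stack traces or path leaks.
        error_page 500 502 503 504 /50x.html;
    }
}
```

After reloading, check the result from outside with `curl -sI https://host/` (the Server header should carry no version), request a directory without an index file (expect 403, not a listing), and request a script under a backup name such as `index.php.bak` (expect 404).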

Technical Vulnerability Management [FII-SCF-027-VPM-01.1]

  • The Information Security Officer is responsible for taking necessary steps to ensure the security of Netspective Communications LLC infrastructure. Initially, the Information Security Officer, with the assistance of the technical network staff, will define specific technical measures to prevent interception, unauthorized access, and/or misappropriation. These measures will be periodically reviewed and maintained. They will be based on the specific technology solution adopted for Netspective Communications LLC infrastructure and may include, but are not limited to:
    • Implementing firewalls to secure the Netspective Communications LLC LAN.
    • Using secure VLAN.
    • Employing encryption.
    • Utilizing PINs.
    • Implementing audit trails to analyze usage, and so on.
  • Netspective Communications LLC must enable comprehensive audit trails that allow for tracking the online identity and activities of users. This includes audit trails for web and application servers, as applicable. The date and time stamp of the audit trails for all online system components, such as Netspective Communications LLC applications and databases, web servers, Firewalls, and ISP’s proxy servers and firewalls, must be synchronized to facilitate the tracking of user identity and online activities.
  • Before newly available patches are installed in the Production environment, they must be tested and evaluated in the Test environment of Netspective Communications LLC.

Information systems audit [FII-SCF-005-CPL-04]

  • The Information Systems owners shall carefully plan and perform audits of operational information systems at periodic intervals (at least annually) to minimize the risk of disruptions to business processes.
  • If system audits require access to the system or data or involve the use of software tools and utilities, they shall be conducted with the knowledge, cooperation, and consent of the owners of the information system. Relevant precautions shall be taken to protect the information system and data from damage or disruptions resulting from the audit or audit tools.
  • The person(s) conducting the audit shall be independent of the audited activities.
  • Netspective Communications LLC shall conduct internal and independent audits of its information systems.
  • At least once a year, Netspective Communications LLC shall commission one or more information security audits of its information systems by engaging a properly qualified external independent audit firm.

Approved by
Ajay Kumaran Nair on August 9, 2023 |
Last Updated by
Sreejith K on August 9, 2023