1. Microsoft Active Directory Group Policy is used to standardize and automate configuration management.
2. No systems are deployed into LifeWIRE environments without approval of the LifeWIRE CTO.
3. All changes to production systems, network devices, and firewalls are approved by the LifeWIRE CTO before they are implemented to assure they comply with business and security requirements.
4. All changes to production systems are tested before they are implemented in production.
5. Implementation of approved changes are only performed by authorized personnel.
6. Tooling to generate an up-to-date inventory of systems, including corresponding architecture diagrams for related products and services, is hosted on Office 365.
- All systems are categorized as either production or utility to differentiate them by criticality.
- The Security Officer maintains scripts to generate inventory lists on demand using APIs provided by each cloud provider.
- These scripts are used to generate the diagrams and asset lists required by the Risk Assessment phase of LifeWIRE’s Risk Management procedures (4.3.1).
- After every use of these scripts, the Security Officer will verify their accuracy by reconciling their output with recent changes to production systems. The Security Officer will address any discrepancies immediately with changes to the scripts.
7. All frontend functionality (developer dashboards and portals) is separated from backend (database and app servers) systems by being deployed on separate servers or containers.
8. All software and systems are tested using unit tests and end-to-end tests.
9. All committed code is reviewed using pull requests to assure software code quality and proactively detect potential security issues in development.
10. LifeWIRE utilizes development and staging environments that mirror production to assure proper function.
11. LifeWIRE also deploys environments locally using Vagrant to assure functionality before moving to staging or production.
12. All formal change requests require a unique ID and authentication of the requester.
13. LifeWIRE uses the Security Technical Implementation Guides (STIGs) published by the Defense Information Systems Agency as a baseline for hardening systems.
14. Clocks are continuously synchronized to an authoritative source across all systems using NTP or a platform-specific equivalent. Modifying time data on systems is restricted.
15. The Security Officer is responsible for managing and maintaining network equipment. Data center equipment is managed directly, as the Security Officer is the only person with permitted access. LifeWIRE-owned laptop computers are managed in conjunction with the assigned employee. A network diagram is maintained by the Security Officer on OneDrive; it is updated on any change to the network configuration and is reviewed at least every 180 days.