Network Security
The Network Security group will implement and maintain controls required to protect against risk realization and losses associated with security threats to Flosum networks and network resources. Multiple layers of controls to secure, manage and monitor the network environment are required and shall be implemented as appropriate. Controls must exist to protect network devices against unauthorized entry, protect sensitive information as it traverses the Flosum network, and monitor for any unauthorized access that could compromise the confidentiality, integrity or availability of the network infrastructure.
Perimeter controls must be implemented to appropriately secure the network, prevent unauthorized entry or access, and mitigate potential security or operational threats to the Flosum network environment. Perimeter controls include, but are not limited to, firewalls, routers, intrusion prevention and detection systems, and security information management systems to provide data gathering, notification and analysis. Active management and monitoring of perimeter devices are required to help ensure that current access controls and settings are appropriate based on security and business needs.
Additionally, remote access controls must be implemented to further protect the Flosum network environment from inappropriate access. Flosum employees remotely accessing the Flosum environment are required to use a firewall and anti-malware software. Any device accessing the Flosum network environment (including devices located in remote locations) must meet Flosum security requirements for hardware, interoperability and change management. Where possible, operational responsibility for networks should be managed separately from computer operations.
To add a further layer of security, internal and external transmission controls, such as the use of an encrypted protocol, and controls to monitor network activity must be in place to maintain the confidentiality and integrity of information as it travels in, across, and out of Flosum’s network environment. Monitoring controls must be implemented on Flosum networks to identify and report anomalous activity to appropriate management or response groups. In the event a security-related event is identified, timely investigation and remediation are required.
Information technology continues to advance and threats against network environments continue to evolve. To help ensure Flosum network environments are appropriately protected against current and evolving threats, periodic reviews of security practices are required. The scope of network testing must include the security of network entry points into Flosum’s network environments to identify and correct any potential weaknesses that could be exploited. Management oversight should be applied so that the controls are applied consistently across the applicable infrastructure while continuing to optimize the service to the enterprise.
Mobile Device Policy
The use of personal devices to connect to Flosum network resources, not directly associated with satisfying work obligations, is strictly prohibited.
Physical devices (i.e. laptops, cell phones, tablets, portable storage media, and other mobile devices) must be securely safeguarded when they are not in use.
Lost or stolen Flosum IT Resources must be reported immediately to the appropriate personnel.
Confidential or client data cannot be stored on portable devices and/or media unless:
Specifically required to achieve a business purpose
Authorized by the Flosum office of the Chief Information Security Officer
Such storage is not in violation of regulatory or contractual obligations
Appropriate controls are put into place to safeguard the data
Flosum confidential or client data must be encrypted if stored on portable devices in accordance with encryption standards.