1.0 Purpose
One of Voyages Encore Travel Inc.’s objectives is to secure all networks under its control from intrusions and to provide and maintain the security of its infrastructure and data. This policy provides guidelines to ensure the availability and reliability of all resources owned by Voyages Encore Travel Inc.
2.0 Scope
This policy applies to all network infrastructure, both physical and virtual, owned and/or managed by Voyages Encore Travel Inc. It covers the entire network infrastructure lifecycle, including design, installation, testing, support and management.
3.0 Policy
Voyages Encore Travel Inc. defines a baseline for network configurations between different systems and maintains an inventory of network devices and access points.
Voyages Encore Travel Inc.’s network and infrastructure must be secured against intrusions and network failures that would affect the confidentiality, availability and integrity of its information and information assets.
Connections between Voyages Encore Travel Inc. and third parties (vendors, customers and subsidiaries) should be provided only after a formal risk assessment and authorization.
Voyages Encore Travel Inc.’s networks shall be segregated from external networks by resources (firewalls, security groups, network ACLs (access-control lists), etc.) that allow Voyages Encore Travel Inc.’s network staff to apply rules determining which network traffic is allowed. Voyages Encore Travel Inc. must also exercise due care in protecting any customer network interconnected with its own from threats originating from within Voyages Encore Travel Inc.
3.1 Network Data Security
Appropriate encryption and authentication methods must be used for the transmission of any data traversing an untrusted network or the internet.
Currently accepted protocols and standards must be used for all network traffic. Protocols and standards considered obsolete must not be used, and any resource still relying on an obsolete protocol must be upgraded.
3.1.1 Sensitive Data
Strong encryption (at least AES with 256-bit keys) and strong authentication (MFA where possible) must be used for the transmission of sensitive data. VPNs (Virtual Private Networks) or SSH (Secure Shell) tunnels to remote servers are to be used so that such transmissions travel over an encrypted and authenticated channel.
3.2 Network Security Management
- Infrastructure owned and managed by Voyages Encore Travel Inc. must be documented and configured securely and designed to secure network traffic between trusted and untrusted network zones.
- Every network resource used in Voyages Encore Travel Inc.’s network must be appropriately documented and configured and must meet the security requirements for its purpose. Make appropriate use of internal/private subnets and public subnets/DMZs (demilitarized zones).
- All traffic and protocols must be expressly denied except for those necessary for business purposes.
- Voyages Encore Travel Inc.’s network must be isolated from any unsecured networks, the internet and third-party networks through controls such as firewalls, security groups and ACLs. In addition, intrusion detection and prevention systems must be in place to monitor and alert on unusual activity.
***
Policy Conditions for PCI DSS:
- Voyages Encore Travel Inc. must monitor all traffic at the perimeter of the cardholder data environment (CDE) as well as at critical points in the cardholder data environment and alert authorized personnel to suspected compromises. All intrusion detection and prevention engines, baselines, and signatures must be kept up to date.
- A business justification and approval document must be maintained for any insecure services, protocols or ports that are allowed, including the security features implemented to protect those protocols.
***
3.3 Remote Access
All remote access to Voyages Encore Travel Inc.’s systems must use VPN, be encrypted and use currently accepted encryption protocols.
All intranet users with connections originating from the Internet shall be authenticated over an encrypted connection. The password policy must be enforced for all applications used over the Internet.
3.4 Third-Party Interconnection
There must be a third-party agreement with vendors, customers or partners before interconnecting with the Voyages Encore Travel Inc. network.
Customer or partner networks interconnecting with the Voyages Encore Travel Inc.’s network must be isolated from each other.
All customer traffic over a dedicated link must be encrypted using appropriate technology, including VPN connections where the customer requires them.
Access to customer networks shall be granted only to specific Voyages Encore Travel Inc. employees based on business need and only after proper authorization.
3.5 Logging and Monitoring
Logging must be enabled for all network resources, including logging of configuration changes, and logs should be forwarded to a central source such as a syslog server or a centralized log management platform.
All administrator access to the network and network security products must be authorized, logged and monitored. All network services and their usage must be monitored by Voyages Encore Travel Inc.’s IT team. All firewall traffic must be monitored for possible misuse and intrusions.
The use of network resources must be monitored and tuned, and projections made for future capacity requirements, to ensure the required system performance.
Alerts from detection systems must be configured to be sent to the IT team for review and investigation, where applicable.
***
Policy Conditions for PCI DSS:
Voyages Encore Travel Inc. must
- Implement audit trails that link all access to system components to each individual user.
- Implement automated audit trails for all system components.
- Maintain detailed records (user identification, type of event, date and time etc.) for each event of all system components.
- Review logs and security events for all system components to identify anomalies or suspicious activity.
***
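The log review required in 3.5 and in the PCI DSS conditions above is easier to reason about with a concrete check. The following is an added example, not part of this policy or of Voyages Encore Travel Inc.’s tooling: it parses a handful of constructed syslog lines written in the style of Cisco IOS messages (not real captures), links each configuration change and login to a user and a source address, and raises the alerts a reviewer would act on. The host names, addresses and the management subnet (`MGMT_NET`) are assumptions made for the example.

```python
"""Added example: review constructed network-device syslog lines for the
events section 3.5 says must be logged and reviewed (admin logins,
configuration changes, suspicious activity). Host names, addresses and the
management subnet are assumptions; the sample lines are constructed in the
style of Cisco IOS syslog, not real captures."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

MGMT_NET = ip_network("10.10.4.0/24")  # assumed: admin access must originate here

# Constructed sample log (not real data).
SAMPLE_LOG = """\
<189>Jan 12 03:14:07 core-sw1 %SYS-5-CONFIG_I: Configured from console by jdoe on vty0 (10.10.4.4)
<189>Jan 12 03:15:20 edge-fw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: svc-backup] [Source: 198.51.100.77] [localport: 22] at 03:15:20 UTC Mon Jan 12 2026
<188>Jan 12 03:16:00 core-sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 03:16:00 UTC Mon Jan 12 2026
<188>Jan 12 03:16:04 core-sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 03:16:04 UTC Mon Jan 12 2026
<188>Jan 12 03:16:09 core-sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 03:16:09 UTC Mon Jan 12 2026
<189>Jan 12 03:20:41 core-sw1 %SYS-5-CONFIG_I: Configured from console by asmith on vty1 (192.0.2.15)
<189>Jan 12 03:21:02 core-sw1 %SYS-5-CONFIG_I: Configured from console by console
"""

HEADER = re.compile(r"^<\d+>(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s"
                    r"%(?P<mnemonic>[A-Z_]+-\d-[A-Z_]+):\s(?P<body>.*)$")
CONFIG_BY = re.compile(r"\bby (?P<user>\S+)(?: on (?P<line>\S+) \((?P<src>[\d.]+)\))?")
LOGIN = re.compile(r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]")


def parse_line(line):
    """Return a dict with host, mnemonic, kind, user and src, or None if unparsable."""
    m = HEADER.match(line)
    if not m:
        return None
    ev = m.groupdict()
    mnemonic, body = ev["mnemonic"], ev["body"]
    if mnemonic == "SYS-5-CONFIG_I":
        d = CONFIG_BY.search(body)
        ev.update(kind="config", user=d["user"] if d else None, src=d["src"] if d else None)
    elif mnemonic.startswith("SEC_LOGIN-"):
        d = LOGIN.search(body)
        ev.update(kind="login_ok" if mnemonic.endswith("LOGIN_SUCCESS") else "login_fail",
                  user=d["user"] if d else None, src=d["src"] if d else None)
    else:
        ev.update(kind="other", user=None, src=None)
    return ev


def from_mgmt(src):
    """True when the source address lies inside the assumed management subnet."""
    return src is not None and ip_address(src) in MGMT_NET


def review(log_text, fail_threshold=3):
    """Return the alerts a reviewer should act on, in the order they arise:
    config changes not linked to an individual user, config changes or
    successful logins from outside the management subnet, and repeated
    login failures for the same user from the same source."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["kind"] == "other":
            continue
        who = {"host": ev["host"], "user": ev["user"], "src": ev["src"]}
        if ev["kind"] == "config" and ev["src"] is None:
            alerts.append({"kind": "config-change-unattributed", **who})
        elif ev["kind"] == "config" and not from_mgmt(ev["src"]):
            alerts.append({"kind": "config-change-outside-mgmt", **who})
        elif ev["kind"] == "login_ok" and not from_mgmt(ev["src"]):
            alerts.append({"kind": "login-from-outside-mgmt", **who})
        elif ev["kind"] == "login_fail":
            failures[(ev["host"], ev["user"], ev["src"])] += 1
    for (host, user, src), n in failures.items():
        if n >= fail_threshold:
            alerts.append({"kind": "repeated-login-failures", "host": host,
                           "user": user, "src": src, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this produces four alerts: a successful login from an internet address, a configuration change from outside the management subnet, a configuration change that cannot be tied to a named user (a console session without AAA login), and a burst of failed logins for one account from one source. The unattributed change is the one that matters most for the audit-trail condition above: a log line that records a change but not who made it does not satisfy the requirement to link access to an individual user.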
3.6 Set Correct Time and Date
All network device clocks must be synchronized using the Network Time Protocol (NTP), and the correct time zone must be set on all equipment, so that log entries from different devices can be correlated.
3.7 Network Resources Configuration
Network configurations for all infrastructure should be stored in a central repository to restore the configuration if required. All changes to the network configuration must be logged and tested before being deployed to production environments. The use of Infrastructure-as-Code tools (CloudFormation, Terraform, etc.) is recommended.
3.8 Physical Router and Switch Security
Physical Security
Routers and switches must be located in a locked room and not accessible to unauthorized personnel. Devices must have adequate cooling, a reliable power supply and/or plug into a right-sized uninterruptible power supply (UPS). Wireless access points should either be in a locked room or located high on the ceiling, where it would be evident if someone were physically accessing the device.
Privilege Access Control
- Routers must be secured with complex passwords on all access paths, including the console, AUX and VTY lines, to prevent initial access. VTY lines should accept SSH only; Telnet carries credentials in cleartext and falls under the prohibition on obsolete protocols in 3.1.
- Privileged access to make configuration changes should be restricted to authorized personnel only.
- Passwords should follow Voyages Encore Travel Inc.’s password policy.
- Access control shall be used to provide separate authentication, authorization, and accounting services for network-based access.
- A Privileged Access Management solution can be implemented to control credentials accessing the device and commands executed when a session is initiated, providing a complete audit of both commands and sessions.
Switch Security
Switch ports should be locked down by configuring port security features so that a port accepts only the first authorized device that connects to it (for example, by limiting the port to that device’s MAC address and shutting the port down on a violation). Unused ports should be disabled.
3.9 Network Design and Audits
- Network design shall allow legitimate traffic to flow through the appropriate zones, segments and/or resources, and unwanted traffic shall be detected and dropped. Firewalls, Virtual Local Area Networks (VLANs) and/or Access Control Lists (ACLs) shall be implemented to achieve this.
- Private and public subnets should be used appropriately. Any resource that does not need direct access to the internet should be placed in a private subnet.
- Development/testing, production and corporate resources should not be in the same network segments.
- IP phones and IoT devices should be logically separated on the network.
- A network diagram should provide an overview of network resources deployed, network traffic flows and should identify physical and/or logical security controls that are in place to direct legitimate traffic and detect and drop unnecessary or unwanted traffic.
- Firewall policies and ACLs should be tested to ensure that whatever is not explicitly permitted is denied. The network should be audited against the network diagram by conducting vulnerability scans and penetration tests on strategic areas of the network, and identified high risks must be mitigated.
***
Policy Conditions for PCI DSS:
- Prohibit direct public access between the Internet and any system component in the cardholder data environment.
- Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
- Limit inbound Internet traffic to IP addresses within the DMZ.
- Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
- Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
- Permit only “established” connections into the network.
- Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
- Do not disclose private IP addresses and routing information to unauthorized parties.
***
3.10 Develop and Maintain Expertise
Ensure that network support personnel are adequately trained in implementing and supporting a secured network infrastructure through training and drills.
3.11 Patching
Network resources shall be patched and updated on a documented, regular and timely schedule. The Common Vulnerability Scoring System (CVSS) should be used to help set patching priorities and time frames.
Applicable critical vendor-supplied security patches shall be applied within a defined time frame after release; all other applicable vendor-supplied security patches shall be installed according to the defined patching schedule.
In addition to the patching guidelines, vulnerabilities and exploitable findings deemed critical by Voyages Encore Travel Inc., regardless of CVSS score, must be patched as soon as possible.