 

 

Third Party Policy
 

 

1.0 PURPOSE

To ensure a secure method of network connectivity between ASCL and all third parties, and to provide a formalized method for the request, approval and tracking of such connections.

2.0 SCOPE

External company data network connections to ASCL can create potential security exposures if not administered and managed correctly and consistently. These exposures may include non-approved methods of connection to the ASCL network, the inability to shut down access in the event of a security breach, and exposure to hacking attempts. This policy applies to all new Third Party Network Connection requests and any existing Third Party Network Connections. When existing Third Party Network Connections do not meet all of the guidelines and requirements outlined in this document, they will be re-engineered as needed.

3.0 DEFINITIONS

  1. A "Network Connection" is defined as one of the connectivity options listed in Section B. below.

  2. "Third Parties" is defined as ASCL Partners, Vendors, Suppliers and the like.

4.0 THIRD-PARTY CONNECTION REQUESTS AND APPROVALS

All requests for Third Party connections must be made using the appropriate method based on the support organization. The required information is outlined in the Third Party Connection Request - Information Requirements Document (Annexure I). All information requested on this form must be completed prior to approval and sign off. It is Company's responsibility to ensure that Company has provided all of the necessary information and that such information is correct.

All Third Party connection requests must have the ASCL Vice President (Networks) level signature for approval. In some cases approval may be given at a lower level with pre-authorization from the appropriate ASCL Security Manager. Also, all Third Parties requesting a Network Connection must complete and sign the ASCL Non-Disclosure Agreement.

As a part of the request and approval process, the technical and administrative contact within Company's organization or someone at a higher level within Company will be required to read and sign the "Third Party Connection Agreement" and any additional documents, such as the ASCL Non-Disclosure Agreement.

5.0 THIRD-PARTY (PARTNER) ACCESS POINTS

When possible, Third Party (Partner) Access Points (PAPs) should be established in locations such that the cost of the access is minimized. Each PAP should consist of at least one router with a leased line with Frame Relay and/or ISDN capability.

6.0 SERVICES PROVIDED

In general, services provided over Third Party Network Connections should be limited only to those services needed, and only to those devices (hosts, routers, etc.) needed. Blanket access will not be provided for anyone. The default policy position is to deny all access and then only allow those specific services that are needed and approved by ASCL pursuant to the established procedure.

In no case shall a Third Party Network Connection to ASCL be used as the Internet connection for the Third Party.

The standard set of allowable services is listed below:

  1. File Exchange via ftp - Where possible, file exchange via ftp should take place on the existing ASCL ftp servers (ftp-eng.ASCL.com for engineering-related work or ftp.ASCL.com for all other work). IT-supported Third Party connections have additional FTP services provided by a server on the Partners Network.

  2. Electronic Mail Exchange - Business-related email exchange between ASCL and Third Parties may be conducted over the Network Connection as needed. Mail from Third Party sites to non-ASCL addresses will not be allowed over the Network Connection.

  3. Telnet Access - Telnet access will be provided to specific ASCL hosts, as needed. Employees from Third Parties will only be given accounts on the specific ASCL hosts that are needed.

  4. Web Resource Access - Access to internal web resources will be provided on an as-needed basis. Access will be provided by mirroring the appropriate web resources to a web server that resides on the Partners Network. Access to ASCL's public web resources will be accomplished via the normal Internet access for the Third Party.

  5. Access to Source Code Repositories - This access will be decided on a case-by-case basis.

  6. Print Services - Print services can be provided to ASCL IT-supported Third Party connections via two print spoolers on the ASCL Partners Network. ASCL-owned printers that boot off the print spoolers will be located on the ASCL-extended network at the Third Party sites.

  7. NT File Exchange - File exchange will be provided by NT file servers located on the ASCL Partners Network. Each Third Party needing NT File exchange will be provided with a separate folder that is only accessible to that Party and the necessary people at ASCL.

7.0 ASCL EQUIPMENT AT THIRD PARTY SITES

In many cases it may be necessary to have ASCL-owned and maintained equipment at a Third Party site. All such equipment will be documented on the Third Party Connection Request - Information Requirements Document. Access to network devices such as routers and switches will only be provided to ASCL support personnel. All ASCL-Owned Equipment located at Third Party sites must be used only for business purposes. Any misuse of access or tampering with ASCL-provided hardware or software, except as authorized in writing by ASCL, may, in ASCL's sole discretion, result in termination of the connection agreement with the Third Party. If ASCL equipment is loaned to a Third Party, the Third Party will be required to sign an appropriate ASCL Equipment Loan Agreement, if one is required.

8.0 PROTECTION OF COMPANY PRIVATE INFORMATION AND RESOURCES

The ASCL network support group responsible for the installation and configuration of a specific Third Party Connection must ensure that all possible measures have been taken to protect the integrity and privacy of ASCL confidential information. At no time should ASCL rely on access/authorization control mechanisms at the Third Party's site to protect or prohibit access to ASCL confidential information.

Enable-level access to ASCL-owned/maintained routers on Third Party premises will only be provided to the appropriate support organization. All other business personnel (i.e. Partner Site local technical support personnel) will have restricted access/read-only access to the routers at their site and will not be allowed to make configuration changes.

ASCL shall not have any responsibility for ensuring the protection of Third Party information. The Third Party shall be entirely responsible for providing the appropriate security measures to ensure protection of their private internal network and information.

9.0 AUDIT AND REVIEW OF THIRD PARTY NETWORK AND CONNECTIONS

All aspects of Third Party Network Connections, up to but not including Company's firewall, will be monitored by the appropriate ASCL network support group. Where possible, automated tools will be used to accomplish the auditing tasks. Monthly reports should be generated on the Partners Authentication database showing the specific login entries and the appropriate ASCL POC.

Each ASCL Partner POC will receive a copy of the monthly reports showing all of the accounts pertaining to his/her area. Copies of the reports will also be mailed to the department directors.

All Third Party Network Connections will be reviewed on a quarterly basis and information regarding specific Third Party Network Connections will be updated as necessary. Obsolete Third Party Network Connections will be terminated.

10.0 COMPLIANCE

  1. Audits will be performed on a regular basis by authorized organizations within ASCL.

  2. Audits will be managed by the internal audit group or the ASCL Information Security Department, in accordance with the Audit Policy. The ASCL Information Security Department will filter findings not related to a specific operational group and then present the findings to the appropriate support staff for remediation or justification.

  3. Every effort will be made to prevent audits from causing operational failures or disruptions.

11.0 ENFORCEMENT

Any person bound by this policy who intentionally and/or knowingly violates this policy shall be subject to action deemed fit by the Governing Board of the Asian School of Cyber Laws and shall also be liable to pay adequate and prompt compensation. Such action shall not preclude adequate civil and / or criminal remedy as per the applicable law.

12.0 DEFINITIONS

  1. DMZ (De-militarized Zone): A network segment external to the corporate production network.

  2. Server: For purposes of this policy, a Server is defined as an internal ASCL Server. Desktop machines and Lab equipment are not relevant to the scope of this policy.

13.0 REVISION HISTORY

This document was created on 12-02-2002 and was last updated on 1-03-2003. Please note that this document is updated on a regular basis and the latest version can be obtained from:

THIRD PARTY CONNECTION REQUEST - INFORMATION REQUIREMENTS DOCUMENT

In accordance with the Network Connection Policy, all requests for Third Party Network Connections must be accompanied by this completed Information Requirements Document. This document should be completed by the ASCL person or group requesting the Network Connection.

  1. Contact Information

    • Requester Information

      • Name:
      • Department Number:
      • Manager's Name:
      • Director's Name:
      • Phone Number:
      • Email Address:

    • Technical Contact Information

      • Name:
      • Department:
      • Manager's Name:
      • Director's Name:
      • Phone Number:
      • Pager Number:
      • Email Address:

    • Back-up Point of Contact:

      • Name:
      • Department:
      • Manager's Name:
      • Director's Name:
      • Phone Number:
      • Pager Number:
      • Email Address:

    • Problem Statement/Purpose of Access

      What is the desired end result? Company must include a statement about the business needs of the proposed connection.

    • Scope of Needs

      In some cases, the scope of needs may be jointly determined by the supporting organization and the Third Party.

    • What services are needed?

      • What are the privacy requirements (i.e. do you need encryption)?
      • What are the bandwidth needs?
      • How long is the connection needed?
      • Future requirements, if any.

    • Third Party Information

      • Third Party Name
      • Management contact (Name, Phone number, Email address)
      • Location (address) of termination point of the Network Connection (including building number, floor and room number)
      • Main phone number
      • Local Technical Support Hours (7X24, etc).
      • Escalation List
      • Host/domain names of the Third Party
      • Names (Email addresses, phone numbers) of all employees of the Third Party who will use this access. If not appropriate to list the names of all employees, then provide a count of the number of employees who will be using the connection.

    • What type of work will be done over the Network Connection?

      • What applications will be used?
      • What type of data transfers will be done?
      • How many files are involved?
      • What are the estimated hours of use each week?
      • What are peak hours?

    • Are there any known issues such as special services that are required? Are there any unknown issues at this point, such as what internal ASCL services are needed?

    • Is a backup connection needed? (e.g., are there any critical business needs associated with this connection?)

    • What is the requested installation date? (Minimum lead-time is 60 days)

    • What is the approximate duration of the Third Party Network Connection?

    • Has a Non-Disclosure Agreement been signed with the Third Party or the appropriate employees of the Third Party?

    • Are there any existing Network Connections at ASCL with this company?

    • Other useful information

 

 


© 2007 Asian School of Cyber Laws. All rights reserved.