Key details

  • Policy became operational on: 4 January 2019
  • Next review date: 1 April 2023

This policy is to ensure that hardware and software utilised by Kick Digital are as secure as possible. As a general principle, Kick Digital IT systems shall be locked down as much as possible without inhibiting Kick Digital business requirements.

Least Privilege

Access to Kick Digital IT systems shall be on the basis of ‘Least Privilege’. This applies to administrator and user access to:

  • Hardware – servers.
  • Software – Operating Systems and Applications.
  • Data.
  • Network Configurations.
  • Protocols.
  • Security features – e.g. Anti-Virus, Intrusion Detection Systems, Firewalls, Switches and Routers.

Secure Configuration Approach

Kick Digital controlled systems and services shall be assessed to determine exactly what business functionality is required; all unnecessary functionality shall be removed and default configurations updated.

Kick Digital's secure configuration approach shall aim to:

  • Prevent the introduction of unauthorised applications/software or malicious code.
  • Limit the ability for the unauthorised export of data onto peripheral devices or removable media.
  • Ensure least privilege of access to services and applications.
  • Improve the efficiency and accuracy of patching and update services.

Baseline Configuration

Baseline security configurations shall be developed to ensure a consistent build status for all client and server systems.

Protective monitoring shall be in place to detect any attempt to modify the configuration of client and server systems.

All client systems shall be configured to boot up to a secure state. It should not be possible to modify the boot configuration.

Host System Lockdown

Client and server systems shall be locked down to remove, prevent or limit access to unnecessary physical and logical communications ports (e.g. USB, TCP/IP), removable media (e.g. CD/DVD drives), network communications interfaces (e.g. Infrared, Bluetooth, and Wireless).

Operating System Lockdown

Operating systems should be locked down to remove or prevent access to unnecessary applications and services.

Client and server systems should only host the applications required to carry out the business processes.