Lab Security Policy

1.0 Purpose

Laboratory environments (labs) often require configurations and network access distinct from the standard corporate production environment, potentially introducing unique security risks. This policy establishes the information security requirements necessary to ~~help~~ manage and safeguard lab ~~resources~~resources, ~~and <Company Name> networks by minimizing~~minimize the exposure of critical infrastructure and information ~~assets~~assets, and protect the organization's networks from threats originating from or traversing lab environments. Its purpose is to ~~threats~~ensure ~~that~~labs ~~may~~are ~~result~~operated ~~from~~securely, ~~unprotected~~balancing ~~hosts~~operational ~~and~~needs ~~unauthorized~~with ~~access.~~essential security controls.

2.0 Scope

This policy applies to all employees, contractors, consultants, temporary staff, and other workers atinvolved ~~<Company~~in ~~Name>~~the ~~and~~management, ~~its~~operation, ~~subsidiaries~~or ~~must~~use ~~adhere~~of toorganizational ~~this~~labs. ~~policy.~~It ~~This~~covers ~~policy~~all ~~applies to <Company Name>~~ organization-owned and managed labs, including ~~labs~~those ~~outside~~located ~~the~~internally, ~~corporate~~externally, ~~firewall~~or within a Demilitarized Zone (DMZ).

~~General Requirements~~

~~Lab owning organizations are responsible for assigning lab managers, a point of contact (POC)~~, and applies to all associated systems, networks, equipment, hardware, software, and firmware within these lab environments.

3.0 Policy Statements

3.1 General Lab Management & Responsibility

* **Ownership and Points of Contact (POC):** Each lab must have a ~~back-up~~designated ~~POC~~owning ~~for~~organization/department, ~~each~~a ~~lab.~~primary Lab Manager, and at least one designated backup POC. Lab owners must register and maintain up-to-date POC information with the designated IT authority (e.g., Precision ~~Computer~~Computer) and ~~the~~relevant ~~Corporate~~network/asset ~~Enterprise~~management ~~Management~~teams. ~~Team.~~POCs ~~Lab managers~~(manager or ~~their backup~~backup) must be ~~available around-the-clock~~reachable for ~~emergencies,~~emergencies; ~~otherwise~~otherwise, necessary security actions ~~will~~may be taken without their direct involvement.

**Lab ~~managers~~Manager Accountability:** Lab Managers are ~~responsible~~accountable for the overall security posture of their ~~labs~~lab, and the lab's impact on the corporate production network and any other networks. Lab managers are responsible for adherence to this policy and associated processes. Where policies and procedures are undefined lab managers must do their best to safeguard <Company Name> from security vulnerabilities.

~~Lab managers are responsible for the lab's~~its compliance with all ~~<Company~~relevant ~~Name>~~organizational security ~~policies.~~policies

(including

~~The~~this ~~Lab~~one), ~~Manager~~and isits ~~responsible~~potential ~~for~~impact ~~controlling~~on ~~lab~~other ~~access.~~networks ~~Access~~(corporate or external). They must implement procedures to ~~any~~ensure ~~given~~policy ~~lab~~adherence ~~will~~and ~~only~~safeguard beagainst ~~granted~~vulnerabilities.
* by**Policy ~~the~~Compliance:** ~~lab~~All ~~manager or designee, to those individuals with an immediate business need~~activities within the ~~lab, either short-term or as defined by their ongoing job function. This includes continually monitoring the access list to ensure that those who no longer require access to the~~ lab ~~have their access terminated.~~

~~All user passwords~~ must comply with ~~<Company~~applicable ~~Name>'s~~organizational ~~Password~~policies, ~~Policy.~~including

but

~~Individual~~not ~~user~~limited ~~accounts~~to onAcceptable ~~any~~Use, Data Classification, Password, and Audit Logging policies.
* **Immediate Access for Security/Support:** Lab Managers must grant immediate access to lab ~~device~~equipment ~~must~~and besystem ~~deleted~~logs ~~when~~upon norequest ~~longer~~to authorized ~~within three (3) days. Group account passwords on lab computers (Unix, windows, etc) must be changed quarterly (once every 3 months).~~

PC-based lab computers must have <Company Name>'s standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up-to-date. Virus-infected computers must be removedpersonnel from the ~~network~~designated ~~until~~IT ~~they~~authority ~~are~~(e.g., ~~verified~~Precision asComputer) ~~virus-free.~~or ~~Lab~~Network ~~Admins/~~Support Organization for security investigations or operational support.

3.2 Access Control

* **Physical Access:** Lab Managers are responsible for ~~creating procedures that ensure anti-virus software is run at regular intervals,~~controlling and ~~computers~~managing ~~are~~physical ~~verified~~access asto ~~virus-free.~~

their

~~Any~~labs. ~~activities~~Access shall only be granted to individuals with a documented, immediate business need. Access lists must be reviewed regularly, and access promptly terminated when no longer required.
* **Logical Access:**
* Individual user accounts on lab devices must comply with the ~~intention~~organization's Password Policy.
* Individual user accounts must be disabled or deleted within three (3) days of authorization removal.
* Passwords for shared or group accounts on lab systems must be changed at least quarterly and meet complexity requirements defined in the Password Policy.

3.3 Host and System Security

* **Anti-Virus/Malware:** All PC-based lab computers capable of running such software must have organization-standard, supported anti-virus/anti-malware protection installed, configured for regular scans, and kept up-to-date (software and definitions). Infected systems must be immediately isolated from all networks until verified clean. Lab Managers must implement procedures to ~~create~~ensure ~~and/~~this.
* **Malicious Activity:** Intentionally creating or ~~distribute~~distributing malicious programs ~~into <Company Name>'s networks~~ (~~e.g.,~~ viruses, worms, ~~Trojan~~malware) ~~horses,~~is ~~e-mail bombs, etc.) are~~strictly prohibited, ~~in accordance with~~per the Acceptable Use Policy.
* **Patching:** Systems within labs should be patched according to organizational vulnerability management standards, especially if connected to other networks. Systems that cannot be patched require compensating controls and potential isolation.

No3.4 ~~lab~~Data ~~shall~~Security ~~provide~~and ~~production~~Service ~~services.~~Restrictions

* **Prohibition of Production ~~services~~Services:** ~~are~~Labs ~~defined~~must asnot ~~ongoing~~host ~~and~~ongoing, ~~shared~~shared, ~~business~~ business-critical services that generate revenue ~~streams~~ or provide primary customer ~~capabilities.~~capabilities ~~These~~("production ~~should~~services"). Such services must be managed by aappropriate ~~<proper~~production support> ~~organization.~~

organizations.
*

In**Data ~~accordance~~Classification ~~with~~Restrictions:** Information classified as Highly Confidential or Restricted (or equivalent high-sensitivity classifications per the Data Classification ~~Policy, information that~~Policy) is ~~marked as <Company Name> Highly Confidential or <Company Name> Restricted is~~generally prohibited on lab ~~equipment.~~

equipment

~~Immediate~~unless ~~access~~the tolab ~~equipment~~has specific approvals and ~~system~~security ~~logs~~controls commensurate with that data sensitivity level.
* **Audit Logging:** Lab systems must ~~be granted to members of Precision Computer and the Network Support Organization upon request, in accordance~~comply with the Audit ~~Policy.~~Logging Policy where applicable, especially for systems connected to corporate networks or handling sensitive test data.

~~Precision~~3.5 ~~Computer will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified.~~

Internal Lab Network Security ~~Requirements~~(Labs connected behind corporate firewall)

~~The~~* ~~Network~~**Firewall ~~Support~~Segregation:** ~~Organization~~All internal labs must ~~maintain~~be asegregated ~~firewall device between~~from the corporate production network via a firewall managed by the designated Network Support Organization or IT authority.
* **Network Monitoring and ~~all~~Intervention:** ~~lab equipment.~~

The Network Support Organization and/or designated IT authority (e.g., Precision ~~Computer~~Computer) reserve the right to monitor traffic and interrupt lab connections that negatively impact the corporate production network ~~negatively~~ or pose a security risk.

~~The~~**IP ~~Network~~Address ~~Support~~Management:** ~~Organization must record all~~All lab IP ~~addresses, which are~~addresses routed within ~~<Company~~organizational ~~Name>~~networks ~~networks,~~must be registered in ~~Enterprise~~the ~~Address~~central ~~Management~~IP ~~database~~address ~~along~~management system with current ~~contact information for that lab.~~

~~Any~~ lab ~~that~~POC ~~wants~~information.
* to**External ~~add~~Connections:** anAdding direct external ~~connection~~network ~~must~~connections ~~provide~~(e.g., aInternet, ~~diagram~~partner ~~and~~networks) ~~documentation~~requires ~~to Precision Computer with~~documented business justification, ~~the~~network ~~equipment,~~diagrams, and formal review and approval by the IPdesignated ~~address~~IT ~~space~~authority ~~information.~~(e.g., Precision ~~Computer~~Computer) ~~will~~*before* ~~review~~implementation.
* ~~for~~**Prohibition ~~security~~of ~~concerns~~Cross-Connections:** ~~and~~Devices ~~must~~(wired ~~approve~~or ~~before~~wireless) ~~such connections are implemented.~~

~~All traffic between the corporate production and~~within the lab ~~network must go through a Network Support Organization maintained firewall. Lab network devices (including wireless)~~ must not ~~cross-connect~~create unauthorized connections that bypass the designated firewall between the lab and production networks.

~~Original~~**Firewall Configuration Control:** Initial firewall configurations and ~~any~~subsequent changes ~~thereto~~require review and approval by the designated IT authority (e.g., Precision Computer).
* **Prohibition of Disruptive Activities:** Labs must benot ~~reviewed and approved by Precision Computer. Precision Computer may require security improvements as needed.~~

~~Labs are prohibited from engaging~~engage in activities like unauthorized port scanning, network auto-discovery, or traffic ~~spamming/flooding, and other similar activities~~flooding/spamming that could negatively impact ~~the~~ corporate ~~network and/~~or ~~non-<Company Name>~~external networks. ~~These~~Such ~~activities~~testing must be ~~restricted~~contained strictly within the ~~lab.~~

isolated

lab environment.
* **Inter-Lab Traffic:** Traffic between ~~production~~lab networks ~~and lab networks, as well as traffic~~or between ~~separate~~labs ~~lab~~and ~~networks,~~production ismay be permitted based on approved business ~~needs~~needs, provided it is properly secured (e.g., via firewall rules) and ~~as long as the traffic~~ does not introduce unacceptable risk or negatively impact onnetwork ~~other networks.~~performance. Labs must not advertise ~~network~~ services that ~~may~~could ~~compromise~~conflict with production ~~network~~services.
* ~~services~~**Auditing orRights:** ~~put~~The ~~lab~~designated ~~confidential~~IT ~~information~~authority at(e.g., ~~risk.~~

Precision ~~Computer~~Computer) reserves the right to audit ~~all~~lab ~~lab-related~~network ~~data~~traffic, configurations, and administration ~~processes~~processes.
* at**Gateway ~~any~~Device ~~time,~~Security:** ~~including but not limited to, inbound and outbound packets, firewalls and network peripherals.~~

~~Lab~~ Lab-owned gateway devices ~~are~~(routers, ~~required~~firewalls) tomust comply with ~~all <Company Name> product~~relevant security ~~advisories~~advisories/patching requirements and ~~must~~should authenticate administrative access against ~~the~~central ~~Corporate~~authentication ~~Authentication~~servers ~~servers.~~

where

~~The~~feasible. ~~enable~~Enable/privileged ~~password~~access ~~for all lab owned gateway devices~~passwords must be ~~different~~unique, ~~from~~comply ~~all other equipment passwords in~~with the ~~lab.~~Password ~~The~~Policy, ~~password must~~and be inrestricted ~~accordance~~to authorized administrators.

3.6 Security for Labs with ~~<Company~~Non-Organizational ~~Name>'s~~Personnel ~~Password~~Access ~~Policy.~~(e.g., Training ~~The password will only be provided to those who are authorized to administer the lab network.~~Labs)

In* ~~labs~~Labs where non-~~<Company Name>~~organizational personnel have physical access ~~(e.g.,~~must ~~training~~*not* ~~labs),~~have direct connectivity to the corporate production ~~network~~network.
* ~~is not allowed. Additionally, no <Company Name>~~Organizational confidential information ~~can~~must not reside on ~~any~~systems ~~computer equipment in~~within these labs.
* Connectivity ~~for authorized personnel from~~*from* these labs ~~can be allowed to~~*to* the corporate production network ~~only~~for ifauthorized personnel must use secure, authenticated ~~against~~methods approved by the ~~Corporate~~designated ~~Authentication~~IT ~~servers,~~authority (e.g., Precision Computer), such as client VPNs, SSH tunnels, or temporary authenticated access lists ('lock and ~~key), SSH, client VPNs, or similar technology approved by Precision Computer.~~key').

~~Lab~~3.7 networks with external connections are prohibited from connecting to the corporate production network or other internal networks through a direct connection, wireless connection, or other computing equipment.

DMZ Lab Security Requirements

~~New~~* **Approval:** Establishing new DMZ labs ~~require~~requires astrong business justification and executive (VP-level ~~approval~~or ~~from~~higher) ~~the~~approval. ~~business~~Significant ~~unit. Changes~~changes to ~~the~~existing DMZ lab connectivity or purpose ofrequire ~~an existing DMZ lab must be reviewed~~review and ~~approved~~approval by the designated IT authority (e.g., Precision Computer ~~Team.~~Team).
*

**Physical

Security:** DMZ labs must bereside ~~in a~~within physically ~~separate~~secure, dedicated spaces (room, cage, or ~~secured~~locked ~~lockable rack~~racks) with ~~limited~~strictly ~~access.~~controlled Inaccess ~~addition,~~lists maintained by the Lab ~~Manager~~Manager.
* ~~must~~**Network ~~maintain~~Management:** ~~a list of who has access to the equipment.~~

DMZ lab ~~POCs~~personnel ~~must~~are ~~maintain~~responsible for managing network devices ~~deployed in~~within the ~~DMZ~~ lab up to the ~~network support organization~~demarcation point defined by the Network Support Organization.
* **Prohibition of ~~demarcation.~~

Internal

Connections:** DMZ labs ~~must~~are ~~not~~strictly ~~connect~~prohibited from having any direct or logical connection (e.g., IPsec tunnel, wireless bridge, multi-homed host) to corporate internal ~~networks,~~networks.
* ~~either~~**Internet ~~directly,~~Firewall:** ~~logically (for example, IPSEC tunnel), through a wireless connection, or multi-homed machine.~~

An approved ~~network~~firewall, ~~support~~managed ~~organization~~by the Network Support Organization or IT authority, must ~~maintain a firewall device~~exist between the DMZ lab and the Internet. ~~Firewall devices~~Configurations must be ~~configured~~ based on the principle of least ~~privilege access principles and the DMZ lab business requirements. Original firewall configurations and subsequent changes must be~~privilege, reviewed and approved by the IT authority (e.g., Precision Computer ~~Team.~~Team), ~~All~~and all Internet traffic ~~between~~must traverse this firewall. Bypassing the firewall is prohibited.
* **Device Standardization:** Routers and switches within the DMZ lab ~~and the Internet must go through the approved firewall. Cross-connections that bypass the firewall device are strictly prohibited.~~

~~All routers and switches~~ (not used for ~~testing~~testing) ~~and/or training must~~should conform to ~~the~~applicable ~~DMZ~~organizational ~~Router~~standards.
* ~~and~~**Secure ~~Switch~~Host ~~standardization~~Configuration:** ~~documents.~~

Operating systems of ~~all~~ hosts ~~internal~~providing toservices within the DMZ ~~lab running Internet Services~~ must ~~be configured~~adhere to ~~the~~ secure ~~host installation and~~baseline configuration standards published by the designated IT authority (e.g., Precision Computer ~~Team.~~

Team).
*

**Secure Administration:** Remote administration must beutilize ~~performed~~secure, ~~over secure~~encrypted channels (~~for~~e.g., ~~example,~~SSH, ~~encrypted~~IPsec ~~network connections using SSH~~VPN) or ~~IPSEC)~~dedicated, orout-of-band ~~console access independent from the DMZ~~management networks.

**No Open Proxies:** DMZ lab devices must not be anconfigured as open ~~proxy~~proxies to the Internet.
*

**Security

Intervention:** The Network Support Organization ~~and~~and/or designated IT authority (e.g., Precision ~~Computer~~Computer) reserve the right to interrupt DMZ lab connections if a security ~~concern~~risk ~~exists.~~is identified.

4.0 Compliance

4.1 Compliance Measurement

The designated IT authority (e.g., Precision Computer ~~team~~team) will verify compliance towith this policy through various methods, including ~~but~~network ~~not~~scans, ~~limited~~vulnerability ~~to,~~assessments, ~~periodic~~configuration audits, physical inspections (walk-~~thrus,~~thrus), ~~video~~review ~~monitoring,~~of ~~business~~access ~~tool reports, internal~~logs and procedures, internal/external audits, and ~~feedback~~investigation of security incidents.

4.2 Exceptions/Waivers

Requests for waivers or exceptions to ~~the policy owner.~~

~~Any exception to the~~this policy must be ~~approved~~formally documented with business justification, risk assessment, and proposed compensating controls. Exceptions require review and advance approval by the designated IT authority (e.g., Precision Computer ~~Team~~Team) inon ~~advance.~~a case-by-case basis.

An4.3 ~~employee~~Enforcement

~~found~~

Non-compliant labs may face network isolation or disconnection. Failure by Lab Managers or personnel to ~~have~~adhere ~~violated~~to this policy may beresult ~~subject to~~in disciplinary action, up to and including termination of ~~employment.~~employment or contract.

~~Audit~~5.0 ~~Policy~~Definitions

* **DMZ (Demilitarized Zone):** A perimeter network segment logically placed between an internal network and an external network (like the Internet), designed to host external-facing services while protecting the internal network.
* **Firewall:** A network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
* **Lab Manager:** The individual assigned primary responsibility for the operation, management, and security of a specific laboratory environment.
* **POC (Point of Contact):** An individual designated as a contact person for a specific lab or function.
* **Production Services:** Ongoing, shared, business-critical IT services essential for core operations, revenue, or customer functions, typically managed under stricter change control and support agreements than lab environments.

* Acceptable Use Policy

Audit Logging Policy
* Data Classification Policy

Password Policy
* Physical Security Policy
* Remote Access Policy
* Change Management Policy
* Vulnerability Management Policy
* Wireless Security Policy

~~The following definition and terms can be found in the SANS Glossary located at:~~

~~https://www.sans.org/security-resources/glossary-of-terms/~~

~~DMZ~~

~~Firewall~~