Baseline Security Controls Policy

1. This document outlines a baseline security controls policy for company information technology systems and infrastructure.
2. The policy defines responsibilities for various roles, including the Chief Information & Digital Officer and Information Risk Committee. It also establishes requirements around audit records, configuration management, vulnerability management, transmissions controls, protection of information at rest, media protection, manufacturing systems, and monitoring and compliance.
3. Exceptions to the policy require approval from the Chief Information & Digital Officer and Information Risk Committee. The policy is intended to define minimum security controls across the IT environment.

Uploaded by Clyde Ben Balete

Published MasterControl documents frequently use JavaScript. If you are seeing this message, your viewer either does not support JavaScript or it is disabled. If you are using Adobe Acrobat, please enable JavaScript. If you are using another viewer, you will need to configure your browser to view PDF files externally in Adobe Acrobat.
1. Purpose
1.1. The purpose of this policy is to define the baseline security requirements of the Information
Technology systems and supporting infrastructure.

2. Scope
2.1. This policy applies to all Company Information Technology systems and infrastructure.

3. References

3.1. None

4. Definitions

4.1. Audit Log – a chronological record of system activities, including records of system accesses
and operations performed during a defined period of time.

4.2. Audit Record – an individual entry in an audit log related to an audited event.

4.3. Cryptographic Mechanisms – a means to render data unintelligible except to intended recipients.

4.4. Default Credentials – the vendor-defined username and password for a given system.

4.5. Malicious code protection – a program specifically designed to detect many forms of malware
and prevent them from infecting computers, as well as cleaning computers that have already
been infected.

4.6. Security Patch – a solution to resolve a flaw or weakness in a system.

4.7. Sensitive Company Information – any company owned information that, if disclosed, could
impact legal or regulatory compliance; or data that is critical to the business operations.

5. Responsibilities
5.1. Chief Information & Digital Officer is responsible for owning and administering this policy and for
establishing and maintaining the Cybersecurity program.
5.2. Information Risk Committee is responsible for risk management and policy decisions and for
approving exceptions to this policy.
5.3. Business Insights & Technology Solutions (BI&TS) Leaders are responsible for implementing the
controls outlined in this policy.

6. Policy

6.1. Audit Records

6.1.1. Audit records should include the following information: user making the change, date and
time stamp, link to the records, original value, new value and, where possible, the reason
for the change.

6.1.2. Audit records should be retained in a secure location and protected from modification.

6.1.3. The system should provide a warning to assigned personnel when allocated audit record
storage volume exceeds a pre-defined maximum threshold.

6.1.4. System clocks shall synchronize time against authoritative time servers.

6.1.5. Audit records shall be maintained for a minimum of ninety (90) days.

6.2. Configuration Management

6.2.1. Documented baseline configurations based on industry standards shall be created to
ensure that basic security controls are implemented across the environment and minimally
include the following: Malicious code protection, security patch management strategy,
removal of default credentials.

6.2.2. The baseline configuration documents shall be reviewed at least annually for accuracy
and to ensure the relevant and current security controls are included.

6.2.3. An assessment of the security impact of changes to the configuration shall be conducted
prior to the change being implemented.

6.2.4. Only essential capabilities may be included as part of the baseline configuration;
unnecessary ports, protocols, services, and software shall be removed or disabled.

6.2.5. Systems and infrastructure that cannot meet the baseline security control requirements
outlined in this policy shall not connect to the corporate network and must remain
standalone.

6.3. Vulnerability Management

6.3.1. Annual assessment shall be performed to identify vulnerabilities in the computing
environment.

6.3.2. A standard process to document, rate, prioritize, track and mitigate vulnerabilities shall be
implemented.

6.4. Transmissions Controls

6.4.1. Cryptographic Mechanisms shall be used to prevent unauthorized disclosure of Sensitive
Company Information.

6.4.2. Firewalls shall be implemented between public networks and internal systems to restrict
the flow of network traffic to only that which is required.

6.5. Protection of Information at Rest

6.5.1. Cryptographic Mechanisms shall be implemented to prevent unauthorized disclosure and
modification of sensitive information during storage.

6.6. Media Protection

6.6.1. Specific authorization and approval shall be granted prior to using portable media devices.

6.6.2. Approved portable media devices shall be stored in a secure manner.

6.6.3. Media devices shall be destroyed or sanitized using approved procedures once their use
is no longer required.

6.6.4. Chain of custody shall be maintained whenever physically transporting unencrypted
media.

6.7. Manufacturing Systems

6.7.1. Manufacturing systems and infrastructure that do not meet the baseline security controls
required by this policy shall not connect to the network and must remain standalone.

6.7.2. Manufacturing systems and infrastructure that meet the baseline security controls outlined
in this policy shall connect to a separate network segment that is isolated from the
corporate network.

6.8. Monitoring and Compliance

6.8.1. Annual assessments of baseline security controls shall be performed to identify risks and
issues.

6.8.2. Remediation plans shall be reviewed and monitored by the Information Risk Committee.

6.9. Exceptions to Policy

6.9.1. Exceptions to this policy require approval of the Chief Information & Digital Officer and the
Information Risk Committee.

7. Attachments

7.1. None

8. Revision History

Revision No.   Change Description
1              New to MasterControl

Signature Manifest

Document Number: POLICY-0307 Revision: 1


Title: Baseline Security Controls Policy
All dates and times are in UTC.

POLICY-0307 - Baseline Security Controls Policy

DCC Review
Name/Signature | Title | Date | Meaning/Reason
Megan Vernak (MEGAN.VERNAK) | Director, Product Monitoring | 08 Sep 2020, 03:03:10 PM | Approved

Create/Revise
Name/Signature | Title | Date | Meaning/Reason
Elizabeth Bunting (ELIZABETH.BUNTING) |  | 08 Sep 2020, 08:12:49 PM | Complete

Peer Collaboration
Name/Signature | Title | Date | Meaning/Reason
Elizabeth Bunting (ELIZABETH.BUNTING) |  | 08 Sep 2020, 08:14:45 PM | Complete

Doc Control Review
Name/Signature | Title | Date | Meaning/Reason
Elizabeth Bunting (ELIZABETH.BUNTING) |  | 08 Sep 2020, 08:19:45 PM | Complete

Manager Training Approval
Name/Signature | Title | Date | Meaning/Reason
Pat Roche (PAT.ROCHE) |  | 08 Sep 2020, 09:21:26 PM | Approved

Author/Department Approval
Name/Signature | Title | Date | Meaning/Reason
Pat Roche (PAT.ROCHE) |  | 08 Sep 2020, 09:22:38 PM | Approved
Elizabeth Bunting (ELIZABETH.BUNTING) |  | 08 Sep 2020, 09:26:09 PM | Approved

Final QA Approval
Name/Signature | Title | Date | Meaning/Reason
Megan Vernak (MEGAN.VERNAK) | Director, Product Monitoring | 09 Sep 2020, 12:21:46 PM | Approved

Training
Name/Signature | Title | Date | Meaning/Reason
Tom Kowal (TOM.KOWAL) |  | 09 Oct 2020, 04:28:55 PM | Approved

Change Control Approval
Name/Signature | Title | Date | Meaning/Reason
Elizabeth Bunting (ELIZABETH.BUNTING) |  | 09 Oct 2020, 04:38:46 PM | Approved

Set Dates
Name/Signature | Title | Date | Meaning/Reason
Erica Mohamed (ERICA.MOHAMED) |  | 09 Oct 2020, 05:02:24 PM | Approved

Notification
Name/Signature | Title | Date | Meaning/Reason
Elizabeth Bunting (ELIZABETH.BUNTING) |  | 09 Oct 2020, 05:02:26 PM | Email Sent
