
File Transfer Protocol (FTP) Standard T1-307-PR1

1.0 Purpose and Scope

1.1 The purpose of this document is to describe the requirements for installing and maintaining servers at AECOM.

1.2 From time to time, AECOM requires the ability to deliver data to external parties in a secure, reliable fashion. There must be assurance that data integrity, confidentiality and availability are maintained throughout the transfer. In order to ensure that our process prevents unauthorized access, unauthorized use, and disruptions in service, only technologies which are approved by AECOM will be employed.

1.3 This AECOM FTP Server Standard applies to all AECOM business units, and individuals who employ external file transfer facilities.

1.4 Certain business systems or applications may have stricter requirements based on regulation or business need and may impose stronger standards than those mandated in this document.

2.0 Terms and Definitions

2.1 AECOM IT Environment: Hardware (including , storage devices, peripherals and networking equipment) and software, including applications, operating systems, utilities and tools, used by all employees and 3rd parties in performance of work on behalf of AECOM.

2.2 AECOM Private Network: The AECOM IT Environment that is inside -facing firewalls.

2.3 Certificate Authority: An entity that issues digital certificates.

2.4 File Transfer Protocol (FTP): A protocol used to transfer files over a TCP/IP network.

2.5 FTP Server: A server program that provides file transfer services to client computers.

2.6 FTPS: File Transfer Protocol over a Secure Socket Layer.

2.7 File Transfer Utility: A software program designed to transfer files from one computer to another computer.

2.8 Hyper Text Transfer Protocol Secure (HTTPS): A protocol for accessing a secure web server, whereby all data transferred is encrypted.

2.9 Routable IP Address: An IP address that can be reached by, or routed to by, anyone on the Internet.

2.10 Secure Shell (SSH): A program to log on to another computer over a network, to execute commands or transfer data to the remote machine, providing strong authentication and secure communications over insecure channels.

2.11 SFTP: File Transfer Protocol over a Secure Shell.

2.12 SIEM: Security Information and Event Management (SIEM) is a process that provides log collection, normalization, rules-based correlation, alerting, and reporting. SIEM also provides a consolidated view of security-related system and device activity over a given time period.

3.0 References

3.1 Center for Internet Security (CIS): ://www.cisecurity.org/

3.2 T1-105-PR1, Vulnerability Management Standard

4.0 Standard

4.1 When using file transfer utilities to exchange files with external parties outside of the AECOM Private Network, approved encryption technologies must be used. AECOM has approved the following options: FTPS, SFTP, SSH, and HTTPS. Other encryption technologies may be used if approved by AECOM Information Security. Unsecured FTP shall not be used at any time when exiting the AECOM Private Network or transiting to a routable IP address within the enterprise.

4.2 Additional requirements may be imposed for transfer of certain types of sensitive or restricted data. Regulatory or client requirements must be considered.

4.3 Requirements for hardening file transfer servers are listed below.

FTP Standard (T1-307-PR1) Revision 0 May 2016 PRINTED COPIES ARE UNCONTROLLED. CONTROLLED COPY IS AVAILABLE ON COMPANY INTRANET. Page 1 of 2 © 2016 AECOM Restricted

- At a minimum, the Center for Internet Security (CIS) hardening standards for operating systems shall be applied to any server which allows data to be transferred from the AECOM internal enterprise to the Internet.
- Installing the from an IT approved source.
- Applying all vendor supplied patches.
- Removing unnecessary software, system services, and drivers.
- Setting security parameters, file protections and enabling audit logging.
- Disable anonymous access.
- Where applicable, enable blind put so the sender cannot read the receiving server's directory.
- Vulnerability scan of the system before deployment, and all level 3, 4, and 5 vulnerabilities (as defined in the Vulnerability Management Standard) remediated.
- Inclusion in the monthly vulnerability scanning pool, and a named point of contact identified to the AECOM patching team for remediation issues.
- Logs must be forwarded to the SIEM system.
- Install and keep updated a certificate from the AECOM Certificate Authority. This certificate shall not have an expiration greater than one calendar year from the date of issue.
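The following is an added example, not part of the AECOM standard, showing how several of the section 4.1 and 4.3 requirements (no unsecured FTP, anonymous access disabled, blind put where applicable, certificate lifetime of at most one calendar year) can be checked automatically before a file transfer server is deployed. It assumes a vsftpd-style key=value configuration and uses the real vsftpd directive names anonymous_enable, ssl_enable, force_local_logins_ssl, force_local_data_ssl and download_enable; the two configuration samples and the certificate dates are constructed for the example. The audit deliberately does not rely on the server's built-in defaults: every audited directive must be set explicitly.

```python
"""Audit a file transfer server configuration against the T1-307-PR1 items.

Added example, not part of the AECOM standard. Assumes vsftpd-style
key=value directives; configuration samples and dates are constructed.
"""
from datetime import date
from typing import Dict, List

# Constructed sample: settings that would fail section 4.1 / 4.3.
WEAK_CONFIG = """\
# constructed sample: defaults that violate the standard
listen=YES
anonymous_enable=YES
ssl_enable=NO
download_enable=YES
"""

# Constructed sample: settings that satisfy the audited items.
HARDENED_CONFIG = """\
# constructed sample: explicit values that satisfy the standard
listen=YES
anonymous_enable=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
download_enable=NO
"""

# "Not greater than one calendar year": allow a leap year.
MAX_CERT_DAYS = 366


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().upper()
    return settings


def audit_config(text: str, blind_put: bool = True) -> List[str]:
    """Return one finding per violated requirement; an empty list means compliant.

    Directives that are absent count as violations: the audit requires each
    setting to be explicit rather than trusting the server's defaults.
    """
    cfg = parse_config(text)
    findings: List[str] = []
    # 4.3: anonymous access must be disabled.
    if cfg.get("anonymous_enable") != "NO":
        findings.append("anonymous access enabled (anonymous_enable != NO)")
    # 4.1: unsecured FTP is not permitted; TLS must be on for logins and data.
    if cfg.get("ssl_enable") != "YES":
        findings.append("TLS not enabled (ssl_enable != YES)")
    for key in ("force_local_logins_ssl", "force_local_data_ssl"):
        if cfg.get(key) != "YES":
            findings.append(f"plaintext fallback allowed ({key} != YES)")
    # 4.3: blind put, where applicable, so senders cannot read the drop directory.
    if blind_put and cfg.get("download_enable") != "NO":
        findings.append("downloads permitted on a blind-put server (download_enable != NO)")
    return findings


def audit_certificate(not_before: str, not_after: str, today: str) -> List[str]:
    """Check a certificate's validity window (ISO dates) against the one-year limit.

    Flags a lifetime longer than one calendar year and a certificate that has
    already expired; both require renewal through the Certificate Authority.
    """
    start, end, now = (date.fromisoformat(d) for d in (not_before, not_after, today))
    findings: List[str] = []
    lifetime = (end - start).days
    if lifetime > MAX_CERT_DAYS:
        findings.append(f"certificate lifetime {lifetime} days exceeds one calendar year")
    if now > end:
        findings.append("certificate expired; renew from the Certificate Authority")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(text) or "compliant")
    print(audit_certificate("2016-05-01", "2018-05-01", "2019-01-01") or "compliant")
```

Run against a real server, the configuration text would be read from the server's own configuration file and the dates taken from the installed certificate; the vulnerability-scan, SIEM forwarding and CIS benchmark items in 4.3 are outside what a single configuration audit can verify.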

5.0 Records None

6.0 Attachments None
