
Logo Information Technology Department

Procedure Document

Network Security Policy

Version 3.0
<Date>

History Log
Version Date Author
Draft Version 3.0 Aug 2014 ControlCase

Network Security Policy Page 1



Contents
1. Purpose (page 3)
2. Scope (page 3)
3. Policy (page 3)




1. Purpose

The purpose of this policy is to ensure the protection of <NAME OF THE ORGANIZATION>'s IT network by setting out requirements for its secure management and to comply with the organization's various business, contractual and legal requirements.

2. Scope

This policy applies to all network systems and devices connected to <NAME OF THE ORGANIZATION>'s network and to all personnel using the network.

3. Policy

3.1 <NAME OF THE ORGANIZATION> administrators shall maintain up-to-date network diagrams that show the location of each network security device and its connections to other systems/devices. The diagrams shall also depict the data flow through these devices.

3.2 <NAME OF THE ORGANIZATION>'s information processing shall take place on a secure network.

3.3 <NAME OF THE ORGANIZATION>'s IT network shall be secured against unauthorized access and intrusion to protect against breaches of the confidentiality, integrity and availability of information.

3.4 Any configuration change shall follow the change management process, with proper approval obtained before the change is implemented, and all changes shall be documented.




3.5 All traffic between <NAME OF THE ORGANIZATION> and external networks, outbound and inbound, must pass through a firewall. The firewall shall not serve as a general-purpose host or run features that weaken security (telnet, rlogin, etc.). The firewall shall filter traffic by verifying the source and destination IP addresses.

3.6 A firewall shall be configured at every network interconnection to control all traffic entering and leaving the organization's network. All communication with <NAME OF THE ORGANIZATION> resources shall pass through a firewall. Firewalls should be configured:

- At each Internet connection.
- Between any DMZ and the internal network zone (PCI DSS 3.0 Reference: Req 1.1.4a).

3.7 Intrusion detection or prevention systems (IDS/IPS) shall be installed at all critical points of <NAME OF THE ORGANIZATION>'s network segments, where critical systems are placed, to monitor inbound and outbound traffic.

3.8 The information security team shall be responsible for identifying security requirements and defining the relevant network security standards.

3.9 The network administration team shall be responsible for implementing the standards and maintaining the network security requirements as defined by information security engineering.

3.10 The information security team shall define and maintain the security standards for all network devices, such as firewalls, routers, switches, IDS/IPS, VPNs, etc.

3.11 All network devices shall be configured in accordance with the defined security standards.




3.12 The information security team shall carry out a rule set review of firewalls and routers once every six months. All vulnerabilities/security issues identified during these checks shall be resolved by the network administration team. Any obsolete or outdated access rule identified should be removed from the firewall and router (PCI DSS 3.0 Reference: Req 1.1.7a).

During this semi-annual review it shall be verified that the list of services/ports allowed by the access rules on firewalls and routers is up to date in the 'Firewall Configuration Standard' and 'Router Configuration Standard' documents.

3.13 The network administration team shall ensure that all networking devices, system components and software have the latest vendor-supplied security patches installed. Critical security patches shall be installed immediately after release.

3.14 All external connections to <NAME OF THE ORGANIZATION> networks, i.e., connections between a <NAME OF THE ORGANIZATION> network and a non-<NAME OF THE ORGANIZATION> network such as the Internet, shall be protected by a firewall.

3.15 All sensitive data (e.g. cardholder data) transmitted over public channels/Internet connections shall always be encrypted to secure the data communication.

3.16 All network and security components shall be configured to produce audit logs for necessary and continual security monitoring, as per <NAME OF THE ORGANIZATION>'s Audit Logging and Monitoring Policy.

3.17 Access to network components and security devices shall require strict access control and authentication as per <NAME OF THE ORGANIZATION>'s Access Control Policy.




3.18 Remote management of critical servers and network components shall only be done through properly encrypted channels.

3.19 Remote access to <NAME OF THE ORGANIZATION>'s network shall be allowed only for authorized users with a business need, and such access shall always use two-factor authentication.

3.20 Network redundancy shall be built into the environment as per business requirements.

3.21 Network components and the cabling of <NAME OF THE ORGANIZATION>'s network shall be protected as per <NAME OF THE ORGANIZATION>'s Physical Security Policy.

3.22 The network team shall prepare, update and maintain diagrams showing the entire network connectivity of <NAME OF THE ORGANIZATION>. The network diagram shall be updated at least annually and/or after changes to the network architecture, as required to keep it current (PCI DSS 3.0 Reference: Req 1.1.1b).

3.23 The documentation required to support all activities related to network and security components shall be produced and maintained.

3.24 Single points of failure and the number of entry points into the <NAME OF THE ORGANIZATION> network shall be minimized.

3.25 Remote configuration of the network shall be managed only through an authorized management workstation.

3.26 Access to system control utilities (e.g. scripts, batch files) should be controlled. These utilities shall be installed on the PCs of, and are intended for use by, the network administrators/IT support staff to assist end users in resolving problems.

3.27 Access to these utilities shall be limited to network administrators/IT support personnel only. These utilities should always be used only after seeking permission from the user concerned.

3.28 While connected to the LAN, desktops and laptops shall not be connected simultaneously to a modem/Internet data card and the LAN.

3.29 Information Security Engineering shall impose adequate security controls to protect the network before hardware and remote-control communication software is installed.

3.30 The use of communication equipment (modems, ISDN cards, data cards, etc.) attached directly to personal computers is strictly prohibited within <NAME OF THE ORGANIZATION>'s premises.

3.31 All network equipment default passwords shall be changed by the administrator at the time of installation.

3.32 The host operating system shall validate each user before allowing network access through SSH. Once authorized, users shall get access only to those systems for which they have been authorized.

3.33 Employees shall avoid accessing areas of <NAME OF THE ORGANIZATION>'s network for which they do not have a valid business need. While networks are intended to share information, it is each user's responsibility to exercise judgment over the information they access.

3.34 Mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees) that are used to access the organization's network shall have personal firewall software installed and active, which must be configured by the organization to specific standards and not be alterable by the employee (PCI DSS 3.0 Reference: Req 1.4.a).

<NAME OF THE ORGANIZATION> prohibits mobile and/or employee-owned computers with direct connectivity to the Internet from being used to access the organization's network (PCI DSS 3.0 Reference: Req 1.4.a).

(Template instruction: if the organization prohibits employee-owned computers with direct connectivity to the Internet from being used to access the organization's network, use this statement and delete the point above relating to the use of a personal firewall.)

The <Name of the Responsible area> is the owner of this document and is responsible for ensuring that this policy document is reviewed in line with the review requirements stated above.

A current version of this document is available to all members of staff.

This policy was approved by TITLE and is issued on a version-controlled basis under his/her signature.

Signature: Date:
