Network security experts agree that well-run corporations need a written security policy. This document lays down a comprehensive network security policy that will be compliant with the company’s WAN structure. It should be noted that network, security considering the magnitude and significance of the issue, should be the responsibility of a dedicated individual –The Information Security Officer as accountability is a key aspect in the effective and successful implementation of the policy. The human resources management division should make sure that all policy instructions and guidelines are communicated to all members of staff using the Internet (including e-mails) and other network facilities and that all policy requirements are complied with. An effective code of conduct guidelines aligned with organizational information security policies in terms of network usage needs to be developed and approved by the management and should be adhered to by all employees.
The Network Security Policy
The network security policy presented in this document has been divided into three parts. The first part deals with issues concerning network hardware and peripherals. The second section deals with access control issues and the third section goes into the details of information and document usage and processing.
Hardware and Peripherals
All procurement of new hardware systems or new peripherals for already present systems has to be compliant with Information security and aligned with organizational policies and technical norms. Requests for purchases should be founded on User Requirement Specifications and should be by business objectives.
All purchase requests must be structured in the form of a Request for Procurement document and this should be thoroughly evaluated before the purchase process.
All supplies should be properly and effectively tested and accepted as per standards before being put into operational use.
An Uninterruptible Power Supply failsafe mechanism has to be designed and implemented to maintain continuous power supply to critical equipment.
Use of public telephone lines through modems/ ISDN/ DSL connection for transmission of sensitive and confidential data will be permitted only in case more secure transmission channels are exhausted and the transmission has to be authorized by both the sender as well as the recipient.
A dedicated team constituted by proficient engineers should be accountable for the installation and maintenance of network cabling to warrant the reliability of cabling and other network hardware. All unexploited wall sockets are to be sealed off with proper documentation of their status.
Usage of removable media such as Diskettes and CD’s will be restricted to authorized personnel only for the installation, modification, and up-gradation purposes. Other individuals are required to seek authorization before removable media usage.
Any movement of hardware equipment between organizational sites is to be executed and monitored by authorized personnel only.
Individuals using business center facilities provided by service providers for organizational business purposes should ensure organizational security by removing or deleting relevant data entered into such systems.
Access Control
Access Control norms for networked systems must be carefully designed and approved by the management of the organization. These norms need to strike a balance between restrictions to ensure protection against illegitimate access and unimpeded access to achieve business goals.
Access rights or privileges to network systems would be granted to authorized personnel based on requirements and would be recorded in a highly confidential document such as the Access Control Logs.
Persons using networked systems should always secure their workstations before leaving them.
The choice of passwords, their usage, and management as the principal means of access control approaches should strictly be following best practice procedures. Above all, the password should not be shared with any person in any situation.
Physical access to highly sensitive sites is to be strongly protected through stringent identification and authentication processes.
All-access to network systems is to be logged and tracked to safeguard against potential abuse.
Remote access control procedures should make use of rigorous identity detection, authentication, and encryption processes.
Information Processing
All systems hardware, software, and communication networks should be appropriately configured and effectively protected both against unauthorized physical as well as networked intrusion.
Persons using the networked system should take great precautions while downloading data and files from the internet to protect systems against harmful content.
While transmitting sensitive or confidential information the use of digital signatures wherever feasible is encouraged.
E-mail usage is strictly restricted to business purposes and terms and conditions of the usage policy should be compatible with other modes of business communication. Attachment of data with the e-mail will only be permissible after acceptance of information classification and scanning for viruses or other harmful codes.
Inward-bound emails are to be handled with utmost precaution because of the intrinsic information security risk associated with them. Attachments should be scanned for harmful content before the opening of emails.
Data retention durations are in strict accordance with legal and business needs and all employees must comply with such norms.
Unsolicited emails are to be handled with care and should not be communicated with.
Personnel in charge of handling intranet, extranet, and internet access should make sure that the organizational network is protected from harmful external interference by installing at least an adequately configured firewall.