What Belongs in a Network Security Policy
Each organization will develop a policy based on a variety
of factors. Even after exhaustive study and development, the policies need to be
updated as new technologies develop or become financially feasible. Some common
components of a good security policy include the following:
- Statement of authority and scope: Who sponsors and authorizes the policy, as well as whom it impacts.
- Access policy: Defines all access privileges and responsibilities to network assets by specifying acceptable use rules for users, network operations staff, and management. These policies should cover adding devices to a network, adding software to systems, modifying software and OS settings, and how and by whom external connections to the network are to be made. The policies should specify any required connect warning messages about “authorized usage and monitoring.” Parts of the access policy might become part of the acceptable use policy (next).
- Acceptable use policy: Which user practices and behaviors are acceptable and which are not. This policy often covers technologies including telephones, cell phones, pagers, copiers, fax machines, computers, access to the Internet, and so forth.
- Privacy policy: Defines what are reasonable privacy expectations regarding monitoring of e-mail and access to users’ files.
- Remote access policy: Defines how remote users and telecommuters will access the organization’s networks. This policy might be further broken down to cover specific technologies, such as an ISDN access policy, a DSL access policy, and a cable modem access policy.
- Wireless access policy: Defines if and under what circumstances a wireless device or devices can be used with the company network.
- Antivirus policy: Defines which tools will be used and how they’ll be implemented.
- Password policy: Defines what passwords will look like and how often they must be changed, and it should authorize audits of password files to ensure compliance.
- Authentication policy: A more comprehensive form of the password policy that defines a local access password policy and establishes guidelines for remote authentication processes, which might include OTPs (one-time passwords) and the devices that generate them.
- Router and switch security policy: Defines the minimal security configuration for all routers and switches connecting to a production network.
- Availability statement: Defines what users can expect for resource availability. Known risks, redundancy, and recovery issues should be stated. Hours for routine maintenance downtime should be specified, as well as any notification process used before the system is taken down. Contact information for reporting system and network failures should be included.
- Accountability policy: Defines the responsibilities of users, network operations staff, and management. This should cover guidelines for routine monitoring, scheduled and unscheduled audits, and guidelines for incident handling (what to do, what not to do, and who to contact in case an intrusion is suspected).
- IT system and network maintenance policy: Defines how internal and external maintenance people are allowed to handle and access company technology. This should address if, and under what conditions, remote maintenance is allowed and how such access is controlled. If outsourcing is allowed, how it should be managed and the processes that need to be followed should be defined.
- Violations reporting policy: Defines the types of violations that must be reported and to whom the reports are made. Remember, a low-key atmosphere and even anonymous reporting can result in a greater likelihood that a suspected violation will be reported. The policy should include specific contact information for users, staff, and management for each type of policy violation. Guidelines should include how to handle outside queries about a security incident, detailing who should be responding, and defining the procedures depending on where the contact is from. There may be a different policy or contact person when working with an interested third party, law enforcement, or the media. The policy should also define the procedures to follow if the security incident involves information that might be considered confidential or proprietary and, if appropriate, include cross-references to security procedures, company policies, and/or applicable laws and regulations.
Here’s an example. Recently in our area, a policeman was
ordered reinstated with about a year’s full pay and benefits, plus overtime that
would have been earned. While the court agreed that viewing pornography on a
department laptop in a public place was a violation of the AUP in place, it
disagreed with the penalty for a first violation, determining that termination
was too severe. The $86,000 is probably less damaging than the harm done to the
department’s reputation and credibility.