Network Security Policy
Cyber Essentials Toolkit: Version 4 ©CertiKit
Implementation guidance The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document This document describes the organisation’s policy regarding how computer networks will be secured and managed.
Areas of Cyber Essentials addressed The following areas of the Cyber Essentials scheme are addressed by this document:
• Control 1: Office Firewalls and Internet Gateways
• Control 2: Secure Configuration
General guidance This document is intended to set out the principles used in designing and implementing the security of your network. There are many ways of constructing networks and you will need to tailor this policy to represent how yours is structured to provide security for your organisation. As this is a policy, the level of detail should not be too specific, but the policy may be supported by lower-level documentation such as network diagrams, firewall rule sets and procedures.
Review frequency Due to the rate of change of technology, we would suggest this document is reviewed at least annually and ideally every six months.
Document fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly. Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
DOCUMENT REF: CYB-DOC-01-1
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]

Revision history
VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution
NAME | TITLE

Approval
NAME | POSITION | SIGNATURE | DATE
Contents
1 Introduction
2 Network Security Policy
3 Conclusion
1 Introduction

The use of networks is an essential part of the day-to-day business of [Organization Name]. Networks not only connect many business processes together internally, but they also link the organisation with its suppliers, customers, stakeholders and the outside world. The organisation’s networks have evolved to become the circulatory system of the company, transporting information to where it needs to go and enabling business to be carried out effectively.

But the fact that so much information runs through our networks makes them a target for those who would try to steal that information and disrupt our business. Therefore, these networks need to be protected to ensure that the security of our vital information is assured.

The effective protection of our networks requires that we adopt good practices in information security covering their design, implementation, operation and management, and that we ensure everyone involved follows these practices. This policy sets out [Organization Name]’s rules and standards for network protection and acts as a guide for those who create and maintain our IT infrastructure.

This policy applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policies and procedures are relevant to this document:
• Mobile Device Policy
• Software Policy
• Anti-Malware Policy
• Password Policy
2 Network Security Policy

At every connection point between the internal network and an insecure external network (such as the Internet), effective measures, such as a firewall, must be in place so that only authorised network traffic is allowed. The firewall must deny all traffic by default and permit only the specific traffic that has been approved.

Where possible, multiple layers of protection will be used so that the failure or compromise of a single device does not expose the network to attack. For example, network firewalls (e.g. on a router) will be supplemented by host-based software firewalls on servers and client computers in order to provide several levels of firewall protection.

Servers that are intended to be accessed from the Internet (such as web servers) must be connected to a separate segment of the firewall (referred to as a De-Militarised Zone, or DMZ) so that traffic between those servers and the internal network is itself filtered. A server in the DMZ must not be able to initiate connections into the internal network unless a specific, approved firewall rule allows it; if such a server is compromised, the attacker is then confined to the DMZ.

Where information is to be transferred over a public network such as the Internet, strong encryption (e.g. TLS 1.2 or later, or an equivalently strong VPN) must be used to protect the data in transit.

Access to wireless networks must be secured using WPA2 or WPA3 with a strong passphrase; WEP and the original WPA (TKIP) must not be used, as both are broken. A guest wireless network may be provided for visitors. This must be separated from all internal networks (including internal wireless networks), either physically or by VLAN, and firewall rules must prevent guest devices from reaching internal addresses. The ability to connect devices to a wireless network using WPS (Wi-Fi Protected Setup), whether by the button on the access point or router or by PIN, must be disabled; the WPS PIN method in particular can be brute-forced. Wireless access point admin logon passwords must always be changed from the default to a strong password.

Network equipment in remote offices will be housed in secure cabinets, which must be locked at all times. Wireless access points located in public areas must be hidden from view where possible and must be placed in positions where access by the public is difficult, e.g. in or near the ceiling. A lockable protective casing must be installed where an access point is located in an unprotected public area, e.g. a car park.

Where there is a requirement for remote access across the Internet to the internal network, a Virtual Private Network (VPN) will be used. Two-factor authentication must be used so that knowledge of a password on its own is not enough to gain access. An authenticator app or hardware token is preferred; codes sent by text message are acceptable only where nothing stronger is available, since they can be intercepted or redirected (e.g. by SIM swapping). Remote access must be granted on an “as required” basis rather than to all users by default, and revoked when it is no longer needed.

Admin passwords on network devices must be changed from the default on installation to a strong password of at least eight characters that is unique to that device. Administration of routers and firewalls must use an encrypted protocol (SSH or HTTPS), never Telnet or plain HTTP. Access to router and firewall settings across the Internet must be restricted to defined IP addresses, or require two-factor authentication, or, where available, both. Such access must be supported by a documented business case which is approved by management; where no such case exists, the administration interface must not be reachable from the Internet at all.
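The default-deny gateway, the DMZ and the restriction of management access to defined addresses described above, expressed as an nftables ruleset. This is an added example and is not part of the CertiKit template or any vendor's configuration; the interface names (wan0, lan0, dmz0), the DMZ range 10.10.10.0/24, the web server address 10.10.10.80 and the admin source addresses 198.51.100.10 and 198.51.100.11 are assumed placeholders to be replaced with the organisation's own. Two-factor authentication on the management interface is enforced by the SSH server or the device's admin interface, not by the firewall, so it does not appear here.

```nft
#!/usr/sbin/nft -f
# Added example (not the CertiKit template's content). Gateway with three
# interfaces; every name and address below is an assumed placeholder:
#   wan0 - Internet-facing
#   lan0 - internal network, 192.168.0.0/16
#   dmz0 - DMZ, 10.10.10.0/24, with the published web server at 10.10.10.80

flush ruleset

define WAN = wan0
define LAN = lan0
define DMZ = dmz0
define LAN_NET = 192.168.0.0/16
define WEB_SRV = 10.10.10.80
# Admin workstations approved (documented business case) to manage the gateway from the Internet
define ADMIN_SRC = { 198.51.100.10, 198.51.100.11 }

table inet filter {
    chain input {
        # Traffic addressed to the gateway itself: deny by default.
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # Management (SSH) only from the LAN or from the listed admin addresses.
        # Telnet and plain-HTTP management are not opened at all.
        iifname $LAN ip saddr $LAN_NET tcp dport 22 accept
        iifname $WAN ip saddr $ADMIN_SRC tcp dport 22 accept

        # Ping from the LAN only.
        iifname $LAN icmp type echo-request accept

        # Log (rate-limited) other connection attempts from the Internet,
        # then fall through to the drop policy.
        iifname $WAN ct state new limit rate 10/minute log prefix "gw-input-drop: "
    }

    chain forward {
        # Traffic between zones: deny by default.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only HTTPS to the published web server (after the DNAT below).
        iifname $WAN oifname $DMZ ip daddr $WEB_SRV tcp dport 443 accept

        # LAN -> Internet: allowed (add egress restrictions here if policy requires).
        iifname $LAN oifname $WAN accept

        # LAN -> DMZ: only the services staff actually need from the DMZ host.
        iifname $LAN oifname $DMZ ip daddr $WEB_SRV tcp dport { 22, 443 } accept

        # DMZ -> Internet: only what the server needs, e.g. updates over HTTPS.
        iifname $DMZ oifname $WAN ip saddr $WEB_SRV tcp dport 443 accept

        # DMZ -> LAN: deliberately no rule. It falls to the drop policy, so a
        # compromised DMZ host cannot initiate connections into the LAN.

        iifname $WAN ct state new limit rate 10/minute log prefix "gw-fwd-drop: "
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Publish the web server on the gateway's public address.
        iifname $WAN tcp dport 443 dnat to $WEB_SRV
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f gateway.nft` and inspect the running rules with `nft list ruleset`. The property worth checking in any such ruleset is that no rule allows the DMZ to open connections into the LAN: that path falls through to `policy drop`, so a compromised web server cannot pivot inwards. Because the match expressions are `ip` (IPv4) only, IPv6 traffic also falls to the drop policy, which is the safe default while IPv6 is not in use.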
Where possible, a single-supplier policy will be used for network hardware. An exception will be made where the use of hardware from multiple vendors increases the level of security provided, e.g. by using two different firewalls in series so that a flaw in one product does not defeat both layers.

Network routing will be based on [Insert manufacturer, for example, Cisco] routers. [Insert manufacturer, for example, Cisco] Gigabit switches will be used as standard for connecting devices to the network. Switch ports will be configured to be disabled until required, so that an unused wall socket cannot be used to join the network. More basic network devices, such as hubs, will not be used: a hub repeats every frame to every port, so any connected device can read all traffic on the segment.

The network protocol IPv4 (Internet Protocol Version 4) will be used on internal networks. However, new network devices purchased must support IPv6 (Internet Protocol Version 6, its successor) in preparation for the future. Where IPv6 is enabled on a device but not in use, it must either be disabled or be subject to the same firewall rules as IPv4, because rules written only for IPv4 leave IPv6 traffic uncontrolled.

The internal network address range used will be 192.168.0.0/16 (192.168.0.0 – 192.168.255.255), one of the private ranges reserved by RFC 1918, which are not routed on the Internet. IP addresses and associated network information for desktop and laptop computers will be automatically assigned using a DHCP (Dynamic Host Configuration Protocol) server.

Only the network protocols and ports that are explicitly required on a specific server will be enabled, in order to reduce the attack surface; everything else will be disabled or blocked by the host firewall. Each enabled service must be supported by a documented business case which is approved by management and reviewed on a regular basis. This is especially true for servers within the DMZ of the firewall(s).
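One way to check servers against the rule that only explicitly required ports are enabled, assuming the approved services and their business cases are recorded in a per-host allow-list. This is an added example, not the template's or any vendor's code; the host names, the `ss` output, the approvals, the dates and the 180-day review interval are all constructed for illustration.

```python
"""Audit a server's listening sockets against its approved service list.

Added example, not part of the CertiKit template. Parses `ss -Hltnup` output
captured on a server (constructed samples are embedded below) and reports every
exposed listener with no approved business case, and every approval whose
management review is overdue. Hosts, ports, owners, dates and the review
interval are all constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date

REVIEW_INTERVAL_DAYS = 180      # assumed meaning of "reviewed on a regular basis"
AUDIT_DATE = date(2024, 6, 1)   # constructed date on which the audit is run


@dataclass(frozen=True)
class Approval:
    proto: str      # "tcp" or "udp"
    port: int
    owner: str      # manager who approved the business case
    reviewed: date  # date of the last management review


# Approved listeners per host. In practice this belongs in the asset register
# or configuration management, not in the script.
ALLOWLIST = {
    "web01.dmz": [  # DMZ web server: HTTPS to the Internet, SSH for administration
        Approval("tcp", 443, "Head of IT", date(2024, 1, 15)),
        Approval("tcp", 22, "Head of IT", date(2024, 1, 15)),
    ],
    "file01.lan": [
        Approval("tcp", 445, "Head of IT", date(2023, 2, 1)),  # review long overdue
        Approval("tcp", 22, "Head of IT", date(2024, 1, 15)),
    ],
}

# Constructed samples of `ss -Hltnup` output from the two hosts.
SS_WEB01 = """\
tcp   LISTEN 0      4096         0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=812,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=600,fd=3))
tcp   LISTEN 0      128        127.0.0.1:6379      0.0.0.0:*    users:(("redis-server",pid=901,fd=7))
tcp   LISTEN 0      511          0.0.0.0:8080      0.0.0.0:*    users:(("java",pid=1200,fd=21))
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=700,fd=9))
"""
SS_FILE01 = """\
tcp   LISTEN 0      50           0.0.0.0:445       0.0.0.0:*    users:(("smbd",pid=410,fd=30))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=600,fd=4))
"""

# proto  state  recv-q  send-q  local-addr:port  peer  [users:(("process",...))]
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

    @property
    def exposed(self) -> bool:
        """Loopback-only sockets cannot be reached from the network."""
        return not (self.addr.startswith("127.") or self.addr in ("[::1]", "::1"))


def parse_ss(output: str) -> list:
    """Parse `ss -Hltnup` lines into Listeners; unrecognised lines are skipped."""
    found = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Listener(m["proto"], m["addr"], int(m["port"]), m["proc"] or "?"))
    return found


def audit(host: str, ss_output: str, today: date) -> dict:
    """Return findings keyed by type: unapproved, review_overdue, not_exposed."""
    approved = {(a.proto, a.port): a for a in ALLOWLIST.get(host, [])}
    findings = {"unapproved": [], "review_overdue": [], "not_exposed": []}
    for l in parse_ss(ss_output):
        desc = f"{l.proto}/{l.port} ({l.process}) on {l.addr}"
        if not l.exposed:
            findings["not_exposed"].append(desc)  # informational: unreachable, but still patch it
            continue
        a = approved.get((l.proto, l.port))
        if a is None:
            findings["unapproved"].append(f"{desc}: no approved business case, disable or document")
        elif (today - a.reviewed).days > REVIEW_INTERVAL_DAYS:
            findings["review_overdue"].append(f"{desc}: approved by {a.owner}, last reviewed {a.reviewed}")
    return findings


def report(host: str, ss_output: str, today: date = AUDIT_DATE) -> str:
    """Human-readable summary of audit() for one host."""
    lines = [f"== {host} =="]
    for kind, items in audit(host, ss_output, today).items():
        lines += [f"  [{kind}] {item}" for item in items]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("web01.dmz", SS_WEB01))
    print(report("file01.lan", SS_FILE01))
```

Run it against each server's captured `ss` output as part of the regular review. An `unapproved` finding means a service is listening with no business case and should be disabled or documented; a `review_overdue` finding means an approved service has not been re-approved within the interval. Loopback-only listeners are reported separately because they are not reachable from the network, although they still need to be patched.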
3 Conclusion Network security is a cornerstone of [Organization Name]’s defences against many of the threats with which we are faced. Only by designing effective security into every new system and network from the beginning can effective control be maintained, and risk reduced. Combined with watchful monitoring of the network itself and the tools put in place to manage it, this should ensure that the number and severity of network security incidents is minimised and our exposure from those that do occur is not as great as it otherwise might have been.