5/2/2021 Network Security

Policy Guidelines

Homann, Laura R.
CNIT 383-583
Table of Contents

ACCEPTABLE USE POLICY................................................................................................................3

USER ACCOUNT MANAGEMENT.....................................................................................................3

NETWORK ACCESS POLICY..............................................................................................................3

INTERNET ACCESS..............................................................................................................................4

SERVER AND DESKTOP SECURITY.................................................................................................4

SOFTWARE LICENSING......................................................................................................................5

MOBILE DEVICES................................................................................................................................5

REMOTE ACCESS.................................................................................................................................5

GUEST ACCESS....................................................................................................................................6

MALWARE PROTECTION...................................................................................................................6

CHANGE MANAGEMENT...................................................................................................................7

Page 2 of 7
 ACCEPTABLE USE POLICY

 All information obtained through network usage is considered protected information and

shall not be shared outside of the organization.

 Sharing of personal information is unacceptable.

 Organization names and images cannot be applied to social media or other media outlets

without authorization.

 Use of company devices for malicious or illegal activity is strictly prohibited.

USER ACCOUNT MANAGEMENT

 Passwords must meet organizational requirements and be updated every 90 days.

o Requirements: minimum 8 characters, include capital letter, special characters, and

non-repeating numerals.

 Sharing of username and password information is prohibited.

 Users will be authenticated and identity must be confirmed prior to establishing a network

username and password.

 Account access is limited to business procedure and shall not be used for personal use.

 All users are required to complete bi-annual risk mitigation meetings and trainings.

 Do not print system items unless absolutely necessary.

 Do not forward internal confidential emails to recipients outside of the organization.

 Accounts with no use in a 60 day period will be locked.

NETWORK ACCESS POLICY

 All users must be employed by the organization. Any exceptions will require pre-approval

from management.

Page 3 of 7
 VPN access is required to access network from outside of the firewall.

 VPN approval and two-factor identification are required for remote network connections.

INTERNET ACCESS

 Internet usage shall be limited to work related activities. And information that can be used to

increase work related knowledge.

 Social media accounts may be accessed through company internet access. Unless the account

is a work sponsored site.

 All downloaded material must be reviewed and approved to maintain network security.

 Internet access may not be used to send confidential or sensitive information.

 Access to offensive, illegal, or volatile information and materials is prohibited.

SERVER AND DESKTOP SECURITY

 Operating systems are defined and administered by Information Technology staff and may

not be adjusted.

 Changes to administrative settings are only allowed by approved Information Technology

staff.

 All devices will be encrypted using a full disk encryption application provided by the

organization.

 Devices must remained locked when not in use.

 Any loss or damage to a device owned by the organization should be reported immediately to

the Information Technology department.

 Software must remain updated, including but not limited to antivirus, firewall, and

encryption applications.

Page 4 of 7
 Installation of any application must be approved by management and installed by a

technology professional.

SOFTWARE LICENSING

 All software must be licensed by the organization and remain up-to-date.

 Installed software is only for use within the organization for work related activities.

 Sharing or licenses or copying software programs for personal use is prohibited.

 Users must connect to the internal network weekly to ensure all patches and changes are

applied to devices.

MOBILE DEVICES

 All mobile devices must be approved by the organization for network use.

 Passcodes must consist of a minimum of 6 digits and be updated every 90 days.

 Two-factor identification is required for network access from areas outside the firewall.

 Loss of any device that is approved for external network access should be reported

immediately.

 Automatic device back-ups should be performed nightly to minimize risk of data loss.

 Applications installed on company owned mobile devices require business approval before

installation on device.

 Staff must complete training on device and network security prior to receiving mobile device

approval.

REMOTE ACCESS

 All staff must attend training and pass assessments for safe external network access prior to

being approved for VPN usage.

Page 5 of 7
 Any device used to access the network must have up-to-date anti-virus protection and remote

reset ability.

 Usernames and passwords may not be shared with anyone, including family members and

must be updated regularly following User Account Management guidelines.

 Devices should be reviewed and approved by Information Technology staff prior to VPN

usage.

 Staff are responsible for the security of their personal devices and will be held accountable

for any information reaches that may occur due to inappropriate usage.

GUEST ACCESS

 Guest access is limited to individuals and contractors who require network access to

complete steps related to contractual obligations.

 All guest will submit applications for access and be evaluated on a case-by-case basis.

 Guests are required to abide by password and network security guidelines and policies.

 Guest accounts that have not been used in a 7 day period will be automatically disabled.

MALWARE PROTECTION

 Any device used to access network information, both inside and outside the organization

must have up-to-date antivirus and antimalware software installed.

 Internal devices should be connected to the internet at all times to ease installation of

antivirus and antimalware updates.

 External devices must be connected to the network weekly to verify all updates are installed

and the newest protection is applied to the device.

Page 6 of 7
 Failure to maintain up-to-date protection will result in restricted access to the network until

device has been updated.

CHANGE MANAGEMENT

All network or application changes will follow a five-stage change management procedure.

 Step 1: Initiate and Administrate

o Create and document the planned change as a formal change request.

 Step 2: Review and Authorize

o The change is reviewed and approved. The level of review is dependent on the

change request type and the risk/impact.

 Step 3: Coordinate

o If the change request risk/impact is major or significant, the change request requires

Change Approval Board review prior to implementation.

 Step 4: Implement

o The change is deployed into the controlled testing environment. Testing must be

complete and documented prior to migration of change to production environment.

 Step 5: Close and Audit

o The post implementation review is assessed and the formal change request is closed.

Page 7 of 7