Network Management Policy, version 1.0.0

Purpose

The purpose of the (District/Organization) Network Management Policy is to establish the rules for the maintenance, expansion, and use of the network infrastructure.

Audience

The (District/Organization) Network Management Policy applies to individuals who are involved in the configuration, maintenance, or expansion of the (District/Organization) network infrastructure.

Policy

General

  • (District/Organization) IT owns and is responsible for the (District/Organization) network infrastructure and will continue to manage further developments and enhancements to the infrastructure.
  • To provide a consistent network infrastructure capable of leveraging new networking developments, all cabling must be installed by (District/Organization) IT or an approved contractor.
  • Information security requirements must be included in any new information system or enhancements to the existing system.
  • Appropriate technical solutions must be implemented to protect Confidential information from unauthorized transfer, modification, or disclosure (e.g. next-gen firewalls, IDS/IPS, DLP).
  • A map or diagram of the network and data flow, including external connections, must be maintained. This map or diagram must be updated after any changes to the network occur. This diagram should be reviewed every 6 months to ensure it continues to represent the network architecture.
  • All systems on the network must be authenticated. Connections to the network must be authorized by IT.
  • All hardware connected to the (District/Organization) network is subject to (District/Organization) IT management and monitoring standards.
  • Documented baseline configurations must be maintained for all Information Resources that create, collect, store, and/or process confidential or internal information, and all network-connected resources must be configured to these specifications.
  • Operating procedures for activities associated with information processing must be documented and made available to personnel who need access to them.
  • Resource usage must be monitored to ensure the required system performance.
  • Information processing facilities must address redundancy sufficient to meet availability requirements.
  • Changes to the configuration of active network management devices must be made according to the Change Control Policy.
  • The (District/Organization) network infrastructure supports a well-defined set of approved networking protocols. Any use of non-sanctioned protocols must be approved by (District/Organization) IT Management.
  • All connections of the network infrastructure to external third-party networks are the responsibility of (District/Organization) IT.
  • Groups of information services, users and information systems must be segregated on the network. The perimeter of each domain should be well defined and based on the relevant security requirements.
  • Network devices must be installed and configured following (District/Organization) implementation standards.
  • The use of departmental network devices is not permitted without written authorization from (District/Organization) IT Management.
  • Personnel are not permitted to access or alter existing network hardware in any way.

Wireless Networking

  • All wireless access points or devices that provide access to the (District/Organization) wireless network must be approved by management.
  • Wireless access points must be placed in secure locations.
  • Wireless networks must be segmented using appropriate technical controls.
  • Authentication settings (passwords, encryption keys, etc.) must be changed on a periodic basis, any time it is suspected that such information has been compromised, and whenever anyone with knowledge of the information leaves the organization.
  • All wireless network traffic must be encrypted in accordance with the (District/Organization) Encryption Policy and supporting standards, regardless of information sensitivity.
  • The (District/Organization) Wireless Network must not be used inappropriately; in particular, persons must not use the network to:
    • Intercept or attempt to intercept other wireless transmissions for the purposes of eavesdropping.
    • Access or run utilities or services which might negatively impact the overall performance of the network or deny access to the network, e.g. RF jamming, Denial of Service (DoS).
  • (District/Organization) wireless network users must not tamper with network access points or security settings.
  • Users must not connect to another wireless network and the (District/Organization) wireless network simultaneously.
  • (District/Organization) will conduct scans of wireless access points and identify all authorized and unauthorized wireless access points at least quarterly.

Definitions

See Appendix A: Definitions

References

  • ISO 27002: 6, 9, 11, 12, 13, 17
  • NIST CSF: PR.AC, PR.DS, PR.IP, PR.PT, DE.CM
  • (District/Organization) Change Control Policy
  • (District/Organization) Vulnerability Management Policy
  • (District/Organization) Asset Management Policy
  • (District/Organization) Identity and Access Management Policy
  • (District/Organization) Encryption Policy

Waivers

Waivers from certain policy provisions may be sought following the (District/Organization) Waiver Process.

Enforcement

Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties. 

Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.

Version History

Version | Modified Date | Approved Date | Approved By | Reason/Comments
1.0.0 | February 2018 | | SecurityStudio | Document Origination
