network security policies

It is rare that organizations are happy with their security policies. Many will admit to not even having one. To be effective, a security policy should be consistent, relevant, and useable.

Armed with the following information, your organization can either create your first computer network security policy or beef up what you already have. Computer and network security policies define proper and improper behavior; they spell out what is permitted and what is not.

Without a network security policy in place, cybercriminals are more likely to cause a data breach. When structuring your policies, certain types of cybercrime techniques deserve close attention. Due to their popularity among hackers and the difficulties they create for enterprises, incorporating policies surrounding the most common threats is critical.

Before we start, we will cover misconceptions when it comes to setting network security policies.

Common Network Security Policy Misconceptions

A common misconception about network security is that the end goal is to only secure your network of computers. Securing the network is the easy part, however. The ultimate goal should be securing your entire organization.

A key objective of network security is to support the network and computer requirements your business has set, using methods that reduce risk. Security policies are essential in describing what businesses must secure, and the ways they can go about doing it to support their mission. Some tools organizations may use include:

  • Firewalls
  • Virtual Private Network (VPN)
  • Data Loss Prevention (DLP)
  • Network Segmentation
  • Antivirus Software

For any network security tools in use, just remember…security policies should provide a blueprint on what, how, why and by whom. We will dive deeper into this later.

Policy Complexity

Another common misconception is that security policies have to be long and complex to be effective. While we do not want policies to be vague, policies should be the opposite of complex. In fact, complex systems are usually less secure than simple systems. In addition, complex policies are usually ignored.

A good security policy is a set of concise documents, each addressing a specific need. Start by breaking an overall policy into smaller pieces. This will greatly simplify the process of creating effective, consistent, relevant, and useable documents.

This is not to say that the entire set of security policies will or should be just a few pages. This just means that each individual policy should be usable by the target audience.

Policy Review

The last policy misconception is that security policies only have to be written once. Until data breaches and hackers go away completely, managing and evolving security policies never ends.

The threats that organizations face will change over time. As the threats to your business change, so will your company’s business requirements. As the vulnerabilities continue to change, so should network security policies. An outdated policy will be useless against the evolving tactics of cybercriminals. Because of this, the security policy process is never really done. It only lies dormant for a short time.

Network Security Defenses

Network security is an integration of multiple layers of defenses in the network. While there are many different types of network protections, common ones include:

Firewalls: Firewalls put up a barrier between your trusted internal network and untrusted outside networks, such as the Internet. They use a set of defined rules to allow or block traffic. A firewall can be hardware, software, or both. Some solutions offer unified threat management (UTM) devices and threat-focused next-generation firewalls.

Virtual Private Network (VPN): A virtual private network encrypts the connection from an endpoint to a network, often over the Internet. Typically, a remote-access VPN uses IPsec or Secure Sockets Layer to authenticate the communication between device and network.

Data Loss Prevention (DLP): Organizations must make sure that their staff does not send sensitive information outside the network. Data loss prevention (DLP) technologies can stop people from uploading, forwarding, or even printing critical information in an unsafe manner.

Network Segmentation: Software-defined segmentation puts network traffic into different classifications and makes enforcing security policies easier. Ideally, the classifications are based on endpoint identity, not mere IP addresses. You can assign access rights based on role, location, and more so that the right level of access is given to the right people and suspicious devices are contained and remediated.

Antivirus Software: “Malware,” short for “malicious software,” includes viruses, worms, Trojans, ransomware, and spyware. Sometimes malware will infect a network but lie dormant for days or even weeks. The best antimalware programs not only scan for malware upon entry, but also continuously track files afterward to find anomalies, remove malware, and fix damage.

Now that you are understand a few network security defenses, here are some tips on how to get started creating network security policies that are specific to your organization and industry.

Creating Network Security Policies

The first step in writing your policies is to gather a team. Your policy development team should be made up of people who work with your network and the internet but come from different functional areas of the company.

Include some people from the various departments. There is nothing less useful than a painstakingly documented security policy that, when implemented, makes the shipping department unable to track packages, or blocks the sales reps from network resources they need from the road.

Before writing any policies, scope out your business requirements. What regulations apply to your industry? Here are a couple of common ones:

Get familiar with penalties for any non-compliance, as this will help you prioritize your policies and gauge the proper level of discipline for employees who do not adhere to them.

Policy Creation

The first document an organization should draft is a framework which points to each of the policy documents. As the framework draft is created, be sure to specify the initial list of subordinate policies that you should produce next.

Each list will be specific to every organization but will probably include the following subordinate policies:

Computer Acceptable Use: Create a general document covering all computer use by employees and contractors, including desktop, mobile, home PCs, and servers. It is important to regularly apply patches and security updates as they are released. Services that are not in use should also be disabled.

Email: This policy should cover the use of email sent from any company email address and received at any company computer system.

Internet: Internet access policies include automatically blocking of all websites identified as inappropriate for company user. This policy should also include which browsers may be used, how they should be configured, and any other restrictions.

VPN Policy: VPN provides a means to protect data while it travels over an untrusted network. All remote access to the corporate network should be routed through a VPN with a valid corporate-approval, standard operating system, and appropriate security patches. 

Firewall Policy: When a user connects to an insecure open network, such as the internet, they open a doorway for potential risks. One of the best ways to defend against an insecure network is to deploy firewalls at the connection point end.

Incident Response Plan

No policy is complete until it also specifies what to do when defenses fail: what is considered a security incident; who gets called; who is authorized to shut things down if needed; who is responsible for enforcing applicable local laws; who speaks for the company.

A poorly managed incident response plan, to both internal and external audiences, can compound the negative impact of a business interruption. Sparse, inaccurate, or confusing information during an incident not only risks damaging your brand with customers and partners, but it also causes issues that trigger unnecessary and unwelcome scrutiny from compliance regulators.

Flexible Crisis Communications Planning

Most companies tackle the communications outline as part of their larger business continuity plan and disaster recovery planning. Yet, tackling it in a network security policy is key too.

Some name a senior leader as the company’s spokesperson and form an internal team to carry out the details. Others use consultants or vendors who specialize in business continuation planning to lead the effort. Whichever you choose, remember to give the communications plan ample focus and energy before you need it.

Your emergency communications plan must describe how your organization will respond to a business interruption caused by any number of network security incidents.

Paul Kirvan, a business continuity consultant, educator, and author writes in TechTarget.com that an emergency communications plan must be able to:

  • Launch quickly
  • Brief senior management on the situation
  • Identify and inform the company spokesperson of the situation
  • Prepare and issue company statements to the media and other organizations
  • Organize and facilitate broadcast media coverage
  • Provide information about the event and procedural instructions to employees and other stakeholders
  • Communicate with employee families and the local community
  • Adapt to changing events associated with the emergency
Initial Questions to Answer in Your Incident Response Plan:
  • What do you consider a security incident? (You probably will consider web site defacement, or a virus outbreak a security incident. But, is a port scan of all your Internet-facing systems a security incident? How about if they are port scanned once a day for a week? What if you discover the LAN room was left unlocked overnight?)
  • If an incident occurs, who are you going to call? Everyone in the organization should know who to call. Everyone who is on the call list should know what to do with a suspected security incident.
  • When must you call the authorities? Talking with a lawyer or your local police office will help here.
  • Which are your most important systems? Which are most difficult to recover? Which are least important or easiest to recover? If a security incident brings systems down, balancing the importance of each system against how long it takes to recover it will help you prioritize your triage efforts.

LightEdge’s Network Stands Out Above the Rest

When asked about our differentiators against the competition, one of the first answers is always – our network. Our history with network goes all the way back to 1996 when we were founded as an ISP. We spent over two decades making sure our network and infrastructure were scalable, redundant, and secure enough to meet the most challenging IT needs.

Today, we’ve narrowed in our primary focus to our Tier III data centers and compliant cloud offerings, but there’s no doubt our networking heritage still runs strong in all that we execute. All of LightEdge’s facilities and services have been designed around connectivity with proven insight from our networking experts, making us unmatched in the market.

Strengthen your company’s risk mitigation and compliance story with LightEdge’s Managed Security services. With access to LightEdge’s people, processes, and technology, you can reduce vulnerabilities, eliminate blind spots in your security strategy, and quickly respond to security threats when they occur.

LightEdge offers a free risk assessment from our Chief Information Security Officer as a free resource to all of our clients. LightEdge’s highly trained compliance and network security experts take the guesswork out of keeping your business protected. LightEdge’s top priorities include compliance and network security to guarantee that our customer’s data is protected. LightEdge is compliant with:

  • ISO 27001
  • ISO 20000-1
  • SOC 1 Type 2, SOC 2 Type 2 and SOC 3
  • HIPAA
  • PCI DSS 3.2

Have you heard enough? Reach out to one of our LightEdge Network Experts today at: peering@lightedge.com or call 1-877-771-3343.

We have empowered hundreds of organizations across the nation through improved latency, security, and reliability. We are ready to do the same for yours.


Related Whitepaper:

Related Posts

 

Claire Kirk

With a background in compliance & security, cloud hosting, colocation, and business continuity, Claire uses her knowledge and experience to create educational content for end users. A creator at heart, she specializes in B2B marketing with a focus in content creation and technical literacy.