Although it is
Your encryption security policy should define not only the supported encryption standards you will use to protect data across your network, but also the encryption mechanisms and standards you will use to protect the data on your servers or with your applications (for example, encrypting e-mail messages). Your encryption policy should also define the types of data that require encryption to ensure that everyone
Your analog/ISDN security policy should define the various analog line devices such as modems, fax machines, and computer connections. It should contain a procedure that defines how this type of access should be
Your antivirus policy should address running virus protection on all your desktops and servers as well as your e-mail servers and gateway systems. In addition to defining where to run virus protection, your antivirus policy should provide specific configuration requirements, including requiring on-demand scanning, regularly scheduled scanning operations, and periodic updates and upgrades. Your antivirus policy should also provide information regarding blocking e-mail attachments as well as a statement preventing disk sharing and downloading of unauthorized files.
Your audit, vulnerability assessment, and risk assessment policy should define the procedures and tools that will be used for auditing and testing your network. It should address questions regarding obtaining the
Your dial-in policy should require that all users explicitly request dial-in access and that all
Your DMZ policy should define the configuration requirements of all systems that exist in the DMZ, including disabling services and defining the types of equipment that can be placed in the DMZ. Your DMZ policy should require that systems in the DMZ be patched in a more rapid fashion than other systems, due to their close proximity to external threats, and identify who is responsible for the equipment to ensure this occurs. Your DMZ policy should also define how remote administration will be performed, if it is permitted at all, to ensure that only secure remote administration occurs. All communications between systems on the internal network and the DMZ should also be defined in this policy, requiring secure content updates, and so on. Your DMZ policy should define an exhaustive and
Your extranet policy should define that all extranet connections require a security review and business case to justify them. Your extranet connections should also require a point of contact for all remote connections and should grant access only to the specific resources required for the extranet users to perform their jobs. All traffic traversing the extranet connections should be encrypted to prevent eavesdropping on the data. Finally, your security policy should require that any network diagrams and documentation be updated prior to any new devices being implemented.
Your wireless communications policy should define the equipment that will be used and require that all wireless equipment be registered with the information technology (IT) department to allow for easier tracking of these resources. Your wireless communications policy should require not only explicit authorization from IT for all wireless access, but also a business case and justification for granting access. It should also define the encryption and authentication requirements of all wireless connections. Your service set identifier (SSID) should not contain any organizational information because SSIDs are easily read by external users, which would allow them to know that they found an access point on your network. Because wireless networks are so
Your VPN policy should specify the permitted hardware, software, technologies, and protocols used to provide VPN access to your network. It should define the encryption and authentication mechanisms that will be used to secure the VPN. In addition, it should clearly state that only authorized users are allowed to use the VPN connection, and it should assign to the users the responsibility for ensuring this occurs. The policy should also define how the VPN connection will be established, identifying whether split tunneling is permitted, what the idle timeouts are, and whether the user can access local resources and VPN resources at the same time. Your VPN policy should also require that all remote systems
Your firewall security policy should define the network- and software-based firewalls that should be implemented on your network. It should also define the types of firewalls that will be implemented and how they should be configured, including what services and protocols will be run. Details regarding ingress and egress filtering, including configuration examples, should also be defined in the policy. In addition, your policy needs to define how remote administration should be performed and what authentication mechanisms and logon banners should be used. Finally, your security policy should require that any network diagrams and documentation be updated prior to any new devices being implemented. We will look at hardening firewalls in much more detail in Chapter 3.
Your router and switch security policy should define how your routers and switches should be configured and deployed throughout your network. The types of remote administration and authentication mechanisms, including logon banners, should be defined. In addition, permitted protocols and services should be identified with configuration requirements, and
Your remote access policy should define the types and
Your password policy should define the requirements not only of passwords but for SNMP community strings, preshared keys, and any other manual/text-based authentication mechanism that exists on your network. The password policy should define the minimum lengths of passwords, how often passwords must change, whether passwords can be reused, whether a user must log on to change their password, and how many incorrect passwords are required for an account lockout. It should also stipulate what the password requirements are (for example, requiring
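As an added example (not code from the book), here is a small Python checker that enforces the parameters the password policy above says must be defined: minimum length, character classes, reuse history, rotation age, and the failed-logon count that triggers lockout. The policy values, the salt, and the hash construction are assumptions made for the example.

```python
from dataclasses import dataclass, field
import hashlib
import hmac
import string

@dataclass
class PasswordPolicy:
    min_length: int = 12        # minimum password length (constructed value)
    max_age_days: int = 90      # how often passwords must change
    history_depth: int = 5      # how many previous passwords may not be reused
    min_classes: int = 3        # upper/lower/digit/symbol classes required
    lockout_threshold: int = 5  # failed attempts before the account locks

def pw_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; a deployed system would use a
    # slow password hash such as bcrypt or argon2 with a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def char_classes(password: str) -> int:
    """Count how many of the upper/lower/digit/symbol classes are present."""
    groups = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(c in g for c in password) for g in groups)

def password_violations(policy, candidate, salt, history):
    """Return the policy rules a proposed new password breaks (empty list = OK)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if char_classes(candidate) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    new_hash = pw_hash(candidate, salt)
    recent = history[-policy.history_depth:] if policy.history_depth else []
    if any(hmac.compare_digest(new_hash, h) for h in recent):
        problems.append(f"reused within last {policy.history_depth} passwords")
    return problems

def needs_rotation(policy, age_days: int) -> bool:
    return age_days >= policy.max_age_days  # password has reached its maximum age

@dataclass
class LoginTracker:
    """Counts consecutive failed logons per user and reports when lockout applies."""
    policy: PasswordPolicy
    failures: dict = field(default_factory=dict)

    def record_attempt(self, user: str, success: bool) -> bool:
        if success:
            self.failures[user] = 0      # a successful logon resets the counter
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.failures[user] >= self.policy.lockout_threshold
```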
Your IDS/IPS security policy should define how your IDS/IPS should be deployed as well as where it should be located. It should also define the types of traffic you are going to monitor for and what actions will be taken when a specified traffic pattern has been identified. Your IDS/IPS security policy should also address remote administration and authentication of users authorized to manage the system. In addition, the security policy should define how often the signatures are updated and provide a mechanism for implementing high-risk signatures in a rapid fashion. The policy should also address what type of auditing and reporting will be performed on the system and who is authorized to view the
Your content-filtering/Internet policy should define who is allowed to access the Internet and what types of access are permitted. In addition, the policy should identify the
Your enterprise-monitoring policy should define the monitoring and management protocols and technologies that will be used on your network, including SNMP, RMON, NetFlow, and Syslog. The policy should require that all management occur using secure and authenticated sessions, where possible, and IPsec encapsulation in all other cases. The policy should also define the logging policy for all resources on your network, including who can review the logs and what gets done with the information in the logs. The policy should identify the types of network events that may occur and what to do when an event is triggered. The management stations that are allowed to monitor your network should also be defined in your policy as well as who has access to those management
The acceptable-use policy (AUP) is one of the most important policies on your network because it defines what the acceptable usage of organizational resources is. The policy should define, among other things, whether users can share passwords; install applications; copy data for archiving or other purposes; use instant messaging
Your network connection policy should address the connectivity of devices on the network, including what types of devices can be connected to the network, who can connect the devices to the network, and what the process is to request a device be connected to your network. The policy should also define what to do in the event that a network device is down or
Your network documentation policy should define who is responsible for keeping your network documentation and diagrams up to date. It should also define where and how the diagrams are stored and who has access to the information. It should also define the data classification that all your network documentation and diagrams should be considered as. For example, your network diagrams are as