A network security policy is a document describing a company's strategy for maintaining the confidentiality, integrity, availability and traceability (CIAT) of its network assets. It is one of the most important parts of the root policy, which in most cases is the information security policy.
In this post I will briefly outline the necessary parts of a network security policy and the details you may want to focus on.
The information security policy states the methods used to meet the globally acknowledged information security objectives:
- Confidentiality - Only authorized persons should have access to information
- Integrity - Information should maintain its intended form
- Availability - Information should be available whenever it is required by an authorized person
- Traceability - The actions of a person should be traceable solely to that entity
In an ideal situation, on your first day at the job you will be 'greeted' with an existing information security policy, including a list of the company's assets, risk assessment methods, types of information, access levels, etc. But what if you are required to create a network security policy in a large company without root documents or guidelines, and there are no lists or maps of network assets? Well, you might have to work harder and smarter than you thought.
Before you begin working on the network security policy, make sure your work is coordinated with the CISO and the company's stakeholders. Without that coordination your work may be doomed to fail, even if the final version looks great.
The first step in securing something is to know what it is you intend to secure. Yes, we want to secure the company's asset called "the network", but what are its components? What are the smaller assets and parts that make the network a NETWORK?
Depending on the company, the first and hardest part of understanding the network structure is communicating with the network administrators. In order to research the network's components you will have to maintain good communication with the network administrators and with the employees who take part in network monitoring. Advice:
- Don't be afraid to ask questions, even those you think will make you look like a non-professional. Ask every question that might give you a complete understanding of a matter, or a hint about an asset you never knew existed.
- Remember that there is no way you could already know the network assets of a company you have just joined.
- Handshake before email - The most vital part is to introduce yourself, in person, to the employees you will need information from. A proper handshake makes the later email communication less awkward and thus more comfortable.
- Always keep in mind that you are paid to gain knowledge of the company's assets.
- Keep communication formal - send emails to the respective employees and CC your boss, in most cases the CISO, if the company's policy allows it.
In an ideal situation, at some point (the sooner the better) you will have a list of all network assets (routers, switches, servers, etc.) with the threats applicable to each based on its configuration, and the risk levels that you will have to assign yourself.
In my opinion the most appropriate risk assessment method uses annual loss expectation (ALE), single loss expectancy (SLE) and annualized rate of occurrence (ARO):
- ALE - How much loss you can expect in a year
- SLE - How much you can expect to lose from a single occurrence
- ARO - The rate at which an event may occur in a year
The formula is ALE = SLE x ARO.
Let me explain this method with an example:
You are developing a network security policy for a large company. One of your company's network assets, for example a web server, generates $25,000 per hour in revenue. The probability of this web server failing during the year is 25% (the probability may be calculated from the average number of occurrences in past years). A failure might lead to three hours of downtime and cost $5,000 in components to correct. So what would the ALE be?
The SLE is $80,000 ($25,000 x 3 hours + $5,000) and the ARO is 0.25. Therefore the ALE is $20,000 ($80,000 x 0.25), meaning that your company should expect a $20,000 loss per year from this asset.
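The calculation above, carried through in code as an added example (it is not part of the original post). It goes a little beyond the post's single asset: the ARO is also estimated from a constructed history of past failures, as the post suggests, and several assets are ranked by ALE so mitigation effort goes where the expected loss is highest. The core switch figures and the failure history are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class NetworkAsset:
    """A network asset described by the figures the post's risk method needs."""
    name: str
    revenue_per_hour: float   # revenue the asset generates per hour
    downtime_hours: float     # hours of downtime one failure causes
    repair_cost: float        # one-off cost of components/labour to recover
    aro: float                # annualized rate of occurrence (expected failures per year)


def single_loss_expectancy(asset: NetworkAsset) -> float:
    """SLE: cost of one failure = revenue lost during downtime + repair cost."""
    return asset.revenue_per_hour * asset.downtime_hours + asset.repair_cost


def annual_loss_expectancy(asset: NetworkAsset) -> float:
    """ALE = SLE x ARO: expected loss caused by this asset per year."""
    return single_loss_expectancy(asset) * asset.aro


def aro_from_history(failures_per_year: list[int]) -> float:
    """Estimate the ARO as the average number of failures observed per past year."""
    if not failures_per_year:
        raise ValueError("need at least one year of history to estimate the ARO")
    return sum(failures_per_year) / len(failures_per_year)


def rank_by_ale(assets: list[NetworkAsset]) -> list[tuple[str, float]]:
    """Order assets by ALE, highest first, to prioritise mitigation."""
    return sorted(
        ((a.name, annual_loss_expectancy(a)) for a in assets),
        key=lambda pair: pair[1],
        reverse=True,
    )


# The web server from the post: $25,000/h, 3 h downtime, $5,000 repair, ARO 0.25.
WEB_SERVER = NetworkAsset("web-server", revenue_per_hour=25_000,
                          downtime_hours=3, repair_cost=5_000, aro=0.25)

# Constructed sample: a core switch with a failure history of four past years
# (0, 1, 0, 1 failures), which gives an estimated ARO of 0.5.
CORE_SWITCH = NetworkAsset("core-switch", revenue_per_hour=25_000,
                           downtime_hours=1, repair_cost=12_000,
                           aro=aro_from_history([0, 1, 0, 1]))

if __name__ == "__main__":
    for name, ale in rank_by_ale([WEB_SERVER, CORE_SWITCH]):
        print(f"{name}: ALE ${ale:,.0f}")
```

The SLE and ALE functions are kept separate on purpose: the SLE is what you negotiate with the asset owner (downtime and repair figures), while the ARO is what the failure history or threat assessment supplies, and the policy's risk table should show both so readers can see which input drives each figure.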
Writing a Policy
The first part of the policy defines its purpose. In this section you state the company's general strategy towards network security, in other words the will of the stakeholders that network assets shall be secured and risks mitigated in order to maintain the confidentiality, integrity and availability of network assets. You should define in detail what CIAT means with regard to network assets. It is also good practice to define minimum security requirements that apply to every network asset (encrypted connections, no unauthorized access).
Define who will use your policy and which area of the company is covered by your document. Usually the scope includes employees, contractors, temporary workers, network devices and the types of communication.
Risk Assessment Methods
In this part you simply copy the risk assessment document into the network security policy. Keep the copied material in a simple and understandable form; there is absolutely no need for a mass of text, rows or columns. Simpler = Better.
This is the major part of your document. It should set out the details of network security. Details might include:
- Which user authorization methods are acceptable in the network? TACACS+ or RADIUS?
- The syslog server should always be up and backed up
- All communications should be encrypted, but how?
- The network should be protected with a firewall and network blades. Which firewall?
- Who are the major manufacturers of the network equipment? CISCO or Huawei? In which network segment, and why?
- Who has root access or secret access to routers and switches?
- Which services should the network never use? Say NO to telnet and embrace SSHv2; keep in mind, however, that SSHv1 and SSHv2 don't stack, so use one of them.
- All network devices should use login banners. Consult the company's legal department and draft a single, easy-to-understand network banner stating that unauthorized access to the equipment is prohibited.
- How are access lists created, and who manages them?
- IDS and IPS management
These are the major topics you will have to deal with in this section, but of course there is much more to include depending on your company's infrastructure and requirements.
Policy Enforcement
To make a policy useful you need to enforce it. In this section define how you will enforce your policy. Start with the network administrators: ask them to configure the network assets according to your policy and negotiate the dates. Require the applicable parties to provide you with a weekly, daily or monthly report describing which parts of the policy have been implemented.
Monitoring and Audits
To ensure that the policy is working as you intended, you will have to monitor how it works and conduct audits every 6 months. How the audits are conducted is entirely up to you and your company; it is good practice, however, to test network assets for proper configuration and to maintain a separate document recording the pros and cons of each configuration. Keep in mind that your security policy will require regular amendments, and "Network Security Policy v1.0" will probably not be the final one.
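One way to test network assets against the policy items listed above (AAA via TACACS+ or RADIUS, a syslog server, SSHv2 only, no telnet, a login banner), as an added example that is not part of the original post: a small audit script that checks a device's running configuration against a rule table and lists the items it fails, which is exactly the material the separate audit document needs. The two configurations are constructed samples in IOS-style syntax; that syntax, the IP addresses and the hostnames are assumptions, so adapt the patterns to the platforms in your own asset list.

```python
import re

# Constructed, IOS-style configuration of a device that follows the policy.
COMPLIANT_CONFIG = """\
hostname core-rtr-1
aaa new-model
aaa authentication login default group tacacs+ local
tacacs server tac1
 address ipv4 10.0.0.10
logging host 10.0.0.20
ip ssh version 2
banner motd ^C
Unauthorized access to this device is prohibited.
^C
line vty 0 4
 transport input ssh
 login authentication default
"""

# Constructed sample of a device that breaks several policy items:
# no AAA, SSHv1, telnet allowed on the vty lines, no banner.
NON_COMPLIANT_CONFIG = """\
hostname edge-sw-7
logging host 10.0.0.20
ip ssh version 1
line vty 0 4
 transport input telnet ssh
 login local
"""

# Each rule: (policy item, regex that must match, regex that must NOT match).
# Patterns are matched line by line (re.MULTILINE) against the whole config.
RULES = [
    ("AAA via TACACS+ or RADIUS",
     r"^aaa authentication login .*group (tacacs\+|radius)", None),
    ("central syslog server configured", r"^logging host \S+", None),
    ("SSH version 2 only", r"^ip ssh version 2$", r"^ip ssh version 1$"),
    ("no telnet on vty lines", r"^\s*transport input ssh$",
     r"^\s*transport input .*telnet"),
    ("login banner present", r"^banner (motd|login) ", None),
]


def audit_config(config: str) -> dict[str, bool]:
    """Return {policy item: compliant?} for one device configuration."""
    results = {}
    for item, must, must_not in RULES:
        ok = re.search(must, config, re.MULTILINE) is not None
        if must_not and re.search(must_not, config, re.MULTILINE):
            ok = False
        results[item] = ok
    return results


def findings(config: str) -> list[str]:
    """List the policy items a configuration fails, in rule order, for the audit report."""
    return [item for item, ok in audit_config(config).items() if not ok]


if __name__ == "__main__":
    for hostname, cfg in (("core-rtr-1", COMPLIANT_CONFIG),
                          ("edge-sw-7", NON_COMPLIANT_CONFIG)):
        failed = findings(cfg)
        print(f"{hostname}: {'compliant' if not failed else 'FAILS ' + ', '.join(failed)}")
```

Keeping the rules in a table rather than in code makes the audit reviewable by the same people who sign off the policy: each row names the policy item it enforces, so a change to the policy maps directly to a change in one row, and the audit report is the list of failed items per device.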
Related Standards and Policies
This section is important for your audience: they should know which other documents are considered important for your policy. Here you should list the Information Security Policy, the CISCO Router and Switch Security Standard, the Firewall Policy, the Server Policy, the Incident Response Policy, etc.
Network Security Checklist:
- Risk Assessment - Assets, risks and threats
- Security Policy
- Revision of Security Policy
Network Security Policy Checklist:
- Title - Network Security Policy of XYZ
- Author - John Doe
- Version - v1.0
- Policy Enforcement
- Monitoring and Audits
- Related Standards and Policies