Network Security Policy

Document Version: 1.0
Last Updated: July 19, 2025
Owner: Information Security Officer
Approved By: Executive Management


1. Purpose

The purpose of this policy is to secure the internal network infrastructure of the organization—including on-premises systems, private clouds, and hybrid components—by defining controls that protect data and services from unauthorized access, disruption, and compromise in line with ISO/IEC 27001 requirements.


2. Scope

This policy applies to:

  • All internal networks (LAN, VLANs, data center networks)
  • Private cloud networks (e.g., OpenStack, VMware)
  • Internal system components (e.g., file servers, databases, authentication servers)
  • Employees, contractors, and devices connected to the internal network

3. Policy Statements

3.1 Network Segmentation

  • Internal networks must be segmented by business function and sensitivity (e.g., HR, Finance, Engineering, DevOps).
  • Production systems must be logically and physically separated from development and test environments.
  • Sensitive systems (e.g., identity stores, financial systems) must reside in isolated VLANs or security zones.

3.2 Access Control

  • Access to internal networks must be authenticated via centralized identity systems (e.g., Active Directory, LDAP).
  • Role-Based Access Control (RBAC) must be enforced, granting users only the minimum network access required.
  • Admin access must be restricted and logged via bastion hosts or jump servers.

3.3 Network Device Hardening

  • Default credentials must be changed, and unused services disabled.
  • Configuration backups of critical switches, routers, and firewalls must be encrypted and stored securely.
  • Only authorized personnel may configure network devices.

3.4 Endpoint Controls

  • Only organization-managed and compliant devices may connect to the internal network.
  • Endpoint protection software (EDR/AV) must be deployed and regularly updated.
  • Device access may be restricted based on network posture checks (e.g., NAC enforcement).

3.5 Monitoring and Logging

  • All internal network traffic must be monitored for anomalies (e.g., lateral movement, port scanning).
  • Logs from internal routers, switches, firewalls, and IDS must be sent to a centralized SIEM system.
  • Log retention must meet audit and compliance requirements (typically 12+ months).

3.6 Patch Management

  • Network devices and internal services must be regularly updated with vendor-released security patches.
  • Patching schedules must be defined and documented, with risk-based prioritization.

3.7 Wireless Networks

  • Internal wireless networks must use WPA2-Enterprise or WPA3 encryption.
  • Corporate wireless must be segmented from guest and BYOD access.
  • MAC address filtering or certificate-based authentication should be used where possible.

3.8 Remote and VPN Access

  • Internal network access from external locations (e.g., remote work) must use VPN with encryption and multi-factor authentication (MFA).
  • VPN traffic must be inspected and logged.
  • Split tunneling is not allowed unless explicitly approved and risk-assessed.

3.9 Physical Security

  • Access to networking infrastructure (e.g., IDFs, MDFs, data centers) must be physically secured and monitored.
  • Cable routing and switch ports must be documented and regularly audited.

3.10 Change Control

  • Any configuration change to the internal network must be reviewed, documented, and approved via the formal change management process.
  • Emergency changes must be documented retroactively and reviewed.

4. Roles and Responsibilities

Role               Responsibility
IT Network Team    Maintain and monitor internal network security
Security Team      Oversee policy compliance and threat detection
System Owners      Ensure internal systems are properly segmented and patched
Employees          Use internal network resources responsibly and securely

5. References

  • ISO/IEC 27001:2022 Annex A Controls
    • A.8.20 – Network security
    • A.5.15 – Access control
    • A.5.7 – Physical security
    • A.8.25 – Secure configuration
    • A.8.21 – Security of network services
    • A.8.16 – Monitoring activities

6. Review and Updates

This policy must be reviewed at least annually or following significant changes to the internal network architecture.