Network Management Policy

Netspective Unified Process

The purpose of a network management policy is to effectively manage and maintain a computer network infrastructure. [FII-SCF-016-NET-01]

KEY RESPONSIBILITIES

  • The Chief Information Officer has been delegated day-to-day responsibility for policy compliance by Management.

  • The Manager of Technology will assume responsibility for information security within their area of business and will be directly accountable to the Chief Information Officer (CIO) for Citrus information findings that are non-compliant with this policy.

  • Business and System owners, including Netspective Communications LLC Staff, have the responsibility to implement the administrative and technical controls that support and enforce this policy.

  • All those outlined in the policy are responsible for compliance, by adopting the processes and procedures that support this policy.

NETWORK DEVICE CONFIGURATION

  • Documented standards/procedures will cover the configuration of network devices, including:

    • Security architecture principles

    • Standard security management practices

    • Restricting access to network devices

    • Vulnerability and patch management

    • Changes to routing tables and settings in network devices

    • Regular review of network device configuration and set-up

  • Security controls applied to network devices must incorporate security architecture principles.

  • Network devices must adhere to standard security management practices, which include:

    • Restricting physical access to network devices to authorized staff.
    • Hardening the operating system(s) that support them.
    • Applying a comprehensive set of management tools.
    • Keeping network devices up to date.
    • Monitoring network devices.

Network Log

  • Network devices should be configured (typically based on a standard secure build) to:

    • Log security-related events in a form suitable for review and record them on a separate system.
    • Integrate with access control mechanisms in other devices.
    • Use a predefined secure set-up upon boot.
    • Ensure that passwords are not sent in clear text form.
  • Access to network devices must be restricted to authorized network staff, using access controls that support individual accountability, and protected from unauthorized access.

  • A process should be in place to address vulnerabilities in network devices, which includes:

    • Monitoring them for known vulnerabilities.
    • Issuing instructions to network staff on the action to be taken if a network device fails.
    • Testing patches for network devices and applying them in a timely manner.

  • Network devices performing routing must be configured to prevent unauthorized or incorrect updates by:

    • Verifying the source of routing updates.
    • Verifying the destination of routing updates.
    • Protecting the exchange of routing information.
    • Encrypting the routing information being exchanged.
  • Regular reviews of network devices are necessary to verify configuration settings, evaluate password strengths, and assess activities performed on the network device.

PHYSICAL NETWORK MANAGEMENT

  • Documented standards/procedures will cover the physical management of the network, including:

    • Configuring telecommunications cables
    • Attaching identification labels to communications equipment
    • Locking data centers and communication devices
    • Providing alternative feeds or routing
  • To protect network access points, disable them on the network device until required.

  • Documentation should support networks and include:

    • Network configuration diagrams, showing nodes and connections
    • An inventory of communications equipment, software, links, and services provided by external parties
    • One or more diagrams of in-house cable runs for each physical location
    • Details about analogue telephone lines
  • Keep network documentation up to date, ensure it is readily accessible to authorized individuals, subject it to supervisory review, and generate it automatically using software tools.

External Network Connections

  • Netspective Communications LLC should establish documented standards/procedures for managing external network access to its information systems and networks, which should:
    • Identify external connections.
    • Configure information systems and networks to restrict access.
    • Document details of external connections.
    • Remove external connections when they are no longer required.
  • Design information systems and networks accessible by external connections to:
    • Utilize an agreed set of security controls for information formats and communication protocols.
    • Conceal computer or network names and topologies from external unauthorized parties.
    • Protect sensitive information stored on information systems and transmitted to external party locations.
  • Ensure that information systems and networks accessible by external connections:
    • Restrict external network traffic to only specified parts of information systems and networks.
    • Restrict connections to defined entry points.
    • Verify the source of external connections.
    • Log security-related activity.

  • Ensure that devices meet minimum security configuration requirements, including:
    • Running up-to-date malware protection.
    • Having the latest system and software patches installed.
    • Running an up-to-date host-based (or personal) firewall with a predetermined standard configuration.
  • Restrict external access to information systems and networks by:

    • Establishing ‘Demilitarized Zones’ (DMZs) between untrusted networks, such as the Internet and internal networks.
    • Routing network traffic through firewalls or proxy firewalls.
    • Limiting the methods of connection.
    • Granting access only to specific business applications, information systems, or specified parts of the network.
  • Provide external access using a dedicated remote access server that:

    • Provides reliable and complete authentication for external connections.
    • Provides information for troubleshooting.
    • Logs all connections and sessions, including details of call start/stop time, call duration, and user. Tracking helps identify possible information security breaches.
  • Ensure that external access to information systems and networks is subject to strong authentication.

  • Identify unauthorized external connections by:

    • Performing manual audits of network equipment and documentation to identify discrepancies with records of known external connections.
    • Employing computer and network management and diagnostic tools.
    • Checking accounting records of bills paid to telecommunications suppliers and reconciling them against known connections.
  • Prevent unauthorized external access, and retire access that is no longer required, by removing or disabling:

    • Computer and network connections.
    • Equipment.
    • Control settings.

FIREWALLS

  • Protect networks from malicious traffic on other networks or subnetworks.

  • Establish documented standards/procedures for managing firewalls (or similar devices capable of filtering network traffic, such as switches and routers), which should cover how to:

    • Filter specific types or sources of network traffic.
    • Block or otherwise restrict particular types or sources of network traffic.
    • Develop predefined rules (or tables) for filtering network traffic.
    • Protect firewalls against attack or failure.
    • Limit the disclosure of information about networks and network devices.
    • Apply security architecture principles during configuration.
    • Document and regularly review firewall rules.
  • Use firewalls to check:

    • Destination IP addresses and protocol ports.
    • Information about the state of associated communications.
    • Properties about the communications that are known indicators of compromise.
  • Incorporate security architecture principles in firewall configuration (e.g., Policy 6 ‘secure by design’, ‘defense in depth’, ‘secure by default’, ‘default deny’, ‘fail secure’, ‘secure in deployment’, and ‘usability and manageability’).

  • Configure firewalls to:

    • Protect communication protocols that are prone to abuse.
    • Block network packets typically used to execute ‘denial of service’ attacks.
    • Deny incoming traffic where the source address is known to have been ‘spoofed’.
    • Deny outgoing traffic where the source address is known to have been ‘spoofed’.
  • Configure firewalls to block or otherwise restrict communications based on specified source/destination:

    • Addresses.
    • Ports.
  • Base filtering of network traffic on predefined rules (or tables) that:

    • Have been developed by trusted individuals and are subjected to supervisory review.
    • Are based on the principle of ‘least access’.
    • Use clear, consistent naming conventions.
    • Are grouped into sets to help manage and understand long rule sets.
    • Are documented (with version control) and kept up to date.
    • Take into account an information security policy, network standards/procedures, and user requirements.
  • Use automated filtering of network traffic based on:

    • Security industry-reviewed information.
    • Good practice, default filtering rules that update as the security landscape changes.
    • The premise of security over connectivity.
  • Before applying new or changed rules to firewalls, test and verify their strength and correctness, and obtain sign-off from authorized groups.

  • Protect firewalls against attack by:

    • Restricting administrator access to a limited number of authorized, skilled individuals, such as firewall administrators.
    • Encrypting administrator access.
    • Restricting administrator access to a central point.
    • Preventing disclosure of information about them on the network.
  • Document firewall configurations and include justification for:

    • Standard services, protocols, and ports that are permitted to pass through the firewall.
    • Services, protocols, and ports that are inherently susceptible to abuse.
  • Regularly review firewall configurations (e.g., quarterly) to ensure that:

    • Each firewall rule is approved and signed off by a business owner.
    • Expired or unnecessary rules are removed.
    • Conflicting rules are resolved.
    • Unused/duplicate objects (e.g., networks or information systems) are removed.
    • System administrators responsible for firewall management are aware of the current configurations, security policies, and operational procedures.

REMOTE MAINTENANCE

  • Manage access to critical systems and networks by external individuals for remote maintenance purposes by:

    • Defining and agreeing on the objectives and scope of planned work.
    • Authorizing sessions individually.
    • Restricting access rights so that they do not exceed those required to meet the objectives and scope of planned work.
    • Logging all activity undertaken.
    • Requiring the use of unique authentication credentials for each implementation (rather than vendor default credentials).
    • Requiring that access credentials be assigned to individuals, rather than shared.
    • Revoking access privileges and changing passwords immediately after agreed maintenance is complete.
    • Performing an independent review of remote maintenance activity.
  • Implement access controls to protect diagnostic ports on network equipment.

  • Ensure that external suppliers’ IT and information security staff sign Non-Disclosure Agreements (NDAs)/confidentiality clauses or incorporate them into their employment contracts before being granted access to the Netspective Communications LLC’s applications, systems, or networks.

Wireless Access

  • Apply security architecture principles to ensure wireless access to the network is secure.
  • Obtain prior agreement from the IT Director before any individual or group attaches their own wireless access point to the BU network.
  • Establish documented standards/procedures for controlling wireless access to the network, including:
    • Placing and configuring wireless access points (hardware devices that connect the wireless network to a wired network).
    • Implementing methods to limit access to authorized users.
    • Using encryption to protect information during transit.
    • Validating authentic wireless access points using certificates.
    • Maintaining an inventory of authorized wireless access points with documented business justifications for each access point.
    • Detecting unauthorized wireless access points and immediately disconnecting them from the network.
  • Configure wireless access points to operate at the minimum power setting required for the desired range.
  • Place wireless access points in locations that minimize the risk of interference.
  • Centrally configure and manage wireless access points.
  • Protect wireless access through multiple layers of access control, including:
    • Network access control.
    • Device authentication.
    • User authentication.
  • Safeguard wireless access by:
    • Encrypting communications between computing devices and wireless access points.
    • Using dedicated wireless networks, segregated by a virtual local area network (VLAN) and a firewall, for noncorporate device access.
    • Regularly changing encryption keys.
    • Conducting scans of the wireless network to identify unauthorized wireless access points and devices.
  • Implement additional security controls, such as virtual private networks (VPNs), for critical wireless access connections.

VOICE OVER IP (VOIP)

  • Establish documented standards/procedures for VoIP applications and the underlying technical infrastructure, which should include:

    • Applying general network controls for VoIP.
    • Implementing VoIP-specific controls.
  • Apply general network security controls for VoIP, including:

    • Utilizing bandwidth monitoring tools capable of recognizing VoIP traffic.
    • Deploying resilient and redundant network components.
    • Implementing firewalls capable of filtering VoIP traffic.
    • Restricting access to authorized devices for VoIP networks.
  • Implement VoIP-specific controls, such as:

    • Segregating voice traffic through the use of virtual local area networks (VLANs).
    • Hardening VoIP devices.
    • Conducting vulnerability scans on VoIP networks.
    • Encrypting sensitive VoIP traffic.
    • Monitoring events related to VoIP.
  • Ensure adherence to these standards/procedures for VoIP applications and the associated technical infrastructure.

Approved by Ajay Kumaran Nair on August 22, 2023 | Last Updated by Arun K R on August 22, 2023