Tải bản đầy đủ

Network Security Policy

Standard
Policy
Procedure
Code of Practice
Work Instruction

TITLE

Document reference

Page
Review date
Version
Issued by
Approved by

NETWORK SECURITY POLICY

NETWORK SECURITY POLICY
(For circulation of internal use only).


The hardcopy of this ducument is marked as UNCONTROLLED version. CONTROLLED version is stored on Company primary storage system in a hierachy folder with appropriate permission to access.

Page 1 of 13
September 2019
1.0


Standard
Policy
Procedure
Code of Practice
Work Instruction

Document reference

TITLE

Page
Review date
Version
Issued by
Approved by

NETWORK SECURITY POLICY

Table of Contents

The hardcopy of this ducument is marked as UNCONTROLLED version. CONTROLLED version is stored on Company primary storage system in a hierachy folder with appropriate permission to access.

Page 2 of 13
September 2019
1.0


Standard
Policy
Procedure
Code of Practice
Work Instruction


Page
Review date
Version
Issued by
Approved by

Document reference

TITLE

Page 3 of 13
September 2019
1.0

NETWORK SECURITY POLICY

DOCUMENT INFORMATION
Document Name

Network Security Policy

Document Reference No.

190910 FRS_IT – NSP.1.0

Document Version No.

1.0

Document Effective Date
Document Owner

DOCUMENT CONTROL
Name

Role

Position

Nguyen The Hung

Author

IT Manager

Date

REVISION HISTORY
Document Name:
Document Type:

Policy

Review Date:
Next Review Date:

Version

Reviewer

Details of Change

The hardcopy of this ducument is marked as UNCONTROLLED version. CONTROLLED version is stored on Company primary storage system in a hierachy folder with appropriate permission to access.

Date


Standard
Policy
Procedure
Code of Practice
Work Instruction

Document reference

TITLE

Page
Review date
Version
Issued by
Approved by

Page 4 of 13
September 2019
1.0

NETWORK SECURITY POLICY

INTRODUCTION
This Policy details the overall framework for network security requirements that must be followed by all Company’
employees and entities in order to protect Company network from unauthorized access. Network Security consists
of provisions of controls to detect, monitor and prevent unauthorized access, misuse, modification or denial of
services of Company computer network and other networked resources.
Network Security Policy (NSP) will assits to prevent the IT assets loss/damage due to network security incident and
reduce the associate risks of unauthorized access to Company IT Assets and Systems.
Being supported by a suite of other IT Policies document, the Network Security Policy will cover a wide range of
information security aspects, which must be read and complied with, by Company’ employees, as listed in the
Appendix.

PURPOSE
The IT Security Policy is created and maintained for purpose of control the network security performance (such as
firewall and intrusion detection/prevention system) to detect and/or prevent the intrusion attacking, unauthorized
access or other inappropriate activities on Company network system and networked-connect resources, thereby
helping to ensure the Confidentiality, Integrity and Availability of IT Assets and Systems that held by Company.

ROLES AND RESPONSIBILITIES
NSP is applied to the Company’ network system, network devices, networked-connect resources, and other
procedures/processes to operate/manage/control and monitor thereof.
It is responsibility of IT Manager to maintain the policy and provide guidance to the business on the policy
implementation.
Company’ employees must obtain insight in any local standards and legislation (particularly when dealing with
personal data) and where applicable develop additional policies to the other relevant policies and to ensure overall
compliance.
Please contact with IT Manager for any instances where local legislation or regulation would contradict with any
requirements stated in the Company IT policies.

SCOPE
This Policy applies to:
-

All networked-connect systems, devices and IT assets in Company,
All business data and information that managed, processed or stored by Company, or its service providers,
regardless of whether it being processed electronically or in paper (hard copy) form,
All providers of Information Technology services to Company,
All users of Information Technology Assets, Systems and Networks in Company,
Authorized third parties connecting to Company Networks.

Note: Network devices are subject to the Set of Information Security policies, for example, network devices should
be configured in line with the secure configuration section of the Vulnerability Management policy and in line with
the access control section of the Access Control policy.
The hardcopy of this ducument is marked as UNCONTROLLED version. CONTROLLED version is stored on Company primary storage system in a hierachy folder with appropriate permission to access.


Standard
Policy
Procedure
Code of Practice
Work Instruction

Page
Review date
Version
Issued by
Approved by

Document reference

TITLE

Page 5 of 13
September 2019
1.0

NETWORK SECURITY POLICY

REVIEW
The NSP will be reviewed as part of an overall management review of the effectiveness of the Company’ security
programme during its impelementation and lifecycle.
Also, due to a security/network security incident and/or changes to organizational or technical infrastructure, the
NSP must be reviewed in response accordingly.

ASSOCIATED RISK DEFINITION
All components of IT Assets, Systems and Network has a value to the Company. However, some of them are more
sensitive to risks because of the content or importance to the ongoing business operations. This sensitivity or risk is
driven by the need to maintain the Confidentiality, Integrity and Availability in term of IT Assets, Systems and
Networks as defined in table below:
Confidentiality

Confidentiality refers to preventing information disclosure, even authorized or unauthorized, to
unauthorized individuals or other IT Systems/Networks.

Integrity

In the major of Information Security, the Integrity means maintaining and assuring the
accuraccy, completeness, consistency and timeliness of IT Assets, Systems and Network over
their entire lifecycle and preventing the modification from unauthorized.

Availability

For any IT Assets and Systems to serve their own purpose, the Assets and Systems must be
available when needed. Ensuring Availability also involves to the preventing of other security
relevant such Denial-of-Service (DoS) attack, or malware/malicious code which may break
normal operations.
These are collectively known and called as CIA in IT Security.

CLASSIFICATIONS
The requirements in the Policy Requirements chapter will provide more details about requirements around IT
Assets and Systems, and linked to Assets Classification Schema – see table below – which requires that each
network asset, equipment, device, etc. should be given an appropriate classification label. Please note, this is
intended only as a guidance, therefore, business knowledge is vital in accurately depicting the level of risks and
classifications.
Assets Classification Schema
Level

Classification Label

Definition

Level 1

Standard

The base level of security that applies to all IT assets and systems unless stated
otherwise. If no other classification is given, it is assumed that “Standard”
classification applies.

Level 2

Confidential

The label “Confidential” will be applied to the IT Assets/Systems whose
confidentiality, integrity and availability are critical to the ongoing business
operation and business reputation.

Level 3

Restricted

The label “Restricted” will be applied to the IT Assets/Systems that processed the
data which is bound by specific standard or legislation, for example:

- Personal information (information that identifies an individual) and would be
-

bound by the requirements of Data Protection Act/Regulation.
Payment Card information that would be bound by the requirements of
Payment Card Industry Data Security Standard (PCI DSS).

The hardcopy of this ducument is marked as UNCONTROLLED version. CONTROLLED version is stored on Company primary storage system in a hierachy folder with appropriate permission to access.


Standard
Policy
Procedure
Code of Practice
Work Instruction

Page
Review date
Version
Issued by
Approved by

Document reference

TITLE

Page 6 of 13
September 2019
1.0

NETWORK SECURITY POLICY

DEVIATION FROM POLICY REQUIREMENTS
Any decisions to deviate from requirements that settled out in this Policy must be approved by Company Senior
Management Team.
Compliance is mandaroty for:
-

IT Assets, Systems or Network that processing the Payment Industry Card (PCI) related data (for example,
Credit Card details)
Data protection regulation such as UK Data Protection Act and EU Data Protection Directive/EU Global Data
Protection Regulation.
Other local Law and Legislation that may applied to Information Technology.

POLICY REQUIREMENTS
Primary goal objectives of the Network Security Policy (ITSP) are to help to ensure that:
-

Protect the integrity of Company network,
Mitigate the risks and losses associated with network security threats to computing resources,
Secure the network access for Company’ authorized users,
Detect and prevent unauthorized access from both authorized and unauthorized people.

Depending on the Assets Classification category applicable from previous chapter, the requirements settled out
below will describe the security conditions which Company’ must comply with, by using the following sections:
-

Network Architecture,
Netwokr device logging and monitoring,
Firewalls,
Internet facing applications,
Remote connections,
And Wireless network.

CONTROL AREA

REQUIREMENTS

REFERENCE

NETWORK ARCHITECTURE
Standard Requirements

-

Confidential Requirements

Network diagram and architecture must be documented and updated in timely
manner or due to significant change in network architecture and topology.

IT Policy

Network segmentation using both physical and logical configuration, must be in
place to separate internal network into subnetworks to segregate internal
netwwork systems and devices to the external-facing services.

Logging and Monitoring Policy

-

It is required to enable the “trust-relationship” (or delegation) between systems
according to business requirements.

-

A formal change management process must be placed to manage and record all
modifications or addition to the network architecture, with respective approvals.

-

Each change must be combined with a back-out plan (failback or rollback) to
ensure that network system be able to restore to “Last Known-Good Configuration”
in case of failure occurred.

-

Change implementation must be scheduled to ensure that no unplanned events
impact occurs to business operations.

As Standard, plus:

-

Network architecture must include the determination of network traffic flows (at
least, logical level) between end-user and network resources where confidential

The hardcopy of this ducument is marked as UNCONTROLLED version. CONTROLLED version is stored on Company primary storage system in a hierachy folder with appropriate permission to access.

IT Security Policy
Vulnerability
Policy

Management


Standard
Policy
Procedure
Code of Practice
Work Instruction

Page
Review date
Version
Issued by
Approved by

Document reference

TITLE

Page 7 of 13
September 2019
1.0

NETWORK SECURITY POLICY
data and information being stored/processed.

Restricted Requirements

As Confidential, plus:

-

Network architecture must include the determination of network traffic flows (both
physical and logical level) between end-user and network resources where
restricted data and information being stored/processed.

NETWORK DEVICE LOGGING AND MONITORING
Standard Requirements

-

All externally accessible devices (for example, firewall or internet router at network
boundaries) must be monitored and labeled as “Confidential” system, with
following conditions:
o Logging must be enabled,

o
o
o
o

Confidential Requirements

Restricted Requirements

Auditing must be configured to send an alert notification to IT Systems
Administrator about a network security incident,
Log files must be protected out of unauthorized deletion or modification from
both authorized and unauthorized people.
Predefined events must be monitored and alerted automatically once such
event occurs.
Identified events will be used for correlation actions and analysis to detect
other unusual patterns.

-

The log for critical network device such firewall must be reviewed regularly to
determine whether security incidents and breaches have occurred.

-

Security events must be tracked (in the Risk Register record) and managed
accordingly to ensure that the issues has been resolved and mitigated as best as
possible.

As Standard, plus:

-

Such network systems and devices that labelled as “Confidential” must be protect
from intrusion attacking by implemeting Intrusion Detection/Prevention System
(ID/PS) at network boundaries.

-

IDPS must be configured to monitor and report on – network activities for
malicious actions or policy violations.

-

It is recommended to implement a security incident simulation environment to test
Company security readiness in responding to security incident(s).

As Confidential, plus:

-

It is required to audit the network device logging and monitoring
procedure/process to validate the Company readiness in responding to security
incident(s).

-

It is required to set up the Firewall at Company network boundaries.

-

All access to and from Company trusted network, must only take place through
approved securely network access points (both wired and wireless) that are
managed by an approved firewall.

-

The firewall must be configured to:
o Permit connectivity for required and authorized services/protocols/ports.

FIREWALL
Standard Requirements

Where possible, a banner must be configured to display a warning message about
unauthorized access to firewall.

o
o
o
o
o
o
o
o

Permit connectivity from identificable devices/equipment.
Disable all non-required services/protocols/ports.
Include a “Deny-all” at the end of the rule set, which create a rule to deny all
network traffic from any source to any destination using any service and
protocol and port.
Alert the System Administrator about gateway integrity violation.
Alert the System Administrator about network attacking.
Check and log the source’s IP addresses/protocols/services used and ports.
Check and log the destination’s IP addresses/protocols/services used and
ports.
Record the state information about a network communications passed through

The hardcopy of this ducument is marked as UNCONTROLLED version. CONTROLLED version is stored on Company primary storage system in a hierachy folder with appropriate permission to access.

“Need-to-Know” and “Need-toHave” principal.


Standard
Policy
Procedure
Code of Practice
Work Instruction

Document reference

TITLE

NETWORK SECURITY POLICY

o

Confidential Requirements

Restricted Requirements

Page
Review date
Version
Issued by
Approved by

firewall (for example, outgoing port command, incoming traffic, downloaded
bandwidth, etc.).
Log all activity on Firewall.

-

Refer to the section “Network Architecture” above, a formal change process must
be placed to adapt and manage all critical changes that could be impacted to
Firewall configuration and operation.

-

Firewall configuration must be reviewed regularly to ensure that adequate
protection is provided.

-

Firewall configuration must be auto-backup to ensure that in order system crashed,
the configuration can be restored and system downtime can be minimized.

-

The backed up configuration must be stored in safe location with access restriction
to authorized people only.

-

The firmware (hardware management built-in application) and attack patterns
must be configure to be updated.

As Standard, plus

-

The Firewall must be configured to be managed from authorized, approved and
trusted IP address only.

-

All network traffic from and to untrusted networks must be controlled and
managed by the Firewall/Intrusion Detection/Prevention System.

-

All network packets typically used to executed a “Denial-of-Service” must be
rejected/dropped from Firewall (for example, ICMP Echo, UDP and TCP Echo,
Chargen packets, etc.).

-

Configuration of all network equipment and devices must be protected from
unauthorized access and disclosured.

As Confidential, plus

-

Deny all incoming and outgoing network traffic where the source/destination
addresses are khown as “spoofed”

-

Specified source/destination and IP address/protocols/ports must be blocked or
restricted.

-

Where possible, the Two-factors authentication must be enabled/applied on the
Firewall to protect from accesing by unauthorized individuals.

INTERNET FACING APPLICATION
Standard Requirements

-

Internet facing application system (if applicable) must be protected by multiple
layers of security which included but not limited:
o Access control,

o
o
o
o
o
o
Confidential Requirements

Network segmentation to limit the accessing through network,
Anti virus/malware,
Patch management and system hardening,
Logging and monitoring,
Implementing the Secure Socket Layer (SSL) on the Internet facing application
server.

It is required to perform security testing, at least annualy.

As Standard, plus:

-

Restricted Requirements

Secure configuration of network devices such Firewall, Switch, Routers, etc.

Where the Internet facing application server involves by other Third-parties, it is
required to place the “Assurance Agreement” between Company and Third-parties
to ensure about the Confidentiality, Integrity and Availability of Internet facing
application server.

As Confidential, plus:

-

Digital signatures must be applied to authenticate the source of accessing to the
application where e-commerce transactions being processed (for example,
Payment online, Social or Tax online transactions, etc.).

-

Access to internal Company’ Internet facing application system must be performed
via a secure mechanism (for example, through Firewall) and/or a method of serving
the application contents without accessing directly to Company’ internal network

The hardcopy of this ducument is marked as UNCONTROLLED version. CONTROLLED version is stored on Company primary storage system in a hierachy folder with appropriate permission to access.

Page 8 of 13
September 2019
1.0


Standard
Policy
Procedure
Code of Practice
Work Instruction

Page
Review date
Version
Issued by
Approved by

Document reference

TITLE

NETWORK SECURITY POLICY
system (for example, running the application over through VPN connection).

REMOTE CONNECTIONS
Standard Requirements

-

The remote connection to Company’ network must be restricted to authorized
person only.

-

Non-approved cloud based solution (for example, Dropbox, OneDrive, Google
Drive) is prohibited to use for storing Company data and information.

-

The connection used to remote connect must:
o Be protected, for example, using Secure Socket Layer (SSL) encryption,

o

Confidential Requirements

Restricted Requirements

Where possible, be authenticated by 2-Factors authentication method (for
example, VPN + token ring or VPN + user name and password).

Remote connection must be tested and verified for security as a part of security
management and risk management process.

As Standard, plus:

-

Where remote connection by Third parties (both internal and external Company’)
is required, an Access Agreement must be placed to determine roles and
responsibilities of Third parties during remote connection session.

-

All activities during a remote connect session to a confidential system must be
logged at both network and application level.

As Confidential, plus:

-

Remote connect to the restricted system is strongly limited to explicitly authorized
and approved person only.

-

All activities during a remote connect session to restricted system must be logged
at both network, application and server level.

-

Wireless network for Guests usage (for example, Company’ users using nonCompany equipment, or non-Company’ users using non-Company equipment)
must be segmented physically/logically and must not be connected to internal
Company network.

-

It is required to set the pass-phrase to access to Wireless network. And the passphrase must follow the standard that settled out in the IT Policy, Chapter Security.

-

Wireless connect to internal Company’ network is prohibited.

WIRELESS NETWORK
Standard Requirements

Confidential Requirements

As Standard, plus:

Restricted Requirements

Bluetooth connection must only be used on non-sensitive device which contains
non-confidential/restricted data and information.
Wireless network will not be provided to connect to Confidential systems.

As Confidential, plus:

-

Wireless network will not be provided to connect to Restricted systems.

The hardcopy of this ducument is marked as UNCONTROLLED version. CONTROLLED version is stored on Company primary storage system in a hierachy folder with appropriate permission to access.

Page 9 of 13
September 2019
1.0


Standard
Policy
Procedure
Code of Practice
Work Instruction

Page
Review date
Version
Issued by
Approved by

Document reference

TITLE

Page 10 of 13
September 2019
1.0

NETWORK SECURITY POLICY

APPENDIX 1: ADDITIONAL IT POLICIES SET
Policy Name

Description

IT Policy

Set the requirements for all IT activities within Company entities, by all Company’
employees.

Access Control

Set the requirements for creating and maintaining user access to IT Assets and
Systems.

Logging and Monitoring

Set the requirements for what activities must be logged and monitored on which
IT Assets, Systems and Network.

Vulnerability Management

Set the requirements for performance of security vulnerability scanning and
patching on Application, Operating System and other critical devices.

Data Leakage Prevention

Set the requirements for data transfer over flash storage, electronic mail
messagem file transfer service in respect of sensitive data movements.

Third Party Outsourcing

Set the requirements for engagement and continuous monitoring over third
parties who provide IT Services which impact to critical business data and
information.

Malware Protection

Set the requirements for malware, computer viruses and malicious codes
protection on Company network and devices.

Network Security

Set the requirements for intrusion detection/prevention and monitoring on
Company network. Also defines how might we maintain and manage the firewall
and secure network infrastructure.

Application Security

Set the requirements for how might we secure Company applications.

Website Control

Set the requirements for securing creation and monitoring the Company web
presence.

The hardcopy of this ducument is marked as UNCONTROLLED version. CONTROLLED version is stored on Company primary storage system in a hierachy folder with appropriate permission to access.


Standard
Policy
Procedure
Code of Practice
Work Instruction

Page
Review date
Version
Issued by
Approved by

Document reference

TITLE

Page 11 of 13
September 2019
1.0

NETWORK SECURITY POLICY

APPENDIX 2: ASSETS/SYSTEMS CLASSIFICATION EXAMPLE
Level

Classification Label

Examples

Level 1

Standard

Generic information

Level 2

Confidential

-

Level 3

Restricted

Typical Risks

Financial Statements (Pre-release),

Business disruption:

Product Details, Product Structure,

-

Price List, Contracts,
Board of Directors papers,

Loss of delivering capability,
Loss of payment processing or
revenue collection.

Mergers and Acquisitions Documents,

Reputational damage,

Audit Documents,

Loss of commercial advantage,

IT Documents, IT Systems Configuration,

Customers disatisfaction.

Production System,
Payment Card Processing documents,

Fines and Public Censure,

HR, Salary, Pension Records,

Reputational damage.

Customer Record which identify individuals identifiers such as
name, home address, date of birth, etc.

The hardcopy of this ducument is marked as UNCONTROLLED version. CONTROLLED version is stored on Company primary storage system in a hierachy folder with appropriate permission to access.


APPENDIX 3: ASSETS/SYSTEM INVENTORY EXAMPLE
Asset

Business Area

Description

Key fields

Classification

Location

Owner

Custodian

Likelihood x Impact point

File Server

All

Primary storage device for all Company
documents

All

Confidential

Server room - HCMC
Office

IT Manager

IT

16 points (Critical Area)

Firewall

All

Primary security firewall at network
boundary to protect local network and
devices from attacking.

Security

Confidential

Server room – HCMC
Office

IT Manager

IT

16 points (Critical Area)

Marketing Data

Marketing

All data related to Marketing

All

Confidential

File Server

Marketing

Marketing
Manager

9 points (High Area)

Price List

Sales

Customer details

Confidential

File Server

Sales
Manager

Sales Manager

9 points (High Area)

Sales Computer
Restricted
(Data
Protection Act)

File Server

HR Manager

HR Manager

12 points (Critical Area)

Confidential

File Server

Finance

Finance

16 points (Critical Area)

Pricing plan
Employee and HR
Data

HR

Financial Statement

Finance

All
Pre-release

Explanation

HR Computer
Finance Computer

The hardcopy of this ducument is marked as UNCONTROLLED version. CONTROLLED version is stored on Company primary storage system in a hierachy folder with appropriate permission to access.


APPENDIX 4: IMPACT AND LIKELIHOOD ANALYSIS MATRIX

The hardcopy of this ducument is marked as UNCONTROLLED version. CONTROLLED version is stored on Company primary storage system in a hierachy folder with appropriate permission to access.



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

Tải bản đầy đủ ngay

×