A good Network Security Policy reduces network risks by consistently applying authentication and access standards throughout the network in the three company offices. Consistent standards for network security are important in securing the company’s information and are often required by regulations and/or third-party agreements.
This policy describes steps to ensure appropriate authentication of corporate network users and suitable access for job performance. The policy specifies appropriate use of network accounts and authentication standards.
The policy’s scope is all users with access to company-owned or company-provided computers and devices, or requiring access to the corporate network and/or systems. This includes employees, guests, contractors, and anyone else requiring access to the corporate network. Public access to the company’s corporate website, web applications and other externally reachable corporate internet resources is specifically excluded from this policy.
- Positive ID and coordination with Human Resources are required before initial account setup.
- A user is granted the least amount of network access needed to perform their job function.
- A user is granted access only if they agree to the Acceptable Use Policy.
- Accounts must be created using the standard format of firstname-lastname.
- Accounts must be password protected according to the Password Policy.
- Accounts must be for individuals only. Account sharing and group accounts are not permitted.
- User accounts must not be given administrator or ‘root’ access unless this is necessary to perform the user’s job function.
- When a legitimate and reasonable need for a user to access the corporate network is demonstrated, temporary guest access is allowed. The guest access is restricted to only those resources that the guest needs at that time, and disabled when the guest’s work is completed.
- Individuals requiring access to confidential data must have an individual, distinct account. This account may be subject to additional monitoring or auditing at the discretion of the Network Manager or executive team, or as required by applicable regulations or third-party agreements.
When an employee no longer works at the company, the employee’s account will be disabled. Human Resources must notify the Network Manager of any staffing change, including new employment, employment termination, suspension, promotion, demotion, etc.
User machines must be configured to require authentication against the domain at startup. If the domain is not available or authentication cannot occur for any reason, the machine must not be permitted to access the network.
Use of Passwords
When accessing the network locally, two-factor authentication is required.
Remote Network Access
Due to the elevated risk of remote access, two-factor authentication is required, as is adherence to the Remote Access Policy.
Password-protected screensavers must activate after 5 minutes of inactivity to protect idle computers.
Minimum Configuration for Access
Network admission control software will grant access only to machines that strictly meet corporate standards for antivirus software and patch levels.
Authentication credentials must be encrypted during transmission across any network, whether the transmission occurs inside the company network or across a public network such as the Internet. Any data marked as sensitive and/or confidential that is stored on company computers must also be encrypted.
The logon failure error message will be “the username and or password you supplied were incorrect”, so that it does not reveal whether the username exists. To further guard against password-guessing and brute-force attempts, the company will lock a user’s account after 5 unsuccessful login attempts. Unlocking will require a manual reset by the Network Manager.
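As an added illustration (not part of this policy document or any company system), the following Python sketch shows how a login handler can implement the two controls described above: one generic failure message whether the username is unknown, the password is wrong or the account is already locked, and a lock after 5 failed attempts that only an administrator reset clears. The account store, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Generic failure text mandated by the policy; identical for unknown users,
# wrong passwords and locked accounts, so a caller cannot enumerate accounts.
FAILURE_MESSAGE = "the username and or password you supplied were incorrect"
LOCKOUT_THRESHOLD = 5  # unsuccessful login attempts before the account locks


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is made per account."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class AccountStore:
    """Constructed in-memory store standing in for the directory service."""

    def __init__(self):
        self.accounts = {}  # username -> {"salt", "digest", "failures", "locked"}

    def create(self, username, password):
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "digest": digest,
                                   "failures": 0, "locked": False}

    def login(self, username, password):
        """Return (True, None) on success, otherwise (False, FAILURE_MESSAGE)."""
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password)  # same cost as a real check: no timing leak
            return False, FAILURE_MESSAGE
        if acct["locked"]:
            return False, FAILURE_MESSAGE  # even a correct password is refused
        _, candidate = hash_password(password, acct["salt"])
        if hmac.compare_digest(candidate, acct["digest"]):
            acct["failures"] = 0  # a successful login clears the counter
            return True, None
        acct["failures"] += 1
        if acct["failures"] >= LOCKOUT_THRESHOLD:
            acct["locked"] = True  # stays locked until an administrator resets it
        return False, FAILURE_MESSAGE

    def admin_reset(self, username):
        """Manual reset by the Network Manager: clears the lock and the counter."""
        acct = self.accounts[username]
        acct["locked"] = False
        acct["failures"] = 0
```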
Because of remote working, especially by sales reps, there will be no time-of-day lockouts.
Applicability of Other Policies
This document is part of the company’s cohesive set of security policies. Other policies may apply to the topics covered in this document, so the applicable policies should be reviewed as needed.
This policy will be enforced by the Network Manager and/or the Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.