CYB-DOC-01-1 Network Security Policy


2 Network security policy

At all connection points between the internal network and an insecure external network (such as the Internet), effective measures, such as a firewall, must be put in place to ensure that only authorised network traffic is allowed. Where possible, multiple layers of protection will be used to ensure that the failure of a single device does not expose the network to attack. For example, network firewalls (e.g. on a router) will be supplemented by host-based software firewalls on servers and client computers in order to provide several levels of firewall protection.

Servers that are intended to be accessed from the Internet (such as web servers) must be connected to a separate area of the firewall (referred to as a De-Militarised Zone, or DMZ) in order to provide additional protection for the internal network.

Where information is to be transferred over a public network such as the Internet, strong encryption techniques must be used to ensure the security of the data transmitted.

Access to wireless networks must be secured using a strong password. A guest wireless network may be provided for visitors. This must be physically separate from all internal networks (including internal wireless networks) and secured using a firewall. The ability to connect devices to a wireless network using the WPS (WiFi Protected Setup) button on the access point or router itself must be disabled. Wireless access point admin logon passwords must always be changed from the default to a strong password.

Network equipment in remote offices will be housed in secure cabinets, which must be locked at all times. Wireless access points located in public areas must be hidden from view where possible and must be placed in positions where access by the public is difficult, e.g. in or near the ceiling. A lockable protective casing must be installed where an access point is located in an unprotected public area, e.g. a car park.
Where there is a requirement for remote access across the Internet to the internal network, a Virtual Private Network (VPN) will be used. Two-factor authentication (e.g. using a phone app or via a text message) must be used so that knowledge of a password on its own is not enough to gain access. Remote access must be granted on an "as required" basis rather than for all users by default.

Admin passwords to network devices must be changed on installation of the device to a strong password of at least eight characters. Access to router and firewall settings across the Internet must be restricted to defined IP addresses, or using two-factor authentication, or where available, both. Such access must be supported by a documented business case which is approved by management.

Version 1

Page 9 of 11

[Insert date]
