Tuesday, July 17, 2007

Information Security Policy 101 – Network Configuration Policy



Part 9 in the Information Security Policy 101 Series

Most network configuration policies are fairly straightforward.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Network Configuration Policy is to establish the rules for the maintenance, expansion and use of the network infrastructure. These rules are necessary to preserve the Integrity, Availability, and Confidentiality of %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically a Network Configuration Policy applies to all individuals in an organization.

SAMPLE:
Audience
The %ORGANIZATION% Network Configuration Policy applies equally to all individuals with access to any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies include definitions, scope, responsibilities, etc.

Network Configuration Policy
Although many organizations do not have a separate Network Configuration Policy, many of the statements are important enough to communicate in one form or another. Some organizations will include these statements in other information security policies. I prefer to separate them.

SAMPLE NETWORK CONFIGURATION POLICY STATEMENTS:

- %ORGANIZATION% IT owns and is responsible for the %ORGANIZATION% network infrastructure and will continue to manage further developments and enhancements to this infrastructure.
- To provide a consistent %ORGANIZATION% network infrastructure capable of leveraging new networking developments, all cabling must be installed by %ORGANIZATION% IT or an approved contractor.

Conclusion
Read through the sample policy, and together with the business assessment, determine if a Network Configuration Policy makes sense in your organization.

Download the SAMPLE NETWORK CONFIGURATION POLICY.

Next in the series: “Information Security Policy 101 – Network Access Policy”

Previous: “Information Security Policy 101 – Incident Management Policy”
