Wednesday, July 18, 2007

Information Security Policy 101 – Network Access Policy

Part 10 in the Information Security Policy 101 Series

This is now the 10th entry in the “Information Security Policy 101” series. Are these policies starting to blur at all? Are they all starting to look the same? Believe it or not, the policies look similar on purpose, and there are statements in one that may be found in another (also on purpose). The repetition can make things a little boring for information security personnel, but it really does help “normal” people retain the information.

The Network Access Policy, or at least the language of its policy statements, is found in many organizations. Often I will find Network Access Policy statements included in an Acceptable Use Policy instead. Tomayto, tomahto.

As always…

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

The purpose of the %ORGANIZATION% Network Access Policy is to establish the rules for the access and use of the %ORGANIZATION% network infrastructure. These rules are necessary to preserve the integrity, availability and confidentiality of %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Network Access Policy aptly applies to any person or entity that accesses the organization’s network, either locally or through a WAN, VPN, modem, wireless, etc.

The %ORGANIZATION% Network Access Policy applies equally to all individuals with access to any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Network Access Policy
The Network Access Policy is a simple policy that should outline some basic ground rules that people need to follow when using the organization’s network.

NOTE: Although the statements in a policy may seem basic and common sense to the author, don’t assume that they are for everyone.

STORY: I once had a user complain to me that a policy I wrote for a client company was too simple and common sense.


- Remote users may connect to the %ORGANIZATION% corporate networks only after formal approval;
- Remote users may connect to %ORGANIZATION% Information Resources using only the protocols approved by %ORGANIZATION% IT;

The Network Access Policy is simple, and you may be able to get away with ditching it in favor of adding the required statements to your Acceptable Use Policy. This decision is up to you; the business assessment exercise could help you make it. I almost always separate the policy statements for ease of reference, simplified reviews and changes, and reinforcement through repetition.


Next in the series: “Information Security Policy 101 – Password Policy”

Previous: “Information Security Policy 101 – Network Configuration Policy”


Andy, ITGuy said...

I don't suppose you have all of the policy blogs and related materials in a nice and easy to print format do you?

The Trusted Toolkit said...

That would be way too nice! ;)

About the best I have right now is the "Labels" link on the left side.

I was planning on creating a summary post with the easy to print stuff included at the end of the series. What are your thoughts? I am always open to suggestions!