Purpose
The purpose of this policy is to establish the technical guidelines for network security and to communicate the controls necessary for a secure network infrastructure. The network security policy will provide the practical mechanisms to support the company’s comprehensive set of security policies.
Scope
This policy applies to all employees, contractors, subcontractors, consultants, temporaries, guests, and any third party that uses eOne Solutions information assets or information resources and services.
Policy
Network Device Configuration
- Authentication on network devices must be configured according to the eOne Solutions Password Management Policy. Special considerations are to be made due to the nature of the device.
- Administrative access to systems must be limited to only those with a legitimate business need.
Network Documentation
The company requires that network documentation be updated at least quarterly or after major changes. At a minimum, network documentation should include:
- eOne Solutions Network diagram
Networking Devices
Configuration checks on network devices should be implemented consistently. The following requirements apply to the company’s implementation of network devices:
- Network devices must provide secure administrative access (through encryption) with management access limited to only networks where management connections would be expected to originate.
- Clocks on all network devices should be synchronized using NTP or other means.
- Access control lists must be implemented on network devices that prohibit direct connections to the devices. Connections to the router should be limited to the greatest extent possible.
- Unused services and ports must be disabled on network devices.
- Access to administrative ports on the network devices must be restricted to known management hosts and otherwise blocked with a firewall or access control list.
Servers
The following requirements apply to Company servers:
- Unnecessary files, services, and ports should be removed or blocked.
- Servers, even those meant to accept public connections, must be protected by a firewall or access control list.
- A standard installation process should be developed for the company’s servers.
- Management access to servers must be available only to authorized users from a protected network perimeter or a specified list of IP addresses.
Security Assessments
Security testing must be performed on the following recurring schedules:
- Vulnerability Scanning must be performed biweekly
- Penetration Testing must be performed at least once per year
System administrators are responsible for the patch management process.
Disciplinary actions
Employees who violate this policy may face disciplinary consequences in proportion to their violation. Management will determine how severe an employee’s offense is and take the appropriate action.
Change, Review, and Update
This policy shall be reviewed once every year unless the owner considers an earlier review necessary to ensure that the policy remains current. Changes to this policy shall be exclusively performed by the Information Security Manager and approved by the IT Committee.
Responsibility
It is the responsibility of the Information Security Manager to maintain this policy and make sure everyone is aware of it.
Revisions
- 19 September 2024
- This policy will be reviewed for continued completeness, relevance, and accuracy at yearly intervals or less.
Need to contact us?
If there are any questions regarding this Network Security Policy, you may contact us using the information below.
4170 41st Avenue South, Suite 101
Fargo, ND 58104
USA
+1 888-319-3663