NETWORK SECURITY POLICY
Document type: Policy
Review date: September 2019
Version: 1.0
(For internal circulation only.)
The hardcopy of this document is marked as an UNCONTROLLED version. The CONTROLLED version is stored on the Company primary storage system in a hierarchical folder with appropriate access permissions.
Page 1 of 13
DOCUMENT INFORMATION
Document Name: Network Security Policy
Document Reference No.: 190910 FRS_IT – NSP.1.0
Document Version No.: 1.0
Document Effective Date:
Document Owner:

DOCUMENT CONTROL
Name | Role | Position | Date
Nguyen The Hung | Author | IT Manager |

REVISION HISTORY
Document Name:
Document Type: Policy
Review Date:
Next Review Date:
Version | Reviewer | Details of Change | Date
INTRODUCTION
This Policy details the overall framework of network security requirements that must be followed by all Company
employees and entities in order to protect the Company network from unauthorized access. Network Security consists
of the controls that detect, monitor and prevent unauthorized access, misuse, modification or denial of service
of the Company computer network and other networked resources.
The Network Security Policy (NSP) will assist in preventing IT asset loss or damage due to network security incidents and
reduce the risks associated with unauthorized access to Company IT Assets and Systems.
Supported by a suite of other IT Policy documents, the Network Security Policy covers a wide range of
information security aspects, which must be read and complied with by Company employees, as listed in the
Appendix.
PURPOSE
The Network Security Policy is created and maintained to govern the network security controls (such as the
firewall and the intrusion detection/prevention system) that detect and/or prevent intrusion attempts, unauthorized
access and other inappropriate activity on the Company network and network-connected resources, thereby
helping to ensure the Confidentiality, Integrity and Availability of the IT Assets and Systems held by the Company.
ROLES AND RESPONSIBILITIES
The NSP applies to the Company network, network devices, network-connected resources, and the
procedures/processes used to operate, manage, control and monitor them.
It is the responsibility of the IT Manager to maintain the policy and to provide guidance to the business on its
implementation.
Company employees must be aware of any local standards and legislation (particularly when dealing with
personal data) and, where applicable, develop additional policies alongside the other relevant policies to ensure overall
compliance.
Contact the IT Manager for any instance where local legislation or regulation would contradict any
requirement stated in the Company IT policies.
SCOPE
This Policy applies to:
- All network-connected systems, devices and IT assets in the Company,
- All business data and information that is managed, processed or stored by the Company or its service providers,
  regardless of whether it is processed electronically or in paper (hard copy) form,
- All providers of Information Technology services to the Company,
- All users of Information Technology Assets, Systems and Networks in the Company,
- Authorized third parties connecting to Company Networks.
Note: Network devices are subject to the full set of Information Security policies; for example, network devices must
be configured in line with the secure configuration section of the Vulnerability Management policy and with the
access control section of the Access Control policy.
REVIEW
The NSP will be reviewed as part of the overall management review of the effectiveness of the Company security
programme during its implementation and lifecycle.
The NSP must also be reviewed in response to any security/network security incident and to changes in the
organizational or technical infrastructure.
ASSOCIATED RISK DEFINITION
All components of the IT Assets, Systems and Network have a value to the Company. However, some of them are more
sensitive to risk because of their content or their importance to ongoing business operations. This sensitivity or risk is
driven by the need to maintain the Confidentiality, Integrity and Availability of IT Assets, Systems and
Networks, as defined below:
Confidentiality: preventing the disclosure of information, whether accidental or deliberate, to
unauthorized individuals or to other IT Systems/Networks.
Integrity: in Information Security, maintaining and assuring the accuracy, completeness, consistency and
timeliness of IT Assets, Systems and Networks over their entire lifecycle, and preventing unauthorized modification.
Availability: for IT Assets and Systems to serve their purpose, they must be available when needed.
Ensuring Availability also involves preventing security events such as Denial-of-Service (DoS) attacks or
malware/malicious code that may disrupt normal operations.
These are collectively known as the CIA triad in IT Security.
CLASSIFICATIONS
The requirements in the Policy Requirements chapter provide more detail about the requirements around IT
Assets and Systems, linked to the Assets Classification Schema below, which requires that each
network asset, equipment item, device, etc. be given an appropriate classification label. Note that the schema is
intended only as guidance; business knowledge is vital in accurately assessing the level of risk and the
classification.
Assets Classification Schema
Level 1 - Standard: The base level of security that applies to all IT assets and systems unless stated
otherwise. If no other classification is given, the "Standard" classification is assumed to apply.
Level 2 - Confidential: The label "Confidential" is applied to IT Assets/Systems whose
confidentiality, integrity and availability are critical to ongoing business operations and business reputation.
Level 3 - Restricted: The label "Restricted" is applied to IT Assets/Systems that process data
bound by a specific standard or legislation, for example:
- Personal information (information that identifies an individual), which is bound by the requirements of the
  Data Protection Act/Regulation,
- Payment card information, which is bound by the requirements of the
  Payment Card Industry Data Security Standard (PCI DSS).
DEVIATION FROM POLICY REQUIREMENTS
Any decision to deviate from the requirements set out in this Policy must be approved by the Company Senior
Management Team.
Compliance is mandatory for:
- IT Assets, Systems or Networks that process Payment Card Industry (PCI) related data (for example,
  credit card details),
- Data protection regulation such as the UK Data Protection Act and the EU Data Protection Directive / EU General
  Data Protection Regulation (GDPR),
- Other local law and legislation that may apply to Information Technology.
POLICY REQUIREMENTS
The primary objectives of the Network Security Policy (NSP) are to:
- Protect the integrity of the Company network,
- Mitigate the risks and losses associated with network security threats to computing resources,
- Secure network access for Company authorized users,
- Detect and prevent unauthorized access by both authorized and unauthorized people.
Depending on the Assets Classification category applicable from the previous chapter, the requirements set out
below describe the security conditions with which the Company must comply, organized into the following sections:
- Network Architecture,
- Network device logging and monitoring,
- Firewalls,
- Internet facing applications,
- Remote connections,
- Wireless network.
Each section lists its Standard, Confidential and Restricted requirements; each level includes the requirements of
the level below it, and the related policies are given as references.
NETWORK ARCHITECTURE
Reference: IT Policy, Logging and Monitoring Policy, IT Security Policy, Vulnerability Management Policy
Standard Requirements
- The network diagram and architecture must be documented and updated in a timely manner and whenever there
  is a significant change in the network architecture or topology.
- Network segmentation, using both physical and logical configuration, must be in place to separate the
  internal network into subnetworks and to segregate internal network systems and devices from
  external-facing services.
- Trust relationships (delegation) between systems must be enabled only where business requirements call for them.
- A formal change management process must be in place to manage and record all modifications or additions
  to the network architecture, with the respective approvals.
- Each change must be accompanied by a back-out plan (failback or rollback) to ensure that the network
  can be restored to the "Last Known-Good Configuration" if a failure occurs.
- Change implementation must be scheduled so that no unplanned impact occurs to business operations.
Confidential Requirements
As Standard, plus:
- The network architecture must include the determination of network traffic flows (at least at the
  logical level) between end users and the network resources where confidential data and information is
  stored/processed.
Restricted Requirements
As Confidential, plus:
- The network architecture must include the determination of network traffic flows (at both the physical and
  the logical level) between end users and the network resources where restricted data and information is
  stored/processed.
NETWORK DEVICE LOGGING AND MONITORING
Standard Requirements
- All externally accessible devices (for example, the firewall or Internet router at the network boundary) must be
  monitored and labelled as "Confidential" systems, with the following conditions:
  o Logging must be enabled,
  o Auditing must be configured to send an alert notification to the IT Systems Administrator about any network
    security incident,
  o Log files must be protected from unauthorized deletion or modification by both authorized and unauthorized
    people,
  o Predefined events must be monitored and alerted on automatically when they occur,
  o Identified events will be used for correlation and analysis to detect other unusual patterns.
- The logs of critical network devices such as the firewall must be reviewed regularly to determine whether
  security incidents or breaches have occurred.
- Security events must be tracked (in the Risk Register) and managed to ensure that the issues are resolved
  and mitigated as far as possible.
Confidential Requirements
As Standard, plus:
- Network systems and devices labelled "Confidential" must be protected from intrusion by implementing an
  Intrusion Detection/Prevention System (IDPS) at the network boundary.
- The IDPS must be configured to monitor and report on network activity for malicious actions or policy violations.
- It is recommended to implement a security incident simulation environment to test the Company's readiness in
  responding to security incidents.
Restricted Requirements
As Confidential, plus:
- The network device logging and monitoring procedure/process must be audited to validate the Company's
  readiness in responding to security incidents.
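The "predefined events" and "correlation" conditions above are easiest to see as code. The following is an added example and not the Company's own tooling: it parses firewall log lines in an assumed layout (timestamp, host, PERMIT/DENY, protocol, source, destination) and raises two predefined events, a permitted connection to the firewall's management port from outside an assumed trusted management subnet, and a port scan (one source touching five distinct destination ports within sixty seconds, whether permitted or denied). The management subnet, the firewall address, the thresholds and every sample log line are constructed for the example.

```python
"""Correlate boundary-firewall log lines against two predefined events from
the Logging and Monitoring requirements. This is an added example, not the
Company's own tooling: the log line layout, the thresholds, the management
subnet, the firewall address and every sample line below are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Assumed layout of a line written by the boundary firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>PERMIT|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

MGMT_NET = ip_network("10.10.0.0/24")   # assumed trusted management subnet
FW_MGMT = ("203.0.113.1", 22)           # assumed firewall address and SSH port
SCAN_PORTS = 5                          # distinct ports from one source ...
SCAN_WINDOW = timedelta(seconds=60)     # ... within this window = port scan


def parse(line: str) -> dict:
    """Turn one log line into a dict with a typed timestamp and ports."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def correlate(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (event_name, detail) alerts for the predefined events."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    alerts: List[Tuple[str, str]] = []

    # Event 1: the firewall's management port reached from outside MGMT_NET.
    # A PERMIT here means the rule set let it through, so it is a policy
    # violation even before any login attempt is seen.
    for e in events:
        if (e["action"] == "PERMIT" and (e["dst"], e["dport"]) == FW_MGMT
                and ip_address(e["src"]) not in MGMT_NET):
            alerts.append(("mgmt-access-untrusted",
                           f"{e['src']} -> {e['dst']}:{e['dport']}"))

    # Event 2: one source touching SCAN_PORTS distinct destination ports within
    # SCAN_WINDOW, permitted or denied: the classic port-scan pattern.
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        for i, end in enumerate(evs):
            ports = {x["dport"] for x in evs[:i + 1]
                     if end["ts"] - x["ts"] <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS:
                alerts.append(("port-scan",
                               f"{src} probed {len(ports)} ports within "
                               f"{SCAN_WINDOW.seconds}s"))
                break          # one alert per source is enough
    return alerts


# Constructed sample lines: a five-port scan from 198.51.100.7, a legitimate
# management session from inside MGMT_NET, and one from an Internet address.
SAMPLE_LINES = [
    "2019-09-10T08:00:01Z fw01 DENY TCP 198.51.100.7:51000 -> 203.0.113.10:21",
    "2019-09-10T08:00:02Z fw01 DENY TCP 198.51.100.7:51001 -> 203.0.113.10:22",
    "2019-09-10T08:00:03Z fw01 DENY TCP 198.51.100.7:51002 -> 203.0.113.10:23",
    "2019-09-10T08:00:05Z fw01 DENY TCP 198.51.100.7:51003 -> 203.0.113.10:25",
    "2019-09-10T08:00:09Z fw01 PERMIT TCP 198.51.100.7:51004 -> 203.0.113.10:80",
    "2019-09-10T08:01:00Z fw01 PERMIT TCP 10.10.0.5:40000 -> 203.0.113.1:22",
    "2019-09-10T08:02:00Z fw01 PERMIT TCP 192.0.2.4:40123 -> 203.0.113.10:443",
    "2019-09-10T08:03:30Z fw01 PERMIT TCP 198.51.100.9:40001 -> 203.0.113.1:22",
]


def demo() -> List[Tuple[str, str]]:
    """Run the correlation over the constructed sample."""
    return correlate(SAMPLE_LINES)


if __name__ == "__main__":
    for name, detail in demo():
        print(f"ALERT {name}: {detail}")
```

The scan detector counts denied and permitted hits alike, because a scanner that finds one open port still touched four closed ones; the management-access check fires on PERMIT only, since a denied attempt is the firewall doing its job and belongs in the regular log review rather than the alert queue.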
FIREWALL
Standard Requirements
- A firewall must be in place at the Company network boundary.
- All access to and from the Company trusted network must take place only through approved, secure network
  access points (both wired and wireless) that are managed by an approved firewall.
- The firewall must be configured to:
  o Permit connectivity only for required and authorized services/protocols/ports, following the "Need-to-Know"
    and "Need-to-Have" principle,
  o Permit connectivity only from identifiable devices/equipment,
  o Disable all non-required services/protocols/ports,
  o Include a "Deny-all" rule at the end of the rule set, which denies all network traffic from any source to
    any destination using any service, protocol and port,
  o Alert the System Administrator about gateway integrity violations,
  o Alert the System Administrator about network attacks,
  o Check and log the source IP addresses, protocols, services and ports used,
  o Check and log the destination IP addresses, protocols, services and ports used,
  o Record state information about the network communications passed through the firewall (for example,
    outgoing port commands, incoming traffic, downloaded bandwidth, etc.),
  o Log all activity on the firewall.
- Where possible, a banner must be configured to display a warning message about unauthorized access to the
  firewall.
- Referring to the "Network Architecture" section above, a formal change process must be in place to manage
  all critical changes that could impact the firewall configuration and operation.
- The firewall configuration must be reviewed regularly to ensure that adequate protection is provided.
- The firewall configuration must be backed up automatically so that, if the system crashes, the configuration
  can be restored and downtime minimized.
- The backed-up configuration must be stored in a safe location with access restricted to authorized people only.
- The firmware (the built-in hardware management application) and the attack-pattern signatures must be
  configured to be updated.
Confidential Requirements
As Standard, plus:
- The firewall must be configured to be managed from authorized, approved and trusted IP addresses only.
- All network traffic to and from untrusted networks must be controlled and managed by the
  Firewall/Intrusion Detection/Prevention System.
- Network packets typically used to execute a Denial-of-Service attack must be rejected/dropped by the
  firewall (for example, ICMP Echo, UDP and TCP Echo, Chargen packets, etc.).
- The configuration of all network equipment and devices must be protected from unauthorized access and
  disclosure.
Restricted Requirements
As Confidential, plus:
- Deny all incoming and outgoing network traffic where the source/destination addresses are known to be
  "spoofed" (for example, traffic arriving on the external interface with an internal or private source address).
- Specified source/destination IP addresses, protocols and ports must be blocked or restricted.
- Where possible, two-factor authentication must be enabled on the firewall to protect it from access by
  unauthorized individuals.
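The firewall conditions above (a deny-all rule last, no non-required services, logging on every rule, DoS vectors dropped, management from trusted addresses only, spoofed sources denied) can be checked mechanically during the regular configuration review. The following is an added example, not the Company's own tooling: it audits a rule set expressed in an assumed vendor-neutral Rule layout, with an assumed management subnet and firewall address, and runs over two constructed rule sets, a weak one that breaks most of the conditions and a hardened one that satisfies them.

```python
"""Audit a firewall rule set against the firewall conditions in this policy:
explicit deny-all last, no unscoped permits, logging on every rule, DoS
vectors (ICMP echo, TCP/UDP echo, chargen) dropped, anti-spoofing denies in
place before any permit, and management reachable only from the trusted
subnet. Added example, not the Company's own tooling: the Rule layout, the
management subnet, the firewall address and the two sample rule sets are
assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

DOS_PORTS = {7, 19}                              # TCP/UDP echo, chargen
MGMT_NET = ip_network("10.10.0.0/24")            # assumed management subnet
# Private and loopback ranges that can only be spoofed when seen as a source
# on the untrusted ("outside") interface.
SPOOFED_SOURCES = [ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # None = any destination port
    log: bool = False
    iface: str = "outside"       # interface the rule is evaluated on


def _net(cidr: str) -> IPv4Network:
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def audit(rules: List[Rule], fw_ip: str, mgmt_port: int = 22) -> List[str]:
    """Return policy findings for the rule set; an empty list means compliant."""
    findings: List[str] = []
    if not rules:
        return ["rule set is empty"]
    last = rules[-1]
    if not (last.action == "deny" and last.proto == "any" and last.src == "any"
            and last.dst == "any" and last.dport is None):
        findings.append("rule set does not end with an explicit deny-all")
    for i, r in enumerate(rules, 1):
        if not r.log:
            findings.append(f"rule {i}: logging disabled")
        if r.action != "permit":
            continue
        if r.proto == "any" and r.src == "any" and r.dport is None:
            findings.append(f"rule {i}: unrestricted permit (any source, any service)")
        if r.proto == "icmp" and r.iface == "outside":
            findings.append(f"rule {i}: ICMP permitted from the untrusted interface")
        if r.dport in DOS_PORTS:
            findings.append(f"rule {i}: echo/chargen port {r.dport} permitted")
        if (r.dport == mgmt_port and ip_address(fw_ip) in _net(r.dst)
                and not _net(r.src).subnet_of(MGMT_NET)):
            findings.append(f"rule {i}: management port reachable from {r.src}")
    # Anti-spoofing: every spoofable range needs a deny on the outside
    # interface that comes before any permit whose source could match it.
    for spoof in SPOOFED_SOURCES:
        deny_at = next((i for i, r in enumerate(rules) if r.action == "deny"
                        and r.iface == "outside" and spoof.subnet_of(_net(r.src))), None)
        permit_at = next((i for i, r in enumerate(rules) if r.action == "permit"
                          and r.iface == "outside" and _net(r.src).overlaps(spoof)), None)
        if permit_at is not None and (deny_at is None or deny_at > permit_at):
            findings.append(f"spoofed source range {spoof} not denied before rule {permit_at + 1}")
    return findings


FW_IP = "203.0.113.1"   # assumed external address of the boundary firewall

# Constructed "before" rule set with the mistakes the policy rules out.
WEAK_RULES = [
    Rule("permit", "tcp", "any", "203.0.113.1/32", 22),            # SSH from anywhere, unlogged
    Rule("permit", "icmp", "any", "any"),                          # ping from the Internet
    Rule("permit", "tcp", "any", "203.0.113.10/32", 443, log=True),
    Rule("permit", "any", "any", "any", log=True),                 # catch-all permit
]

# Constructed hardened rule set: anti-spoof denies first, management only from
# MGMT_NET on the inside interface, one scoped service, explicit deny-all last.
HARDENED_RULES = [
    Rule("deny", "any", "10.0.0.0/8", "any", log=True),
    Rule("deny", "any", "172.16.0.0/12", "any", log=True),
    Rule("deny", "any", "192.168.0.0/16", "any", log=True),
    Rule("deny", "any", "127.0.0.0/8", "any", log=True),
    Rule("permit", "tcp", "10.10.0.0/24", "203.0.113.1/32", 22, log=True, iface="inside"),
    Rule("permit", "tcp", "any", "203.0.113.10/32", 443, log=True),
    Rule("deny", "any", "any", "any", log=True),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {audit(rules, FW_IP) or ['compliant']}")
```

The ordering check matters more than it looks: a deny for private source ranges placed after a broad permit never fires, so the audit treats a spoof deny as effective only when it precedes every permit whose source could match the range. Management access in the hardened set is bound to the inside interface as well as to the subnet, so a forged packet on the outside interface with a 10.10.0.x source is caught by the anti-spoof rule before the management permit is ever consulted.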
INTERNET FACING APPLICATION
Standard Requirements
- Internet facing application systems (if applicable) must be protected by multiple layers of security,
  including but not limited to:
  o Access control,
  o Network segmentation to limit access through the network,
  o Anti-virus/anti-malware,
  o Patch management and system hardening,
  o Logging and monitoring,
  o Transport-layer encryption (TLS/SSL) on the Internet facing application server,
  o Secure configuration of network devices such as firewalls, switches, routers, etc.
- Security testing must be performed at least annually.
Confidential Requirements
As Standard, plus:
- Where the Internet facing application server involves other third parties, an "Assurance Agreement" must be in
  place between the Company and the third parties to ensure the Confidentiality, Integrity and Availability of
  the Internet facing application server.
Restricted Requirements
As Confidential, plus:
- Digital signatures must be applied to authenticate the source of access to the application where e-commerce
  transactions are processed (for example, online payment, social or tax online transactions, etc.).
- Access to internal Company Internet facing application systems must be performed via a secure mechanism
  (for example, through the firewall) and/or a method of serving the application content without direct access
  to the Company internal network (for example, running the application over a VPN connection).
REMOTE CONNECTIONS
Standard Requirements
- Remote connection to the Company network must be restricted to authorized persons only.
- Non-approved cloud based solutions (for example, Dropbox, OneDrive, Google Drive) are prohibited for storing
  Company data and information.
- The connection used for remote access must:
  o Be protected, for example, using TLS/SSL encryption,
  o Where possible, be authenticated by a two-factor authentication method (for example, a VPN login that
    requires a hardware or software token in addition to the user name and password).
- Remote connections must be tested and verified for security as part of the security management and risk
  management process.
Confidential Requirements
As Standard, plus:
- Where remote connection by third parties (both internal and external to the Company) is required, an Access
  Agreement must be in place to determine the roles and responsibilities of the third parties during the remote
  connection session.
- All activity during a remote connection session to a confidential system must be logged at both the network
  and the application level.
Restricted Requirements
As Confidential, plus:
- Remote connection to restricted systems is strictly limited to explicitly authorized and approved persons only.
- All activity during a remote connection session to a restricted system must be logged at the network,
  application and server level.
WIRELESS NETWORK
Standard Requirements
- Wireless networks for guest use (for example, Company users using non-Company equipment, or non-Company
  users using non-Company equipment) must be segmented physically/logically and must not be connected to the
  internal Company network.
- A pass-phrase must be required to access the wireless network, and the pass-phrase must follow the standard set
  out in the IT Policy, Security chapter.
- Wireless connection to the internal Company network is prohibited.
- Bluetooth connections must only be used on non-sensitive devices that contain non-confidential/non-restricted
  data and information.
Confidential Requirements
As Standard, plus:
- Wireless network access will not be provided to connect to Confidential systems.
Restricted Requirements
As Confidential, plus:
- Wireless network access will not be provided to connect to Restricted systems.
APPENDIX 1: ADDITIONAL IT POLICIES SET
Policy Name: Description
IT Policy: Sets the requirements for all IT activities within Company entities, by all Company employees.
Access Control: Sets the requirements for creating and maintaining user access to IT Assets and Systems.
Logging and Monitoring: Sets the requirements for which activities must be logged and monitored on which IT Assets,
Systems and Networks.
Vulnerability Management: Sets the requirements for performing security vulnerability scanning and patching on
applications, operating systems and other critical devices.
Data Leakage Prevention: Sets the requirements for data transfer over flash storage, electronic mail messages and
file transfer services in respect of sensitive data movements.
Third Party Outsourcing: Sets the requirements for the engagement and continuous monitoring of third parties who
provide IT services that impact critical business data and information.
Malware Protection: Sets the requirements for protection against malware, computer viruses and malicious code on
the Company network and devices.
Network Security: Sets the requirements for intrusion detection/prevention and monitoring on the Company network.
Also defines how the Company maintains and manages the firewall and secure network infrastructure.
Application Security: Sets the requirements for securing Company applications.
Website Control: Sets the requirements for securing the creation and monitoring of the Company web presence.
APPENDIX 2: ASSETS/SYSTEMS CLASSIFICATION EXAMPLE
Level 1 - Standard
Examples: Generic information.
Level 2 - Confidential
Examples:
- Financial Statements (pre-release),
- Product Details, Product Structure,
- Price List, Contracts,
- Board of Directors papers,
- Mergers and Acquisitions documents,
- Audit documents,
- IT documents, IT systems configuration,
- Production system.
Typical Risks:
- Business disruption: loss of delivery capability, loss of payment processing or revenue collection,
- Reputational damage,
- Loss of commercial advantage,
- Customer dissatisfaction.
Level 3 - Restricted
Examples:
- Payment card processing documents,
- HR, salary and pension records,
- Customer records which identify individuals through identifiers such as name, home address, date of birth, etc.
Typical Risks:
- Fines and public censure,
- Reputational damage.
APPENDIX 3: ASSETS/SYSTEM INVENTORY EXAMPLE
Columns: Asset | Business Area | Description | Key fields | Classification | Location | Owner | Custodian | Likelihood x Impact point
File Server | All | Primary storage device for all Company documents | All | Confidential | Server room - HCMC Office | IT Manager | IT | 16 points (Critical Area)
Firewall | All | Primary security firewall at the network boundary, protecting the local network and devices from attack | Security | Confidential | Server room - HCMC Office | IT Manager | IT | 16 points (Critical Area)
Marketing Data | Marketing | All data related to Marketing | All | Confidential | File Server | Marketing | Marketing Manager | 9 points (High Area)
Price List | Sales | Pricing plan | Customer details | Confidential | File Server, Sales Computer | Sales Manager | Sales Manager | 9 points (High Area)
Employee and HR Data | HR | Explanation | | Restricted (Data Protection Act) | File Server, HR Computer | HR Manager | HR Manager | 12 points (Critical Area)
Financial Statement | Finance | Pre-release | All | Confidential | File Server, Finance Computer | Finance | Finance | 16 points (Critical Area)
APPENDIX 4: IMPACT AND LIKELIHOOD ANALYSIS MATRIX