Overview and Purpose

The [variable: Covered Organization] network infrastructure is a central utility for all users of the company's Information Resources. To help protect the connections of people, systems, and data on which so much of our business relies, this Network Configuration Security Policy establishes rules for the maintenance, expansion and use of the network infrastructure. These rules are intended to preserve the integrity, availability, and confidentiality of critical business information.

Coverage

All individuals with access to [variable: Covered Organization] Information Resources.

Definitions

General Terminology * Information Resources

Roles and Functions

• Information Resources Manager (IRM)
• Information Security Officer (ISO)
• Information Services Department

Policy

• [variable: Covered Organization] IT owns and is responsible for the network infrastructure, including developments and enhancements to this infrastructure
• To provide a consistent network infrastructure capable of exploiting new networking developments, all cabling must be installed by [variable: Covered Organization] IT staff or approved contractor(s).
• All network connected equipment must be configured to a specification approved by [variable: Covered Organization] IT management.
• All hardware connected to the [variable: Covered Organization] network is subject to IT management and monitoring standards.
• Changes to the configuration of active network management devices must not be made without the approval of [variable: Covered Organization] IT management.
• The [variable: Covered Organization] network infrastructure supports a well-defined set of approved networking protocols. Any use of non-sanctioned protocols must be approved by [variable: Covered Organization] IT management.
• The networking addresses for the supported protocols are allocated, registered and managed centrally by the [variable: Covered Organization] IT department.
• All connections of the network infrastructure to external third party networks are the responsibility of [variable: Covered Organization] IT. This includes connections to external telephone networks.
• Network firewalls must be installed and configured following the [variable: Covered Organization] IT-approved standards.
• The use of departmental firewalls is not permitted without written authorization from [variable: Covered Organization] IT management.
• Users must not extend or re-transmit [variable: Covered Organization] network services with routers, switches, hubs, or wireless access points, etc., without prior approval from IT management.
• Users must not install network hardware or software that provides network services without prior approval from IT management.
• Users may not alter network hardware in any way.

Enforcement

Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [variable: covered Organization] Information Resources access privileges, civil, and criminal prosecution.

Supporting Documentation

This policy is supported by the following rules, standards, and procedures:

• [variable: internal documents (with links, if available)]
• [variable: external documents (with links, if available)]

Policy Support Contact

• [variable: title (not personal name) of role responsible for overseeing this procedure]
• [variable: Contact information of office responsible for overseeing this procedure]

References

Policy Source Document(s)

• Federal Agency Security Practices, US Government, National Institute of Standards and Technology (NIST)