Developing a network security policy (and its companion network security policies) begins with establishing guidelines for creating, reviewing, revising, and retaining your information security policies and procedures.
Since information is accessed and stored on your network, information security policy and network security policy are companion terms that frequently appear in Google search results and data protection white papers.
The following nine guidelines for developing a network security policy will help you improve current policies and set priorities if you’re just getting started.
One – Develop a Network Security Policy Based on Your Regulatory Requirements
Your network security policy may follow one or several compliance frameworks since regulatory requirements are broadly applicable, industry-specific, and vary by geography.
For instance, an independent money management boutique with a single location in Austin, Texas, may follow Gramm-Leach-Bliley Act (GLBA) requirements to develop a security policy.
Conversely, a public medical device manufacturer in California that markets healthcare solutions globally may create a security policy that incorporates a combination of requirements:
- Sarbanes-Oxley Act (SOX)
- Health Insurance Portability and Accountability Act (HIPAA/HITECH)
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
Each requirement provides a proven sheet of music and documented best practices.
Learn More: The Ultimate Guide to Regulatory Requirements
Two – Include Administrative, Physical, and Technical Security Safeguards in Each Security Policy
People, processes, and technology are integral to your security. Companies with in-house IT departments may have a Chief Technical Officer, a Network Services Manager, and a Cloud Specialist.
Companies that outsource IT support have more extensive technical resources at their managed service provider or MSP.
In-house IT and your MSP can collaborate to develop administrative, physical, and technical security safeguards:
- Require companywide participation in ongoing Cyber Security Awareness Training. (Administrative)
- Prohibit unauthorized access to your office. (Physical)
- Implement Password Management and Multi-Factor Authentication (MFA) to protect corporate file shares and cloud applications. (Technical)
Three – Engage Company Leadership to Improve Network Security Policy Buy-In
Don’t relegate approval of your network security policy or policies to the IT department. Since “IT” covers a wide range of complex technical domains that may be difficult for owners and the C-Suite to grasp, in-house IT and MSPs need to master the art of the executive summary.
The terminology for IT reports varies, but some of the following documents are foundational pieces of a network security policy:
- Strategic IT Roadmaps
- Network Diagrams
- IT Project Plans
- Employee Directories
- Warranty & Maintenance/Renewal Masters
- Vendor Directories
- Critical Asset Lists
A Strategic IT Roadmap usually includes every other category mentioned above. Your IT department or MSP will organize this document with high-level recommendations, supporting exhibits, and implementation priorities based on strategy, risk, budget, and business impact.
I’ve been in the MSP business since 2003, and the best Strategic IT Roadmaps make it easy for everyone to buy into the vision.
Learn More: Strategic IT Roadmap
Four – Invite the Appropriate Management Personnel Across Individual Business Units into the Network Security Policy Conversation
Your network security policy affects every department in your organization. Do you have a technology steering committee that represents the interests of each business unit in your enterprise?
Each department has operating nuances to balance with its risk tolerance. For instance, the finance department has a shortlist of approved users who can only access share files and financial data during business hours.
The marketing department is another story. The creative team can work on projects 24/7 from any location, and your sales team can access every file that contains marketing collateral, email templates, and presentations.
The three individuals in your finance department are willing to navigate multiple steps to access your network, while the sales and marketing team will demand looser authentication requirements.
Learn More: Network Security
Five – Review Network Security Policies Periodically
Network endpoints are in the cloud, on servers, mobile devices, and anywhere technology connects with the internet. The potential to introduce changes is high.
It’s easy for your team members to subscribe to new Software as a Service (SaaS) applications and neglect security protocols. Even signing up for a single-user trial subscription can undermine safety protocols.
Last year it was okay to use a personal Dropbox account. This year the practice is verboten.
Is your policy current and complete? We recommend annual reviews to stay ahead of environmental and operational changes that affect your security assets.
Learn More: Cybersecurity Effectiveness Checklist
Six – Give all Members of Your Implementation Team Access to the Network Security Policy
Everyone implementing your network security policy should be reading from the same sheet of music.
Context is critical for your project team. Like commercial builders and subcontractors following a construction blueprint with input from architects, electricians, and engineers, your IT staff or MSP needs granular details.
Avoid information silos, and you’ll keep everyone on track.
Seven – Present an Employee-Facing Network Security Policy to Every New Hire During Onboarding
A network security policy is usually a book with many sections, including a chapter called “Acceptable Use Policy” or AUP.
AUPs contain rules governing the way employees use technology in the workplace. Typical requirements cover:
- All employees must utilize Last Pass for password management
- Your manager must approve social media access
- Data storage in public cloud services is forbidden
- Please don’t use personal email accounts for company business
- New employees must take Cyber Security Awareness Training
Learn More: Acceptable Use Policy
Eight – Set Periodic Network Security Policy Reminders and Revisions for all Members of Your Workforce
In the spirit of section five, make sure regular changes to your network security policy are communicated in real-time, if possible.
If your management team sets new parameters for approving third-party software vendors, department heads need that memo immediately.
According to Anchore CEO Saïd Ziouani, “Sixty-four percent of companies reported impact from experiencing a software supply chain attack in the last 12 months, while only 46% indicate they have a significant focus on securing the software supply chain.”
Since getting everyone to pay attention is challenging, reminders and revisions should be frequent using multiple platforms. A combination of face-to-face, video calls, email, text, and IM may be required to break through the clutter.
Learn More: Third-Party Cyber Risk Management
Nine – Set a Firm Retention Date for Your Network Security Policy
Agree on a firm timeline to retain your network security policy. Timelines will vary depending on the industry, growth trajectory, number of office locations, M&A, new regulations, and more.
A ball-bearing manufacturing company with a simple IT footprint in a 20,000 square foot warehouse may retain its policy for three years, while a rapidly growing social media company (acquiring competitors every quarter) may opt for a shorter retention period.
You may have to reset your retention timeline. Why? Your policies may fail annual compliance and regulatory audits. It’s a best practice to review policies at least once a year and update them with the most recent time period. If it’s 2022, network security policies from 2019 are insufficient.
Are You Ready to Revise or Create a Network Security Policy?
Now that we’ve given you the raw materials to develop a network security policy or improve the one you already have, it’s time for an assessment.
Algosec has an excellent checklist of recommended network security policy essentials:
- Information security objective
- Authority and access control policy
- Data classification
- Data support and operations
- Security awareness and behavior
- Responsibility, rights, and duties
Do you have all of these details neatly documented and stored in a safe place? See any areas that need improvement?
If your network security policy has gaps, there’s no time like the present to close them. Book a Strategy Session Today.