Network Security Policy


Document type: Policy (Standard / Policy / Procedure / Code of Practice / Work Instruction)
Title: NETWORK SECURITY POLICY
Review date: September 2019 | Version: 1.0 | 13 pages | Issued by: | Approved by:

NETWORK SECURITY POLICY
(For circulation of internal use only)

The hardcopy of this document is marked as UNCONTROLLED version. The CONTROLLED version is stored on the Company primary storage system in a hierarchy folder with appropriate permission to access.

DOCUMENT INFORMATION

- Document Name: Network Security Policy
- Document Reference No: 190910 FRS_IT – NSP.1.0
- Document Version No: 1.0
- Document Effective Date:
- Document Owner:

DOCUMENT CONTROL

Name | Role | Position | Date
Nguyen The Hung | Author | IT Manager |

REVISION HISTORY

Document Name: | Document Type: Policy | Review Date: | Next Review Date:

Version | Reviewer | Details of Change | Date

INTRODUCTION

This Policy details the overall framework of network security requirements that must be followed by all Company employees and entities in order to protect the Company network from unauthorized access. Network Security consists of the provision of controls to detect, monitor and prevent unauthorized access, misuse, modification or denial of service of the Company computer network and other networked resources. The Network Security Policy (NSP) will assist in preventing the loss of or damage to IT assets due to network security incidents and reduce the risks associated with unauthorized access to Company IT Assets and Systems.

Supported by a suite of other IT Policy documents, the Network Security Policy covers a wide range of information security aspects which must be read and complied with by Company employees, as listed in the Appendix.

PURPOSE

This Policy is created and maintained for the purpose of controlling network security performance (such as firewalls and intrusion detection/prevention systems) to detect and/or prevent intrusion attacks, unauthorized access or other inappropriate activities on the Company network system and network-connected resources, thereby helping to ensure the Confidentiality, Integrity and Availability of the IT Assets and Systems held by the Company.

ROLES AND RESPONSIBILITIES

The NSP applies to the Company network system, network devices, network-connected resources, and the procedures/processes used to operate, manage, control and monitor them.

It is the responsibility of the IT Manager to maintain the policy and provide guidance to the business on its implementation.

Company employees must obtain insight into any local standards and legislation (particularly when dealing with personal data) and, where applicable, develop additional policies alongside the other relevant policies to ensure overall compliance. Please contact the IT Manager for any instance where local legislation or regulation would contradict a requirement stated in the Company IT policies.

SCOPE

This Policy applies to:

- All network-connected systems, devices and IT assets in the Company,
- All business data and information managed, processed or stored by the Company or its service providers, regardless of whether it is processed electronically or in paper (hard copy) form,
- All providers of Information Technology services to the Company,
- All users of Information Technology Assets, Systems and Networks in the Company,
- Authorized third parties connecting to Company Networks.

Note: Network devices are subject to the full set of Information Security policies; for example, network devices should be configured in line with the secure configuration section of the Vulnerability Management policy and with the access control section of the Access Control policy.

REVIEW

The NSP will be reviewed as part of the overall management review of the effectiveness of the Company security programme during its implementation and lifecycle. The NSP must also be reviewed in response to a security/network security incident and/or changes to the organizational or technical infrastructure.

ASSOCIATED RISK DEFINITION

All components of the IT Assets, Systems and Network have a value to the Company. However, some of them are more sensitive to risk because of their content or their importance to ongoing business operations. This sensitivity or risk is driven by the need to maintain the Confidentiality, Integrity and Availability of IT Assets, Systems and Networks, as defined in the table below:

- Confidentiality: preventing the disclosure of information, whether by authorized or unauthorized parties, to unauthorized individuals or other IT Systems/Networks.
- Integrity: in Information Security, Integrity means maintaining and assuring the accuracy, completeness, consistency and timeliness of IT Assets, Systems and Networks over their entire lifecycle and preventing unauthorized modification.
- Availability: for any IT Asset or System to serve its purpose, it must be available when needed. Ensuring Availability also involves preventing other security-relevant events such as Denial-of-Service (DoS) attacks, or malware/malicious code, which may disrupt normal operations.

These are collectively known as CIA in IT Security.

CLASSIFICATIONS

The requirements in the Policy Requirements chapter provide more detail about the requirements around IT Assets and Systems, and are linked to the Assets Classification Schema (see table below), which requires that each network asset, piece of equipment, device, etc. be given an appropriate classification label. Please note that this is intended only as guidance; business knowledge is vital in accurately depicting the level of risk and the classification.

Assets Classification Schema (Level | Classification Label | Definition):

- Standard: The base level of security that applies to all IT assets and systems unless stated otherwise. If no other classification is given, it is assumed that the "Standard" classification applies.
- Confidential: The label "Confidential" is applied to IT Assets/Systems whose confidentiality, integrity and availability are critical to ongoing business operations and business reputation.
- Restricted: The label "Restricted" is applied to IT Assets/Systems that process data bound by a specific standard or legislation, for example:
  - Personal information (information that identifies an individual), which is bound by the requirements of the Data Protection Act/Regulation,
  - Payment Card information, which is bound by the requirements of the Payment Card Industry Data Security Standard (PCI DSS).

DEVIATION FROM POLICY REQUIREMENTS

Any decision to deviate from the requirements set out in this Policy must be approved by the Company Senior Management Team. Compliance is mandatory for:

- IT Assets, Systems or Networks that process Payment Card Industry (PCI) related data (for example, credit card details),
- Data protection regulation such as the UK Data Protection Act and the EU Data Protection Directive/EU General Data Protection Regulation,
- Other local law and legislation that may apply to Information Technology.

POLICY REQUIREMENTS

The primary objectives of the Network Security Policy (NSP) are to:

- Protect the integrity of the Company network,
- Mitigate the risks and losses associated with network security threats to computing resources,
- Secure network access for Company authorized users,
- Detect and prevent unauthorized access by both authorized and unauthorized people.

Depending on the Assets Classification category applicable from the previous chapter, the requirements set out below describe the security conditions the Company must comply with, in the following sections:

- Network Architecture,
- Network device logging and monitoring,
- Firewalls,
- Internet facing applications,
- Remote connections,
- Wireless network.

Each control area below lists its Standard, Confidential and Restricted requirements and the reference policies.

CONTROL AREA: NETWORK ARCHITECTURE

Standard Requirements:
- The network diagram and architecture must be documented and updated in a timely manner, including after any significant change in network architecture and topology.
- Network segmentation, using both physical and logical configuration, must be in place to separate the internal network into subnetworks and to segregate internal network systems and devices from external-facing services.
- "Trust relationships" (or delegation) between systems must be enabled only according to business requirements.
- A formal change management process must be in place to manage and record all modifications or additions to the network architecture, with the respective approvals.
- Each change must be combined with a back-out plan (failback or rollback) to ensure that the network system can be restored to the "Last Known-Good Configuration" if a failure occurs.
- Change implementation must be scheduled so that no unplanned impact on business operations occurs.

Confidential Requirements: As Standard, plus:
- The network architecture must include the determination of network traffic flows (at least at the logical level) between end users and the network resources where confidential data and information is stored/processed.

Restricted Requirements: As Confidential, plus:
- The network architecture must include the determination of network traffic flows (at both physical and logical level) between end users and the network resources where restricted data and information is stored/processed.

Reference: IT Policy; Logging and Monitoring Policy; IT Security Policy; Vulnerability Management Policy.

CONTROL AREA: NETWORK DEVICE LOGGING AND MONITORING

Standard Requirements:
- All externally accessible devices (for example, the firewall or Internet router at network boundaries) must be monitored and labelled as "Confidential" systems, with the following conditions:
  o Logging must be enabled,
  o Auditing must be configured to send an alert notification to the IT Systems Administrator about a network security incident,
  o Log files must be protected from unauthorized deletion or modification by both authorized and unauthorized people,
  o Predefined events must be monitored and alerted on automatically as soon as such an event occurs,
  o Identified events will be used for correlation and analysis to detect other unusual patterns.
- The logs of critical network devices such as the firewall must be reviewed regularly to determine whether security incidents and breaches have occurred.
- Security events must be tracked (in the Risk Register record) and managed accordingly to ensure that the issues are resolved and mitigated as far as possible.

Confidential Requirements: As Standard, plus:
- Network systems and devices labelled as "Confidential" must be protected from intrusion attacks by implementing an Intrusion Detection/Prevention System (IDPS) at network boundaries.
- The IDPS must be configured to monitor and report on network activities for malicious actions or policy violations.
- It is recommended to implement a security incident simulation environment to test the Company's readiness in responding to security incident(s).

Restricted Requirements: As Confidential, plus:
- The network device logging and monitoring procedure/process must be audited to validate the Company's readiness in responding to security incident(s).

CONTROL AREA: FIREWALL

Standard Requirements:
- A Firewall must be set up at the Company network boundaries.
- All access to and from the Company trusted network must only take place through approved, secure network access points (both wired and wireless) that are managed by an approved firewall.
- The firewall must be configured to:
  o Permit connectivity only for required and authorized services/protocols/ports, following the "Need-to-Know" and "Need-to-Have" principle,
  o Permit connectivity only from identifiable devices/equipment,
  o Disable all non-required services/protocols/ports,
  o Include a "Deny-all" at the end of the rule set, i.e. a rule that denies all network traffic from any source to any destination using any service, protocol and port,
  o Alert the System Administrator about gateway integrity violations,
  o Alert the System Administrator about network attacks,
  o Check and log the source IP addresses, protocols/services used and ports,
  o Check and log the destination IP addresses, protocols/services used and ports,
  o Record state information about the network communications passing through the firewall (for example, outgoing port command, incoming traffic, downloaded bandwidth, etc.),
  o Log all activity on the Firewall.
- Where possible, a banner must be configured to display a warning message about unauthorized access to the firewall.
- Referring to the section "Network Architecture" above, a formal change process must be in place to adapt to and manage all critical changes that could impact Firewall configuration and operation.
- The Firewall configuration must be reviewed regularly to ensure that adequate protection is provided.
- The Firewall configuration must be backed up automatically so that, if the system crashes, the configuration can be restored and system downtime minimized.
- The backed-up configuration must be stored in a safe location with access restricted to authorized people only.
- The firmware (built-in hardware management application) and attack patterns must be configured to be updated.

Confidential Requirements: As Standard, plus:
- The Firewall must be configured to be managed from authorized, approved and trusted IP addresses only.
- All network traffic from and to untrusted networks must be controlled and managed by the Firewall/Intrusion Detection/Prevention System.
- All network packets typically used to execute a "Denial-of-Service" must be rejected/dropped by the Firewall (for example, ICMP Echo, UDP and TCP Echo, Chargen packets, etc.).
- The configuration of all network equipment and devices must be protected from unauthorized access and disclosure.

Restricted Requirements: As Confidential, plus:
- Deny all incoming and outgoing network traffic where the source/destination addresses are known to be "spoofed".
- Specified source/destination IP addresses/protocols/ports must be blocked or restricted.
- Where possible, two-factor authentication must be enabled/applied on the Firewall to protect it from access by unauthorized individuals.

CONTROL AREA: INTERNET FACING APPLICATION

Standard Requirements:
- Internet facing application systems (if applicable) must be protected by multiple layers of security, including but not limited to:
  o Access control,
  o Network segmentation to limit access through the network,
  o Anti-virus/malware,
  o Patch management and system hardening,
  o Logging and monitoring,
  o Implementing Secure Socket Layer (SSL) on the Internet facing application server,
  o Secure configuration of network devices such as Firewalls, Switches, Routers, etc.
- Security testing must be performed at least annually.

Confidential Requirements: As Standard, plus:
- Where the Internet facing application server involves other Third parties, an "Assurance Agreement" must be in place between the Company and the Third parties to ensure the Confidentiality, Integrity and Availability of the Internet facing application server.

Restricted Requirements: As Confidential, plus:
- Digital signatures must be applied to authenticate the source of access to the application where e-commerce transactions are processed (for example, online payment, social or tax online transactions, etc.).
- Access to internal Company Internet facing application systems must be performed via a secure mechanism (for example, through the Firewall) and/or a method of serving the application contents without direct access to the Company internal network system (for example, running the application over a VPN connection).

CONTROL AREA: REMOTE CONNECTIONS

Standard Requirements:
- Remote connection to the Company network must be restricted to authorized persons only.
- Non-approved cloud based solutions (for example, Dropbox, OneDrive, Google Drive) are prohibited for storing Company data and information.
- The connection used for remote access must:
  o Be protected, for example using Secure Socket Layer (SSL) encryption,
  o Where possible, be authenticated by a two-factor authentication method (for example, VPN + token, or VPN + user name and password).
- Remote connections must be tested and verified for security as part of the security management and risk management process.

Confidential Requirements: As Standard, plus:
- Where remote connection by Third parties (both internal and external to the Company) is required, an Access Agreement must be in place to determine the roles and responsibilities of the Third parties during the remote connection session.
- All activities during a remote connection session to a confidential system must be logged at both network and application level.

Restricted Requirements: As Confidential, plus:
- Remote connection to restricted systems is strictly limited to explicitly authorized and approved persons only.
- All activities during a remote connection session to a restricted system must be logged at network, application and server level.

CONTROL AREA: WIRELESS NETWORK

Standard Requirements:
- Wireless networks for Guest usage (for example, Company users using non-Company equipment, or non-Company users using non-Company equipment) must be segmented physically/logically and must not be connected to the internal Company network.
- A pass-phrase must be set to access the Wireless network, and the pass-phrase must follow the standard set out in the IT Policy, Chapter Security.
- Wireless connection to the internal Company network is prohibited.
- Bluetooth connections must only be used on non-sensitive devices which contain non-confidential/restricted data and information.

Confidential Requirements: As Standard, plus:
- Wireless network will not be provided to connect to Confidential systems.

Restricted Requirements: As Confidential, plus:
- Wireless network will not be provided to connect to Restricted systems.

APPENDIX 1: ADDITIONAL IT POLICIES SET

Policy Name | Description

- IT Policy: Sets the requirements for all IT activities within Company entities, by all Company employees.
- Access Control: Sets the requirements for creating and maintaining user access to IT Assets and Systems.
- Logging and Monitoring: Sets the requirements for what activities must be logged and monitored on which IT Assets, Systems and Networks.
- Vulnerability Management: Sets the requirements for performing security vulnerability scanning and patching on Applications, Operating Systems and other critical devices.
- Data Leakage Prevention: Sets the requirements for data transfer over flash storage, electronic mail messages and file transfer services in respect of sensitive data movements.
- Third Party Outsourcing: Sets the requirements for the engagement and continuous monitoring of third parties who provide IT Services which impact critical business data and information.
- Malware Protection: Sets the requirements for protection against malware, computer viruses and malicious code on the Company network and devices.
- Network Security: Sets the requirements for intrusion detection/prevention and monitoring on the Company network. Also defines how the firewall and secure network infrastructure are maintained and managed.
- Application Security: Sets the requirements for how Company applications are secured.
- Website Control: Sets the requirements for securing the creation and monitoring of the Company web presence.

APPENDIX 2: ASSETS/SYSTEMS CLASSIFICATION EXAMPLE

Level | Classification Label | Examples | Typical Risks

- Standard
  Examples: Generic information.
- Confidential
  Examples: Financial Statements (pre-release); Product Details; Product Structure; Price List; Contracts; Board of Directors papers; Mergers and Acquisitions Documents; Audit Documents; IT Documents; IT Systems Configuration; Production System.
  Typical Risks: Business disruption (loss of delivering capability, loss of payment processing or revenue collection); Reputational damage; Loss of commercial advantage; Customer dissatisfaction.
- Restricted
  Examples: Payment Card Processing documents; HR, Salary and Pension Records; Customer Records which identify individuals through identifiers such as name, home address, date of birth, etc.
  Typical Risks: Fines and public censure; Reputational damage.

APPENDIX 3: ASSETS/SYSTEM INVENTORY EXAMPLE

Asset | Business Area | Description | Key fields | Classification | Location | Owner | Custodian | Likelihood x Impact point

- File Server | All | Primary storage device for all Company documents | All | Confidential | Server room - HCMC Office | IT Manager | IT | 16 points (Critical Area)
- Firewall | All | Primary security firewall at the network boundary to protect the local network and devices from attacks | Security | Confidential | Server room - HCMC Office | IT Manager | IT | 16 points (Critical Area)
- Marketing Data | Marketing | All data related to Marketing | All | Confidential | File Server | Marketing | Marketing Manager | points (High Area)
- Price List | Sales | Pricing plan | Customer details | Confidential | File Server, Sales Computer | Sales Manager | Sales Manager | points (High Area)
- Employee and HR Data | HR | | | Restricted (Data Protection Act) | File Server, HR Computer | HR Manager | HR Manager | 12 points (Critical Area)
- Financial Statement | Finance | All pre-release | | Confidential | File Server, Finance Computer | Finance | Finance | 16 points (Critical Area)

Explanation

APPENDIX 4: IMPACT AND LIKELIHOOD ANALYSIS MATRIX
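The Firewall control area above states its requirements as configuration conditions (a trailing deny-all rule, logging on every rule, dropping ICMP Echo / Echo / Chargen packets, denying spoofed internal sources, and management access from approved addresses only). The following added example, written for this page and not part of the Company's policy or tooling, checks a firewall rule set against those conditions by first-match evaluation. The rule representation, the two sample rule sets, the TEST-NET probe address, the firewall address 192.168.1.1 and the internal host 192.168.1.10 are all constructed assumptions; a real deployment would feed it rules exported from the device instead.

```python
"""Added example: checking a firewall rule set against the NSP firewall requirements.

Illustrative code for this page, not the Company's tooling. The rule format, the
sample rule sets and the probe addresses are constructed; the firewall address and
the internal host used as probe targets are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str       # "permit" or "deny"
    direction: str    # "in" (arriving from the untrusted side), "out", or "any"
    src: str          # CIDR or "any"
    dst: str          # CIDR or "any"
    proto: str        # "tcp", "udp", "icmp" or "any"
    port: str         # destination port, ICMP type name, or "any"
    log: bool = False


# Assumed values for the checks (constructed for this example, not taken from the policy).
INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # RFC 1918 ranges
FW_ADDR = "192.168.1.1"          # the firewall's own (management) address
EXTERNAL_PROBE = "203.0.113.5"   # TEST-NET-3 address standing in for "the Internet"
INTERNAL_HOST = "192.168.1.10"   # a host behind the firewall
# Packet classes the policy names as typical DoS vehicles: ICMP Echo, Echo (7), Chargen (19).
DOS_CLASSES = [("icmp", "echo-request"), ("tcp", "7"), ("udp", "7"), ("tcp", "19"), ("udp", "19")]
MGMT_PORTS = ["22", "443"]


def _covers(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def _matches(r: Rule, direction: str, src: str, dst: str, proto: str, port: str) -> bool:
    return (r.direction in ("any", direction)
            and _covers(r.src, src) and _covers(r.dst, dst)
            and r.proto in ("any", proto) and r.port in ("any", port))


def effective_action(rules: List[Rule], direction: str, src: str, dst: str,
                     proto: str, port: str) -> Optional[str]:
    """First-match evaluation: action of the first rule the packet hits, or None if no rule matches."""
    for r in rules:
        if _matches(r, direction, src, dst, proto, port):
            return r.action
    return None


def _is_deny_all(r: Rule) -> bool:
    return r.action == "deny" and r.direction == "any" and (r.src, r.dst, r.proto, r.port) == ("any",) * 4


def check_ruleset(rules: List[Rule]) -> List[str]:
    """Return one finding per unmet firewall requirement; an empty list means compliant."""
    findings = []
    # "Include a Deny-all at the end of the rule set"
    if not rules or not _is_deny_all(rules[-1]):
        findings.append("NSP-FW-01: rule set does not end with a deny-all rule")
    # "Log all activity on the Firewall"
    unlogged = [i for i, r in enumerate(rules) if not r.log]
    if unlogged:
        findings.append(f"NSP-FW-02: rules without logging (indexes {unlogged})")
    # "All network packets typically used to execute a Denial-of-Service must be rejected/dropped"
    for proto, port in DOS_CLASSES:
        act = effective_action(rules, "in", EXTERNAL_PROBE, INTERNAL_HOST, proto, port)
        if act != "deny":
            findings.append(f"NSP-FW-03: inbound {proto}/{port} is {act or 'not matched by any rule'}")
    # "Deny all incoming traffic where the source addresses are known to be spoofed":
    # a packet arriving from outside must never carry an internal source address.
    for net in INTERNAL_NETS:
        spoofed_src = str(ip_network(net)[1])
        act = effective_action(rules, "in", spoofed_src, INTERNAL_HOST, "tcp", "443")
        if act != "deny":
            findings.append(f"NSP-FW-04: inbound packet with internal source {net} is {act or 'not matched by any rule'}")
    # "The Firewall must be managed from authorized, approved and trusted IP addresses only":
    # management ports on the firewall itself must not be reachable from the untrusted side.
    for port in MGMT_PORTS:
        act = effective_action(rules, "in", EXTERNAL_PROBE, FW_ADDR, "tcp", port)
        if act != "deny":
            findings.append(f"NSP-FW-05: management port tcp/{port} reachable from outside ({act or 'no matching rule'})")
    return findings


# Constructed sample: a rule set written to the policy (10.10.0.0/24 is an assumed admin subnet).
COMPLIANT = [
    Rule("deny", "in", "10.0.0.0/8", "any", "any", "any", log=True),        # anti-spoofing
    Rule("deny", "in", "172.16.0.0/12", "any", "any", "any", log=True),
    Rule("deny", "in", "192.168.0.0/16", "any", "any", "any", log=True),
    Rule("deny", "in", "any", "any", "icmp", "echo-request", log=True),    # DoS vehicles
    Rule("deny", "in", "any", "any", "tcp", "7", log=True),
    Rule("deny", "in", "any", "any", "udp", "7", log=True),
    Rule("deny", "in", "any", "any", "tcp", "19", log=True),
    Rule("deny", "in", "any", "any", "udp", "19", log=True),
    Rule("permit", "in", "any", "192.168.1.10/32", "tcp", "443", log=True),          # published web server
    Rule("permit", "any", "10.10.0.0/24", "192.168.1.1/32", "tcp", "22", log=True),  # admin subnet only
    Rule("permit", "out", "192.168.0.0/16", "any", "tcp", "443", log=True),
    Rule("deny", "any", "any", "any", "any", "any", log=True),                        # deny-all
]
# Constructed sample: a rule set with the weaknesses the policy forbids.
WEAK = [
    Rule("permit", "in", "any", "192.168.1.10/32", "tcp", "443"),
    Rule("permit", "in", "any", "192.168.1.1/32", "tcp", "22", log=True),
    Rule("permit", "in", "any", "any", "icmp", "any"),
]

if __name__ == "__main__":
    for name, rules in (("COMPLIANT", COMPLIANT), ("WEAK", WEAK)):
        print(name, check_ruleset(rules) or "compliant")
```

The checks are deliberately behavioural rather than textual: instead of looking for a rule that "mentions" Chargen or a spoofed range, `effective_action` walks the rule list in order with a probe packet and reports what the firewall would actually do, so a deny that is shadowed by an earlier broad permit is still reported. Running it prints an empty finding list for COMPLIANT and twelve findings for WEAK (missing deny-all, two unlogged rules, the five DoS classes, the three spoofed ranges, and the two management ports).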

Posted: 25/04/2020, 20:09

Table of Contents

  • DOCUMENT INFORMATION

  • DOCUMENT CONTROL

  • REVISION HISTORY

  • INTRODUCTION

    • PURPOSE

    • ROLES AND RESPONSIBILITIES

    • SCOPE

    • REVIEW

    • ASSOCIATED RISK DEFINITION

    • CLASSIFICATIONS

    • DEVIATION FROM POLICY REQUIREMENTS

    • POLICY REQUIREMENTS

    • APPENDIX 1: ADDITIONAL IT POLICIES SET

    • APPENDIX 2: ASSETS/SYSTEMS CLASSIFICATION EXAMPLE

    • APPENDIX 3: ASSETS/SYSTEM INVENTORY EXAMPLE

    • APPENDIX 4: IMPACT AND LIKELIHOOD ANALYSIS MATRIX
