Secure Network Management Policies



by James G. Barr

Docid: 00021148

Publication Date: 2001

Report Type: TUTORIAL


In today’s enterprise, voice and data networks
serve as essential conduits for communicating information
among employees, between employees and customers or business
partners, and between employees and other enterprise stakeholders. Not
surprisingly, the design, development, deployment, operation, and maintenance of secure
enterprise networks depends upon the formation of comprehensive
network management policies.


Executive Summary


Information is essential to the modern enterprise, and enterprise networks
serve as an essential conduit for communicating data among employees, between employees
and customers, between employees and business partners, and between employees
and other enterprise stakeholders. Not surprisingly, the design, development, deployment, operation, and maintenance of secure enterprise networks
is a matter of enterprise policy and priority.

The enterprise Network Management Policy – and its subordinate
policies – are subject to rigorous standards. The policies must be
comprehensive, addressing all aspects of enterprise usage, and align with
(or otherwise support) the overall goals and objectives of the enterprise – not
just the information technology (IT) goals, but, more fundamentally, the
business goals of the enterprise.

Among these fundamental business goals is security. Secure network management policies generally share a common set of characteristics. They are:

  • Short, as brief as possible but no briefer.
  • Written in plain language, except where technical jargon is demanded.
  • Updated on a regular basis, at least annually (or more frequently based on business or network changes).
  • Backed by ample procedures (a policy is not a “how to” document).
  • Consistent with the enterprise-established IT governance standard, such as COBIT, ITIL, or ISO/IEC 27001.

A note about nomenclature: Some network management policies address
security explicitly (in which case the word "secure" or "security" will normally
appear in the title); others address it implicitly (in which case maintaining
security is treated as a principal priority of the policy even though the title
does not say so).



The standards and practices for writing network management (and other)
policies differ from enterprise to enterprise. For example, the following
Network Firewall Policy template, offered by Hewlett-Packard, consists of
seven sections:

  1. Purpose – A
    clear statement of the reason(s) the
    security policy exists. For example: This document discusses the
    security configuration baseline with which all firewalls deployed at XYZ
    Corp should comply.
  2. Scope – Identifies which sections, divisions, or
    departments of an organization are subject to the policy. The scope can also
    define or indicate those sections that are exempt from the policy. For
    example: This document applies to all departments of XYZ Corp. The
    extranet department and the R&D department are exempt from this document
    if their department specific policy defines a contradictory requirement.
  3. Policy – Clearly defines exactly what
    requirements, conditions, configurations, and standards must be adhered to,
    followed, or implemented. Items in this section of the policy might include
    conditions under which VPN connections are enabled, what Internet services
    are allowed to cross through the firewall, and what content is filtered.
  4. Responsibilities
    – Identifies the individual or
    group responsible for implementing the conditions of the policy.
  5. Enforcement – Discusses the consequences of
    violating the policy.
  6. Definitions – Defines terms and acronyms to
    ensure that everyone reading the policy will clearly understand exactly what
    is being discussed.
  7. Revision History – Documents and dates all
    changes to the firewall policy after its initial creation and deployment.
    This essential part of any policy ensures that only the latest and most
    up-to-date version is actually used.1

In terms of network management, the “Network Management Policy” is
usually several policies. The “root,” or master, policy:

  • Describes the nature of network management.
  • Details the reasons why employees and other network users should adhere to
    network management policy provisions.
  • Discusses the consequences of violating network management policies, both
    for the enterprise and for the individuals involved.
  • Offers an index to subordinate policies.

Subordinate policies are usually developed according to their intended
audience. For example, while both users and technicians (primarily users)
must be cognizant of the “Acceptable Network Use Policy,” the
“Network Patch Management Policy” is germane only to IT and Security
personnel. Table 1 identifies some of the possible subordinate network
management policies.

Table 1. Possible Subordinate Network Management Policies

Policy Name: Acceptable Network Use
Description: Specifies how the enterprise network may be used. The ANUP is
often employed to define the limits of Internet usage, such as restricting
access to sites featuring inappropriate content.

Policy Name: Acquisition Assessment2
Description: Establishes Infosec responsibilities regarding enterprise
acquisitions, and defines the minimum security requirements of an Infosec
acquisition assessment.
Primary Audience: Techs / Users

Policy Name: Network Backup and
Description: Specifies how network data is protected against loss or
contamination.

Policy Name: Network Configuration
Description: Specifies which devices may be connected to the network. This is
becoming a major issue as users petition to use their personal smartphones
and tablets for business purposes.

Policy Name: Network Continuity
Description: Specifies how network functions are continued or recovered in
the event of a network-related disaster, including the loss of commercial
Internet

Policy Name: Network E-Mail
Description: Specifies e-mail dos and don’ts, such as “Do not open e-mail
attachments from unknown senders.”

Policy Name:
Description: Specifies which source and destination IP addresses are allowed.
Primary Audience: Techs / Users

Policy Name: Network Incident Response
Description: Specifies how network problems are reported, investigated, and,
if necessary,

Policy Name: Network Intrusion Prevention3
Description: Specifies how intrusion prevention systems detect and block
network attacks and attacks on browsers, as well as protect applications from
vulnerabilities.

Policy Name: Network LiveUpdate4
Description: The LiveUpdate Content policy and the LiveUpdate Settings policy
contain the settings that determine how and when client computers download
content updates from LiveUpdate.
Primary Audience: Techs / Users

Policy Name: Network Password
Description: Specifies the rules for creating and changing login passwords.
May also specify related identity management requirements, such as two-factor

Policy Name: Network Patch Management
Description: Specifies the interval between receiving and applying network
patches, particularly security fixes.

Policy Name: Network Remote Access
Description: Specifies how remote users – including teleworkers – may safely
connect to the

Policy Name: Network Router and Switch5
Description: Specifies a required minimal security configuration for all
routers and switches connecting to a production network or used in a
production capacity at or on behalf of the

Policy Name: Network Security
Description: Specifies how the network – and network data – are secured, via
encryption or other means.

Policy Name: Network Virus and Spyware Protection6
Description: Specifies how the network:
  • Detects, removes, and repairs the side effects of viruses, spyware, and
    other malware.
  • Detects the threats in the files that users try to download.
  • Detects the applications that exhibit suspicious behavior.
Primary Audience: Techs / Users

Policy Name: Virtual Network Management
Description: Specifies how virtual networks and virtual network components
and services are managed and secured.

Policy Name: Wireless Communication7
Description: Specifies the technical requirements that wireless
infrastructure devices must satisfy to connect to an enterprise network. Only
those wireless infrastructure devices that meet the requirements specified in
this standard or are granted an exception by the InfoSec Team are approved
for connectivity to an enterprise network.
Primary Audience: Techs / Users

Current View


Owing to their complexity, network management policies are seldom written
from scratch. “Canned” policies, which can be easily modified to suit the
needs of a particular enterprise, are available for a fee from commercial
sources. They are also available for free from organizations such as the SANS
Institute, the US National Institute of Standards and Technology (NIST), or
even the White House.

The Obama White House, for example, crafted a “BYOD Toolkit” that offers five
sample policies:

  1. “Policy and Guidelines for Government-Provided Mobile Device Usage”
  2. “Bring Your Own Device – Policy and Rules of
  3. “Mobile Information Technology Device Policy”
  4. “Wireless Communication Reimbursement
  5. “Portable Wireless Network Access Device Policy”

The following is an extract from the "Portable Wireless Network Access Device
Policy." While obviously intended for federal agencies, this policy could be
readily adapted and adopted by private-sector enterprises and non-profit organizations.


This policy applies to all employees of the
who use portable wireless devices capable of accessing
resources. This policy describes the handheld wireless network
access system implementation, recommends guidelines for usage and lists
policies and procedures that apply to its use. Portable wireless
network access devices are provided to improve customer service and
enhance government efficiencies and will only be provided to employees
whose Managers have determined that the employee has a demonstrated

The purpose of this policy is to establish rules for the use of portable wireless computing devices and their connection to the
network. These rules are necessary to preserve the integrity, availability and confidentiality of the


Those employees of the
who have a need for immediate notification and access to email, voice and
web services while away from their office or in a mobile situation are
candidates for use of a portable wireless network access device. All usage is
covered by [AGENCY NAME]’s Acceptable Use Policy. Primary use of the portable
wireless network access device is for official business. Personal use of
government-owned portable wireless network access devices (for email,
calendar, incoming and outgoing telephone calls) shall be limited to
infrequent, incidental and/or emergency use.


Within each department,
agency and/or component, the determining authority and responsibility
for issuance of portable wireless network access device shall rest with
or similar approving

Final authority and wireless activation of each new wireless network access device shall rest with the
[AGENCY NAME] Chief Information Officer or his/her designee.

[AGENCY NAME] shall implement appropriate
process and controls over the common server, infrastructure, transport
services and computing resources under its control. Deployment of
the portable wireless network access devices will be limited dependent
on available resources.

Network security controls
must not be bypassed or disabled. To the extent possible, security
capabilities of the wireless device should be employed that are
consistent with the
Acceptable Use Policy. Use of any Cellular Telephone access shall be governed by the
Cellular Telephone policy.

Violation of this policy may result
in disciplinary action, loss of access privileges to the common server
infrastructure, or civil and criminal prosecution.8

ISO 27033

Secure network management policies should be based on widely accepted and
respected network management principles. For most enterprises, especially
enterprises with a global footprint, adherence to the ISO/IEC 27033 series of
network security standards is considered prudent, if not essential.

ISO/IEC 27033-1:2015 Information
technology — Security techniques — Network security — Part 1:
Overview and concepts

ISO/IEC 27033-1:2015 provides an overview of
network security and related definitions. It defines and describes
the concepts associated with, and provides management guidance on,
network security. (Network security applies to the security of
devices, security of management activities related to the devices,
applications/services, and end-users, in addition to security of the
information being transferred across the communication links.)

ISO/IEC 27033-2:2012
Information technology — Security techniques — Network
security — Part 2: Guidelines for the design and
implementation of network security

ISO/IEC 27033-2:2012 gives guidelines
for organizations to plan, design, implement and
document network security.

ISO/IEC 27033-3:2010 Information technology — Security techniques — Network
security — Part 3: Reference networking scenarios — Threats, design
techniques and control issues

ISO/IEC 27033-3:2010 describes the threats, design techniques and control
issues associated with reference network scenarios. For each scenario, it
provides detailed guidance on the security threats and the security design
techniques and controls required to mitigate the associated risks. Where
relevant, it includes references to ISO/IEC 27033-4 to ISO/IEC 27033-6 to
avoid duplicating the content of those documents.

ISO/IEC 27033-4:2014 Information technology — Security techniques — Network
security — Part 4: Securing communications between networks using security
gateways

ISO/IEC 27033-4:2014 gives guidance for securing communications between
networks using security gateways (firewall, application firewall, Intrusion
Protection System, etc.) in accordance with a documented information security
policy of the security gateways, including:

  1. Identifying and analyzing network security threats associated with
     security gateways;
  2. Defining network security requirements for security gateways based on
     threat analysis;
  3. Using techniques for design and implementation to address the threats
     and control aspects associated with typical network scenarios;
  4. Addressing issues associated with implementing, operating, monitoring
     and reviewing network security gateway controls.

ISO/IEC 27033-5:2013 Information technology — Security techniques — Network
security — Part 5: Securing communications across networks using Virtual
Private Networks (VPNs)

ISO/IEC 27033-5:2013 gives guidelines for the selection, implementation, and
monitoring of the technical controls necessary to provide network security
using Virtual Private Network (VPN) connections to networks and connect
remote users to networks.
ISO/IEC 27033-6:2016 Information technology — Security techniques — Network
security — Part 6: Securing wireless IP network access

ISO/IEC 27033-6:2016 describes the threats, security requirements, security
control and design techniques associated with wireless networks. It gives
guidelines for the selection, implementation and monitoring of the technical
controls necessary to provide secure communications using wireless networks.
The information in this part of ISO/IEC 27033 is intended to be used when
reviewing or selecting technical security architecture and design options
that involve the use of wireless networks.


In the future, the ability to generate and maintain secure network
management policies may be influenced by several factors:

  1. Globalization – The need to comply with multiple security and
    privacy regulations from multiple jurisdictions; in particular, the
    European Union (EU).
  2. Cloud Computing – The need to maintain
    a mixed network environment, including public and private clouds.
  3. Smartphone and Tablet Proliferation – The need
    to support an ever-expanding range of smartphones and tablets, each with
    its own security characteristics.
  4. IPv6 – The need to transition to Internet Protocol version 6.
  5. Internet of Things – The need to support an emerging
    class of Internet-connected systems, sensors, and other devices.
  6. Edge Computing – The need to accommodate data processing at the
    network edge.


Globalization

Today’s enterprise does business on a worldwide basis. With that opportunity
comes an obligation to comply with local, national, and international
security and privacy regulations. The European Union’s rules are among the
world’s strictest, with the effect that adhering to EU requirements will
position an enterprise well for compliance in most other jurisdictions.

Importantly, EU policymakers continually issue new regulations, directives,
and variations on existing ones. As a result, the enterprise chief compliance
officer (CCO), in cooperation with the enterprise general counsel, must
remain vigilant in reviewing, and assessing the implications of, EU security
and privacy pronouncements.

For example, the European Union General Data Protection Regulation (GDPR),
in force since May 25, 2018, imposes stricter data security requirements on
enterprises operating within the EU, or handling personal data belonging to
EU residents, and requires that a personal data breach be reported to the
supervisory authority within 72 hours of the enterprise becoming aware of it.

A parallel initiative, the Digital Republic Bill, adopted by France in
October 2016, penalizes enterprises that evidence inadequate data security

Perhaps inspired by GDPR, the state of California passed the California
Consumer Privacy Act (CCPA). Commencing January 1, 2020, CCPA grants consumers
various increased rights with regard to personal information held by a business.
Among the expanded rights are the right to request a business to delete any
personal information that is collected by the business, and the business is
required to comply with such a verifiable consumer request unless the data is
necessary to carry out specified acts.

Cloud Computing

From a policy perspective, the major issue surrounding cloud computing is
third-party involvement, as enterprise data travels to and from enterprise and
non-enterprise networks; in the latter category, networks belonging to:

  • Cloud providers
  • Supply chain partners
  • Managed security services providers (MSSPs)

Under ideal circumstances, the same secure network management policies
observed by the enterprise would be followed by each non-enterprise actor. In practice, of course, each network owner/operator establishes its own

To achieve maximum protection, enterprise officials, both IT and security,
should “drill down” on partner network management practices. They should
determine, at minimum, if each partner adheres to sound – if not necessarily
identical – network management policies.

Smartphone and Tablet Proliferation

As smartphone and tablet usage continues to expand worldwide, mobile
platforms will become even more tempting targets for malware makers.

Since enterprise business officials are finding it harder to “just say
no” to the “Bring-Your-Own-Device” (BYOD) crowd – those individuals who
argue for the need to connect consumer-grade smartphones and
tablets to enterprise networks – enterprise security officials will
likely amend network management policies to permit the use of a wider
selection of mobile information devices.

To compensate for this concession, security officials will – or should –
detail how each brand and model of authorized smartphone or tablet should be
secured – perhaps in a special subordinate policy or policy addendum.


IPv6

Internet Protocol version 6 (IPv6) is the successor to IPv4 for enterprise
networks, intranets, and the Internet. IPv6 offers simpler address
administration (including stateless address autoconfiguration) and a vastly
expanded address space. Its security benefit is often overstated: IPsec
support is specified for IPv6 nodes (originally mandatory, now recommended),
but it is not enabled by default, and a dual-stack network that filters and
logs only IPv4 traffic leaves an unmonitored IPv6 path to hosts that
autoconfigure IPv6 addresses whether or not the enterprise manages them.

Figure 1 reflects the status of IPv6 industry deployments through December
17, 2019.10

Figure 1. IPv6 Industry Deployments – 12/17/2019

Source: US NIST

As enterprises migrate to IPv6, they must modify their network policies and
practices accordingly: firewall rules, intrusion detection signatures,
address management, and logging must cover IPv6 traffic on the same footing
as IPv4. Enterprises that have not formally deployed IPv6 should still filter
or disable it on hosts and switch ports, because most operating systems
enable it by default.

Internet of Things

A term coined by technologist Kevin Ashton in 1999,11 the "Internet
of Things" (IoT) refers to efforts designed to extend the dominion of the
Internet from cyber space to the physical world, creating a network of
intelligent devices that form the mechanical equivalent of the body’s central
nervous system. The purpose is twofold:

  1. To gather information about physical processes in order to improve
  2. To exercise real-time control over physical processes in order to
    affect greater operational efficiency and effectiveness.

As analyst Nick Ismail observes, "For some time, one of the primary concerns
with IoT has been its impact on network security. This is because a greater
number of devices are connecting to the network, resulting in a much higher risk
of hackers being able to gain access and do damage."

For those affected, Ismail suggests "creating a device management policy: A
policy that lays out guidelines for IoT device integration and connection to
your network will help streamline the managing process."12

Edge Computing

As the term implies, "edge computing" is computing at the network edge.
According to Gartner, "Edge computing describes a computing topology in which
information processing and content collection and delivery are placed closer to
the sources of this information."13

The emergence of edge computing is tied to Industrial Internet of Things (IIoT), in which industrial components are
transformed into smart machines capable of collecting and processing data
locally and transmitting it to a central data center, or the cloud. Given the
sheer volume of data being collected by sensors and other intelligent devices,
it only makes sense to conduct as much processing "onsite" as possible; in other
words, to shift processing to the network edge.

If edge computing sounds like the latest incarnation of distributed
computing, it is. The principal difference between edge computing and earlier
distributed forms is that edge computing is essential to certain use cases. The
most frequently cited example involves self-driving or autonomous cars, in which
the onboard AI systems must make immediate, often life-and-death, decisions
based on vehicle sensor data. There is literally no time to transmit data to the
cloud for processing. The processing must take place within the vehicle, or at
the edge.

Network management policies must be amended to enable secure edge operations.



To facilitate the process of
developing a secure Network Management Policy, consider the following:

  1. Assemble a Policy Development Team, consisting
    of network users as well as technical representatives from IT, Security, and
    Quality Assurance.
  2. If more expertise is required, engage a network
    security consultant or consulting firm. An experienced third-party
    contributor can share policy development best practices.
  3. Invite the participation of general counsel to
    ensure proposed policy provisions are enforceable.
  4. Identify which laws and regulations apply to
    the enterprise, and how these statutes will be enforced through the policy.
  5. Make liberal use of free policy templates and
    samples supplied by authoritative bodies such as NIST or the SANS Institute.
  6. Appoint a policy owner, a single department –
    preferably, a single person – responsible for policy administration, both
    the root policy and its subordinate policies.
  7. Circulate the policy for user approval prior to
    implementation. Unless the subjects of the policy “buy in”
    to its various provisions, the policy is not viable.
  8. Once the Network Management Policy – and its associated subordinate
    policies and procedures – are developed, conduct a Risk Analysis to identify
    – and plug – any residual security exposures.
  9. Select and implement an automated Policy Management tool to help ensure
    policy compliance.
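Recommendation 9 asks for automated policy compliance checking, and the Policy section of the Hewlett-Packard firewall template earlier in this report lists what such a check must encode (which Internet services may cross the firewall, what is filtered). The following Python script is an added example, not code from this report, from Hewlett-Packard's template, or from any vendor's policy management tool: it expresses a hypothetical XYZ Corp firewall policy as data and audits two constructed rulesets against it. The rule fields, the 10.0.0.0/8 enterprise range, the approved-service and management-port lists, and both rulesets are assumptions made for the example.

```python
"""Policy-as-code check of a firewall ruleset against a written firewall policy.

Added example, not code from the report or from the HP template it cites.
Rule fields (action/proto/src/dst/dport), the policy values and both sample
rulesets are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional, Set, Tuple

ANY_NET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One line of a (hypothetical) firewall ruleset, evaluated top to bottom."""
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port; None means any port


@dataclass
class FirewallPolicy:
    """What the template's Policy section would state for XYZ Corp (assumed values)."""
    approved_inbound: Set[Tuple[str, int]]             # Internet services allowed in
    inside: str = "10.0.0.0/8"                         # enterprise address space
    management_ports: Set[int] = field(default_factory=lambda: {22, 23, 3389})
    default_deny: bool = True                          # ruleset must end in deny any/any


def is_any_any(rule: Rule) -> bool:
    """True for a rule matching every source, destination and port."""
    return (ip_network(rule.src) == ANY_NET and ip_network(rule.dst) == ANY_NET
            and rule.dport is None)


def audit(rules: List[Rule], policy: FirewallPolicy) -> List[str]:
    """Return one finding per policy violation; an empty list means compliant."""
    findings: List[str] = []
    inside = ip_network(policy.inside)
    for number, rule in enumerate(rules, start=1):
        if rule.action != "allow":
            continue
        if is_any_any(rule):
            findings.append(f"rule {number}: 'allow any/any' violates default deny")
            continue
        # Inbound = source not wholly inside the enterprise, destination wholly inside.
        from_outside = not ip_network(rule.src).subnet_of(inside)
        to_inside = ip_network(rule.dst).subnet_of(inside)
        if not (from_outside and to_inside):
            continue
        if rule.dport in policy.management_ports:
            findings.append(f"rule {number}: inbound {rule.proto}/{rule.dport} exposes a management port")
        elif (rule.proto, rule.dport) not in policy.approved_inbound:
            findings.append(f"rule {number}: inbound {rule.proto}/{rule.dport} is not an approved Internet service")
    if policy.default_deny and not (rules and rules[-1].action == "deny" and is_any_any(rules[-1])):
        findings.append("ruleset does not end with an explicit 'deny any/any'")
    return findings


# Assumed policy: only HTTPS to the web tier and SMTP to the mail relay may enter.
POLICY = FirewallPolicy(approved_inbound={("tcp", 443), ("tcp", 25)})

# Constructed ruleset that looks reasonable at a glance but breaks the policy three ways.
WEAK_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.1.10/32", 443),   # public web server: fine
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.1.20/32", 3389),  # RDP open to the Internet
    Rule("allow", "any", "0.0.0.0/0", "0.0.0.0/0", None),     # catch-all allow, no final deny
]

# Same intent, written to comply with the policy.
COMPLIANT_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.1.10/32", 443),
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.1.30/32", 25),    # mail relay
    Rule("allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443),     # outbound web: not inbound, so not checked
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("compliant", COMPLIANT_RULES)):
        print(name, audit(rules, POLICY) or ["compliant"])
```

Run as a script, the audit reports three findings for the weak ruleset (the exposed RDP port, the catch-all allow, and the missing terminal deny) and none for the compliant one. The same shape serves the Router and Switch and Remote Access subordinate policies: keep the policy as data next to the configuration it governs, and run the audit on every configuration change rather than at the annual policy review.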



About the Author


James G. Barr is a leading business continuity analyst and business writer
with more than 30 years’ IT experience. A member of “Who’s Who in Finance and
Industry,” Mr. Barr has designed, developed, and deployed business continuity
plans for a number of Fortune 500 firms. He is the author of several books,
including How to Succeed in Business BY Really Trying, a member of Faulkner’s
Advisory Panel, and a senior editor for Faulkner’s Security Management
Practices. Mr. Barr can be reached via e-mail at
