Network Security Policy - SME

This Network Security Policy (P21S) is explicitly designed to meet the tailored needs of small and medium-sized enterprises (SMEs) operating without large or specialized IT security teams. Adapted for environments where the General Manager assumes overall accountability, the policy ensures effective implementation of robust network security controls even when roles such as SOC or CISO may not exist. Aligned with ISO/IEC 27001:2022 and compatible with GDPR, NIS2, and DORA regulations, it provides both clarity and assurance in achieving technical, legal, and audit-ready compliance. The policy's scope is comprehensive, addressing all elements of an organization's network: wired and wireless infrastructure, firewalls, routers, switches, remote (VPN, RDP), and cloud connections, as well as devices linked to the network. This includes internal staff, remote and hybrid workers, guests, contractors, vendors, and service providers. Both physical and logical network separations, like guest zones and IoT devices, are explicitly covered, ensuring each segment is appropriately managed according to risk and access needs. Clear assignment of roles is fundamental: the General Manager owns policy oversight and approves exceptions, while the IT Support Provider (or an internal IT role) is responsible for practical implementation, maintenance, and incident detection. These definitions allow SMEs without dedicated IT departments to fulfill high-standard compliance requirements using simplified governance structures. Privacy or Security Coordinators support compliance with personal data protection regulations, participate in breach investigations, and ensure documentation requirements are met. All staff must follow strict guidelines on network access, device connection, password security, and incident reporting. Governance and technical controls are meticulously outlined. All network assets must be sourced from supported vendors and kept up-to-date with security patches. Firewalls and wireless controllers enforce default-deny principles; wireless networks must use WPA3 or WPA2 encryption, with guest access strictly isolated. Cloud service exposures are minimized, VPN access is strictly controlled and monitored, and multifactor authentication is mandatory for remote logins. Logging, monitoring, regular audits, and clear reporting channels are required to ensure continuous improvement and incident response readiness. By emphasizing annual reviews, change control processes, and strict enforcement (with actions for non-compliance ranging from retraining to legal measures), this policy creates an effective and sustainable foundation for ongoing security. Exception processes are formalized, always requiring justification, compensating controls, and General Manager approval. This approach enables SMEs to operate securely, fulfill legal obligations, and demonstrate technical proficiency to customers, auditors, and regulators.