Network Security Policy

The Network Security Policy (Document P21) was developed to establish rigorous controls over both internal and external organizational networks, providing protection against unauthorized access, service disruption, data interception, and misuse. Its primary objectives include safeguarding the confidentiality, integrity, and availability of data in transit and at rest, while aligning closely with key regulatory and standard requirements such as ISO/IEC 27001:2022, GDPR Article 32, NIS2 Directive, DORA, and COBIT 2019. This robust policy applies globally to all network infrastructures, including physical, virtual, cloud, and hybrid environments. It lists routers, switches, firewalls, cloud-based networks, VPN systems, and even supporting services like DNS and proxy servers under its comprehensive scope. Both internal staff and external service providers who interact with these networks are bound by the requirements set forth. Notable features of the policy include mandatory network segmentation, explicit firewall configuration protocols, secure routing standards, and ongoing central monitoring and logging of network activities. Governance is clearly structured, obliging roles such as the CISO, Network Security Manager, SOC, IT Operations, and even third-party vendors to adhere to defined responsibilities for secure network design, operational monitoring, change management, and incident response. The policy sets expectations not just for routine network management, but also for handling exceptions, such as legacy system dependencies, through a controlled, risk-assessed approval process. All exception approvals are registered within the ISMS with a strict 90-day review cycle, ensuring no long-term vulnerabilities are overlooked. To minimize attack surfaces and meet compliance obligations, the policy stipulates that all boundary networks must be protected using next-generation firewalls with stateful inspection, application filtering, and intrusion prevention. Internal networks are to be segmented between production, development, user, and guest areas, using firewalls and VLANs to enforce strict access controls. VPN and remote access solutions must utilize encryption and multi-factor authentication, while wireless networks are required to adopt enterprise-level security protocols and guest segregation. Cloud and hybrid environments are not exempt, security group rules, audited VPN links, and cloud-native firewall settings must be tightly managed. For monitoring and detection, continuous logging into a centralized SIEM, anomaly detection through NDR, and set log retention periods are all integral requirements. Periodic policy reviews and audits are mandatory, triggered by new threats, network changes, regulatory updates, or audit findings. Non-compliance, including deliberate circumvention of controls, leads to disciplinary action, contractual penalties, or breach reporting in line with regulations. Finally, the Network Security Policy also specifies its linkages with other critical organizational policies, including foundational security, access control, change management, asset management, logging, and incident response policies for a layered, defense-in-depth approach.