Background
----------

ISO/IEC 27002:2022 clause 8.20 indicates that "Networks and network devices should be secured, managed and controlled to protect information in systems and applications [in order] to protect information in networks and its supporting information processing facilities from compromise via the network."

Policy statements
-----------------

1. Cryptographic controls such as encryption and authentication should be used where possible, supplementing other security measures for data integrity and non-repudiation, particularly on public networks.
2. Use multi-factor authentication to identify users of IT network applications, particularly for remote users.
3. Use appropriate firewall access control lists and other access controls to protect confidentiality and reduce the possibility of network compromise.
4. Unauthorised Internet connections to corporate systems or internal networks are strictly prohibited; all Internet connections must follow a management-approved risk-assessment and authorization process.
5. Appropriate antivirus controls must be implemented to protect IT networks and systems against malware including worms.
6. Due to their ephemeral nature, wireless networks require additional security controls. [Cite a separate policy]
7. Security patches released by vendors should be promptly verified and applied to all relevant systems, especially Internet-facing ones and those requiring critical patches.
8. For business-critical IT network communications, additional measures should be taken to ensure the availability and resilience of network services, including contingency arrangements in case of Internet outages.
9. Due to the considerable information risks associated with social and business networking, awareness and caution are paramount.

Notes
-----

This is a “skeleton” policy providing just the bare bones, the basic foundations on which to construct a custom policy for your organisation.
Jump-start the process by visiting www.SecAware.com for a more comprehensive customisable policy template in MS Word.