Copyright Goodheart-Willcox Co., Inc. 485 Chapter 15 Network Security Policies

Policies and procedures must cover many things. Included in the list of items you must have policies for are on-boarding and off-boarding procedures. These procedures determine how new employees will be set up on a network and how exiting employees will be removed. This may include signing a non-disclosure agreement (NDA). These policies should also define expectations for remote access best practices and safety guidelines, and how the company handles situations in which employees work with their own devices, commonly referred to as bring your own device (BYOD).

The most common policy is an acceptable use policy (AUP). This often describes how systems should be used. A technology frequently used and referenced in an AUP, particularly in conjunction with BYOD, is network access control (NAC). This scans any device connecting to the network and determines if it meets the minimum security standards. If it does not meet the standards, the device is not allowed to connect to the network.

There should also be policies describing how to handle software usage, including licensing restrictions and international export controls. This is particularly important for encryption software.

Related are guidelines for asset disposal. More often than not, computer equipment cannot simply be thrown away. This is due to both environmental and security concerns. For example, computer and electrical equipment often contains heavy metals and carcinogens that can enter the atmosphere if improperly disposed of. Additionally, a hard drive that is simply thrown in a dumpster can be retrieved and accessed. This is called dumpster diving. Therefore, policies should outline how to dispose of equipment properly to ensure environmental stability and loss prevention.

Data loss prevention (DLP) policies address how a company will prevent data from being taken from the company. This might include forbidding the use of USB devices or implementing intrusion-detection rules.

Captive portals are an excellent way to ensure users are aware of policies and agree to them. A captive portal is a web page the user must access before accessing the network. It often requires the user to check a box agreeing to the network policies.

Just as important as policies for end users are policies for the security staff. This includes incident response policies. These define exactly what to do should an incident arise. That includes any type of incident, from a hacker infiltrating the network to a fire in the server room.

Data Security Compliance Requirements

There are several security standards and laws aimed at securing personal user data such as medical records, banking records, health records, and credit card information. The difference between a standard and a law is that a standard is voluntary, whereas a law is legally binding. Both standards and laws typically require the network to be tested for security vulnerabilities. Most require network access and activity to be tracked, monitored, and recorded. They also require that network security features be tested on a regular basis. A policy and procedure guide should also be created and maintained, and all network users should be instructed in security-related procedures, such as password and e-mail security.

Tech Tip
A standard can be incorporated into a contract, making it legally binding. For example, when a network construction contract states that "all work shall conform to the latest IEEE standards," the standard has become a legally binding part of the contract.