1. What is the network security policy?
With the rapid growth of investment in IT systems, and the matching growth in the scale of attacks and data theft, security policies have become a necessity. A network security policy is a formal written statement of the organization's strategy for managing every component that affects the security of its computer network.
Network security policies vary with the needs and structure of each institution. For this reason the policy should be written before the system is installed and before any security problem is encountered, not in reaction to one. A secure computer network cannot be achieved without a security policy.
Because the policy is written down, every employee in the organization can understand clearly how the technology and information assets of the organization are to be used.
2. Network security policies
2.1. Acceptable use policy
This policy specifies the rights and responsibilities of users in their use of the network and computer facilities. The following topics are the ones that are usually determined; other items can be added depending on the structure of the institution.
2.2. Access policy
This policy determines which users are authorized to connect to the network and to what. Users are first divided into categories, and access rules are then defined separately for each category. System administrators form one of these categories as well: if no access rules are written for the system administrator, whatever is not covered is left to the administrator's discretion, and that gap is where unwanted security vulnerabilities appear on the system.
2.3. Network firewall policy
This policy controls access from outside the network to the inside. A network firewall is a solution that sits as a gateway between the institution's network and external networks and is designed to address the problems the institution may face on its internet connection. The firewall can enforce network security together with the services listed below.
Proxy:
Unlike other types of firewalls, a proxy acts as an intermediary between the external network and the internal computers, so the two never communicate directly. It inspects the data and, if no problem is found, forwards it to the user.
Anti-virus solutions:
These are systems that scan HTTP, FTP and SMTP traffic for viruses and aim to remove them before the content reaches the user.
Content filtering:
These are systems that use various software to filter unwanted web pages and incoming e-mail.
Virtual private networks (VPN):
These are used to make connections to the corporate network over public data networks more trustworthy, by authenticating the endpoints and encrypting the traffic between them.
Intrusion detection systems (IDS):
This is a system that aims to detect suspicious events, intrusions and attacks. When something suspicious is seen, the system administrator can be alerted by methods such as e-mail or pager.
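The firewall policy above comes down to an ordered list of rules with a default deny at the end. The following added example, written for this page and not code from the original article, shows how such a ruleset is evaluated (first match wins, unmatched traffic is dropped) and adds the check a practitioner wants when reviewing a policy: finding rules that can never fire because an earlier, broader rule shadows them. The addresses (192.0.2.0/24 as the institution's network, 192.0.2.10 as a web server, 192.0.2.20 as a mail server) and the ruleset are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


# Constructed ruleset (assumption, not from the article): allow HTTPS to the
# web server and SMTP to the mail server, then explicitly deny everything
# else inbound to the institution's network.
RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),
    Rule("allow", "0.0.0.0/0", "192.0.2.20/32", "tcp", 25),
    Rule("deny",  "0.0.0.0/0", "192.0.2.0/24",  "any", None),
]

# The same rules with the broad deny placed first: a common policy mistake.
BAD_ORDER = [RULES[2], RULES[0], RULES[1]]


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule decides; traffic no rule matches is denied."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"   # default deny for anything the policy did not foresee


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    matches a superset of their traffic (same or wider src/dst, proto, port)."""
    result = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(rule.src).subnet_of(ip_network(earlier.src))
                    and ip_network(rule.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.proto in ("any", rule.proto)
                    and (earlier.dport is None or earlier.dport == rule.dport)):
                result.append(i)
                break
    return result


if __name__ == "__main__":
    # Constructed sample connections from an outside host.
    for dst, proto, port in [("192.0.2.10", "tcp", 443), ("192.0.2.10", "tcp", 22),
                             ("192.0.2.20", "tcp", 25), ("192.0.2.20", "udp", 25)]:
        print(f"{proto}/{port} -> {dst}: {evaluate(RULES, '198.51.100.7', dst, proto, port)}")
    print("shadowed rules in RULES:", shadowed(RULES))
    print("shadowed rules in BAD_ORDER:", shadowed(BAD_ORDER))
```

Running the script shows HTTPS to the web server and SMTP to the mail server allowed, SSH and UDP/25 denied, and that in `BAD_ORDER` both allow rules are reported as shadowed (indices 1 and 2): the policy would silently block the very services it was meant to publish. Checking for shadowed rules whenever the ruleset changes is cheap and catches the ordering mistake before it reaches production.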
2.4. Internet policy
This policy defines which external users (employees working remotely, partners, customers or others) may access the services on the corporate network from the internet, and what access rights each of them has.
2.5. Password management policy
Passwords are how the system checks whether a user is permitted to access the information they are requesting. Incorrect and malicious use of passwords leads to security problems.
System administrators should be able to intervene in users' password choices and warn them, so that simple and easily guessable passwords are rejected.
For password selection, institutions can set restrictions such as the minimum length and required content of the password, an expiration period, and whether a single login grants access to everything (single sign-on).
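The restrictions listed above (length, content, expiration) are easy to state and easy to get wrong in practice, so the following added example, written for this page and not code from the original article, implements a password policy check that reports every violation rather than just accepting or rejecting. The thresholds (12 characters, 3 of 4 character classes, 90-day age) and the small list of common passwords are constructed for illustration; a real deployment would use the institution's own values and a full breached-password list.

```python
import re
from datetime import date, timedelta
from typing import List, Optional

# Constructed policy parameters (assumption): illustrative values, not from the article.
MIN_LENGTH = 12
MIN_CHAR_CLASSES = 3
MAX_AGE_DAYS = 90

# Constructed stand-in for a breached/common-password list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

CHAR_CLASSES = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def check_password(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means accepted.

    Returning all violations at once lets the administrator warn the user
    precisely, as the policy text above requires, instead of a bare refusal."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = sum(bool(re.search(pattern, password)) for pattern in CHAR_CLASSES.values())
    if present < MIN_CHAR_CLASSES:
        problems.append(f"uses fewer than {MIN_CHAR_CLASSES} of: " + ", ".join(CHAR_CLASSES))
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a character repeated 4 or more times")
    return problems


def password_expired(last_changed: date, today: Optional[date] = None) -> bool:
    """True when the password is older than the policy's maximum age."""
    today = today or date.today()
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user in [("password", "bob"), ("Tr0ub4dor&3xample-2024", "bob"),
                     ("alice-Secret-2024!", "alice"), ("Aaaaaaaaaaaaa1!", "bob")]:
        print(repr(pw), "->", check_password(pw, user) or "accepted")
    print("expired:", password_expired(date(2024, 1, 1), today=date(2024, 4, 1)))
```

One caveat a practitioner should weigh when writing this part of the policy: current guidance such as NIST SP 800-63B favours long passwords screened against breached-password lists over strict composition rules and forced periodic changes, because the latter push users toward predictable patterns. The checks above are therefore a faithful rendering of the restrictions the article lists, not a recommendation to use all of them.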
2.6. Physical security policy
It should not be forgotten that an attacker who can physically reach a corporate device can take control of it. An attacker who can reach the network cabling can listen to the line and, with special equipment attached to the cable (a tap), even inject traffic. For this reason the institution should define physical security measures for the core devices that make up its network and for the servers that provide its services.
2.7. Social engineering policy
Social engineering is the act of persuading people to do what the attacker wants and of extracting information from them. It takes many forms: trying to learn a user's password while claiming to be the system administrator, physically entering the institution while posing as a technician, or collecting information by going through the institution's rubbish.
Employees should never hand over information to anyone who has not proven their identity, and should keep their work and private lives separate. The institutional policy should spell out these situations, warn staff about them and put the necessary precautions in place.