Creating Network security procedure

I need to create a network security procedure for my company.  Can anyone tell me what needs to be in one or can I get an example?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Rich RumbleSecurity SamuraiCommented:
First you need policies, then they will help you define your procedures. The SANS Institute has some of the best stuff written, it's easy to understand and customize to your organization.

Read through some of those, like the Acceptable use policy for example. The acceptable use policy has in it things like, keeping passwords safe, labeling confidential emails as confidential,  p2p software is unaccptable etc...

I believe this will be your first step- If you need more info just right back, I'll be happy to add- I'm just unsure of your question because it's pretty brief.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Rich RumbleSecurity SamuraiCommented:
typo's "right"... i meant "write back"... i'm getting too old.
I agree with Rich.
That SANS link is the best place to go.
There are pay-sites that have sample policies, but SANS has all you need.

Also useful (and from SANS again) would be the sans reading room for all things related to infosec:

For things specifically related to developing and implementing policy:

And remember - developing policy is one thing. Ensuring it's followed and reviewing it's relevance/practicality is another thing altogether and crucial. It's no use enforcing 15 character complex passwords if people are going to write them on a post-it note and stick it on the monitor! :)

I had to put these types of policies in place for my company.  Here are a list of suggestions ontop of what has already been said.  

Once you get your policies in place make sure your Human Resources, or other Executive Managment personnel, agree with the policies and will support them.  The policies are no good if they are not supported by upper management.  Keep in mind that you will most likely have to enforce these policies at one time or another.  We had ours user sign a form stating that they read, understood, and agreed to follow all the policies.  We also had all of the policies posted on the Company intranet.

Get a good password policy.  I am a consulatant now and I have walked into many customers sites and been able to get on their network too easily.  Blank passwords, password on sticky notes etc are a very bad thing to have in your organization and are very hard to prevent.

A good firewall is also very important to your network.  Remember to log the firewall and to block unwanted traffic from comming in and going out.  Most people overlook the outbound policies.  Also make sure you have some intrusion detection, this is often overlooked as well.

Keep all you machines up to date with service packs and patches.

Have up to date anti virus software on all workstations and servers.

If you can remove all modems from servers and workstations, this may not be cost effective or feasible for you to do.  Cisco had analog line cards that can be added to some of thier routers.  that way all modem traffic can be passed though a firewall.

If you have Windows 2000 or Windows XP workstation prevent users from installing software.  There is usually never a good reason why a user would need to install software on thier machine.

Use a proxy server to monitor Internet use.  Providing reports of users activities to managment is a great deterent to inappopriate use.

Have a good backup and distaster recover procedure.  I would typically ghost my servers after new software or service packs, etc were installed.  All the actual data was backed up daily and achived once a week.  The previous weeks tapes were kept off site.  Monitor your backup logs to make sure the backup are actually running okay.

Docuement your network, and I mean everything that you have in it.  If you have to rebuild anything it's much easier if its been documented.  Your docuementation should be kept in a secure place, since if its done right you would not want it to fall into the wrong hands.

There are a lot of other things that can/should be done to build a godo network secuity procedure. I hope this list helped.
A couple of things that I think are going to be very important as you move forward with this.

1.  Make sure that you raise awareness, and show the need for improving security.
2.  Make sure that you have senior management buy in.  They can say that they want to be more secure, but they will need to back you.  

<advertizing removed by CetusMOD per http:help.jsp#hi106>
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.