9-4 Information Technology Professionals Policy - Section IX: Network Management Policy
What’s on this Page
Section IX: Network Management Policy
Read next: Section X: Operations Management Policy
IX. Network Management Policy
This Policy establishes requirements for access control and security management of Local Agency networks.
- Network Security Management
All Local Agency networks must be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and application using the network, including information in transit. Local Information Service Providers must at minimum, implement the following:
- Managing and monitoring network security is separate from computer operations when possible;
- When necessary, special controls are implemented to safeguard the confidentiality and integrity of sensitive data passing over public networks (i.e., the Internet);
- Security requirements of network services must be identified and documented, which include specification of:
- Technologies applied for security of network services, (e.g., authentication, encryption and connection controls);
- Technical parameters and rules for secured connection with the network; and
- Procedures and processes to control and/or restrict access.
- Network Connections
All connections to Local Agency networks must be authorized by the Local Information Service Provider.
- Network Access Control
To prevent unauthorized access to network services the following controls, at minimum, must be implemented:
- Access to a Local Agency’s network must require all authorized Users to authenticate themselves through use of an individually assigned User-ID and an authentication mechanism, (e.g., password or token).
- Network access controls must ensure that Users can only access the Local Agency IT resources and data they have been specifically authorized to use.
- Where technically feasible, access to a Local Agency network must be limited to identified devices or locations.
- Physical and logical access controls must be implemented and maintained to protect diagnostic and configuration ports.
- Access controls must be implemented between segments as necessary.
- Remote Access Control
- Remote access connections to a Local Agency network must be done in a secure manner to preserve the integrity of the network, data transmitted over the network, and the availability of the network.
- To maintain information security during remote access to Local Agency IT resources, individual accountability must be maintained.
- Use of a common access point is required. All remote connections to Local Agency IT resources must be made through managed central points of entry.
- All Virtual Private Network (VPN) connections must have split tunneling disabled. In the case where split tunneling must be enabled to accommodate a business need, a risk assessment must be performed to ensure that the connection will not compromise the Local Agency network.