As a network security professional, you will work with various domains and policies that companies and enterprises adopt and adhere to.
These network security policies are critical for organizations to keep their network infrastructure secure.
Another aspect of these domains and policies is staying compliant with regulators and avoiding the fines that result from data breaches.
In this article, I am focusing on these domains and policies. These are basics that a network security engineer must know.
In CCNA and CCNP Security, this is just a small part of the content. It will help you in the learning program.
Network Security Domains

It is important for network security professionals to know the outcome of network security.
They must also be familiar with enterprise requirements for network security as covered by the 14 network security domains.
These domains are developed, prepared and documented by bodies like ISO, NIST and ISC2.
There are 14 network security domains that a network security or IT security professional must know:

- Information security policies
- Organization of Information security
- Human resources security
- Asset management
- Access controls
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Business continuity management
- Compliance
This is quite important information related to network security, which I am sharing here for users on the internet. I generally conduct 1/1 and group CCNA Security trainings online via Microsoft Teams.
If you want more detailed content, you can consider the 1/1 training of 30 days, where I cover everything from CCNA Security.
That said, the CCNA Security series at cybernomadtv is completely free and will help you prepare for CCNA Security and the introductory CCNP Security track.
I’ll be illustrating some of the network security domains here which are important to know.
Information Security policies
These are broad-level policies developed and adopted by companies to handle network security more professionally and ethically.
They give network security professionals a handbook of security policies to follow when they carry out practical network security implementations.
Examples of an information security policy include mandatory MFA across systems, limiting Cisco router access, and authorizing time-based access to routers.
Access Controls
Access control is a security control used to implement and restrict access to network infrastructure, the network itself, servers and endpoints.
In the CCNA network security area, you can think of access controls as restricting access rights to networks, systems and data located on the network premises.
Communications Security
Communications security means that LAN traffic communicated internally within an organization must be secured and logged, with accounting information recorded.
Similarly, communications from LAN to LAN, or from the LAN to other companies such as customers and suppliers, must be properly secured, with access controls implemented to limit network access.
Asset management
Organizations and companies create an asset inventory of IT infrastructure devices (endpoints, servers, switches, routers, etc.) and classify them under a common scheme to categorize and segregate information assets.
These infrastructure technologies are assets to an organization, and labelling and securing them is a priority.
Human Resources Security
Human resources security must be properly implemented: HR personnel in the organization must be provided with organizational security policies and protocols, which HR and talent teams must follow to keep HR systems secure.
Social engineering of HR teams is a common way for threat actors to try their luck.
Hence, it is a critical network security domain in which employees are handled in line with security procedures throughout the hiring journey.
Network Security Policies
According to Cisco, there are important policies, which are presented in Cisco CCNA Security.
These are quite common, though, and are presented in other learning guides as well.
Here, I will be sharing network security policies used by companies.
Cisco has categorized the policies and segregated them further:
- Business Policies
- Security Policies
- BYOD Policies
Business Policies

Business policies are statements developed by individual companies to govern their actions.
The policies define standards of correct behavior for the business and its employees.
In network security, policies define the activities that are allowed on the network (LAN). This sets a framework of acceptable use.
If any activity that violates business policy is detected on the network, it is possible that a security breach has occurred.
Within business policies, you can further categorize policies as:
- Company Policy
- Employee Policy
- Security Policy
Company Policy
These policies establish rules of conduct at a broad level in the company. These rules and policies are implemented and governed by the company and adhered to by both employers and employees in the organization.
These policies also protect the rights of employees and the business interests of companies.
It is a broad and basic policy structure adopted by companies, although it is not directly involved with network security.
Employee Policy
These policies are adopted, implemented and followed by HR teams to coordinate, handle and document employee documentation: salary slips, offer letters, legal documentation, benefits and work hours.
These are provided to new employees when joining any firm.
Security Policy
These security policies are defined by companies for employees in the organization, to grant and limit network access and access levels in the organization.
A security policy defines the rules of behaviour for users and admins, and specifies system requirements.
The security policy is changed and adapted based on the threat landscape facing the organization and the vulnerabilities existing in the current network security landscape.
Network Security Policy

A comprehensive network security policy has a number of security benefits for any company:
- Demonstrates an organization’s commitment to security
- Sets the rules for expected behavior
- Ensures consistency in system operations
- Defines the legal consequences of violations
- Gives security staff the backing of management
Types of Network Security Policies in the security umbrella
Identification and Authentication Policy – This policy ensures that authorization and access to network infrastructure are given to authorized network admins under the security policies defined by enterprises.
Password policies – Ensure passwords meet company policy. Examples include the use of secure passwords, password managers, and temporary password access grants.
Acceptable use policy (AUP) – This ensures that only authorized applications enter the network perimeter; if a specific product is blacklisted and is used, a security violation occurs.
Remote access policy – Policies for remote workers to securely connect to the organization's files and resources.
Network maintenance policy – Specifies the update and patch policy for network infrastructure (routers, switches, firewalls).
Incident handling procedures – Describe how to handle security incidents under the organization's documented approach.
BYOD Policies – Some policies and practices include password-protected access, use of MDM software, and controlling wireless connectivity.
There are also external regulations regarding network security. Network security professionals must be familiar with the laws and codes of ethics that are binding on Information Systems Security (INFOSEC) professionals.
Many organizations are mandated to develop and implement security policies. Compliance regulations define what organizations are responsible for providing and the liability if they fail to comply. The compliance regulations that an organization is obligated to follow depend on the type of organization and the data that the organization handles. Specific compliance regulations will be discussed later in the course.