A network security policy is a strategic document that specifies the rules and regulations of computer use and computer network access for an organization. Common among government groups, educational institutions and businesses, a network security policy is usually compiled by policymakers or lawyers. The purpose of the policy is to provide information security and computer security and to delineate liability and user responsibility. The policy might also state the rules for the use of network equipment, define permissions to the network, and manage or control the data transmitted across the network. Most importantly, the network security policy regulates the communications between the network and the Internet.
Industrial espionage is a growing threat to businesses and educational research facilities that thrive on innovation and invention. Computer hackers might use strong-arm tactics such as code injection or keylogging software to crack a computer network. Some hackers use the more subtle social-psychological tactic of enticing unwary employees to divulge company usernames or sensitive information, thus gaining entrance into a network. A network security policy stipulates rules for employee behavior and provides a clear-cut security engineering policy for protecting trade secrets and monitoring suspicious activity.
The network security policy also delineates computer security practices for all users on the network. The policy might state appropriate and inappropriate communications between employees, such as prohibiting or monitoring the circulation of personal emails. In the network security policy, users might be required to register all computer devices that access the network, such as laptops and personal devices. The policy clearly specifies acceptable activity and defines all unacceptable activity, including penalties.
One of the most fundamental elements in the network security policy is the regulation of communications between the network and the Internet. Although it is extremely beneficial for research and external communications, the Internet can also provide a direct route for a network security breach. A good network policy takes into consideration threats from the outside as well as the inside. Usually, the organization conducts a risk analysis, determining acceptable Internet activity within the network, and specifies or filters Internet access and activity. For example, access to government or educational websites might be allowed, but viral video websites might be prohibited or blocked.
A network security policy is only as good as its implementation. Enforcement of policy rules is critical. Many businesses and educational institutions might form their own internal crew of network security personnel or hire a security engineering firm. Still others might use special software that monitors and manages all network activity.