Infrastructure, Network and Cloud Security Policy
| Document Information | |
|---|---|
| Version | {{version}} |
| Effective Date | {{effective_date}} |
| Document Owner | {{document_owner}} |
| Next Review | {{next_review_date}} |
| Approved By | {{approved_by}} |
Purpose
The purpose of this policy is to establish guidelines for ensuring the secure operation of the information systems and networks of {{company_name}}, hereafter referred to as "the company", protecting the confidentiality, integrity, and availability of our data.
The intent of this policy is to establish the direction and principles for the protection of {{company_name}}'s Infrastructure, Network and Cloud assets against cyber threats and enable continuous improvement of security capability and resilience to emerging and evolving security threats.
Scope
This policy applies to all employees, interns, contractors, and third parties who have access to the company's information systems and networks.
Infrastructure Security
Infrastructure security is to ensure that all IT infrastructure, including servers, desktop computers, laptops, mobile devices, and network equipment, is protected against unauthorized access, threats, and vulnerabilities. This is critical to maintaining the confidentiality, integrity, and availability of our data and systems.
- Physical Security Measures: All IT infrastructure should be physically secured to prevent unauthorized access, theft, or damage. This includes secure storage of equipment, controlled access to server rooms and data centres, and secure disposal of obsolete equipment.
- Access Controls: Access to IT infrastructure should be controlled based on the principle of least privilege. Users should only be granted the access privileges that are necessary for their job functions. Access privileges should be reviewed regularly and updated as necessary.
- Security Updates and Patches: All IT infrastructure should be kept up to date with the latest security updates and patches. The {{it_provider}} should monitor for the release of relevant updates and patches and apply them in a timely manner.
- Configuration {{management_team}}: All IT infrastructure should be configured in a secure manner. This includes disabling unnecessary services, configuring security settings, and using secure configurations for network equipment.
- Network Security: Network equipment should be secured using appropriate security measures, such as firewalls, intrusion detection systems, and secure network architectures.
- Malware Protection: All IT infrastructure should be protected against malware. This includes the use of antivirus software, regular malware scans, and user education on avoiding malware.
- Asset {{management_team}}: All IT infrastructure should be tracked in an asset register. The asset register should include information such as the asset's location, user, and configuration.
The {{it_provider}} is responsible for implementing and maintaining the infrastructure security measures outlined in this policy. All users are responsible for complying with this policy and for reporting any suspected security incidents.
Network Security
Network security is to protect the company's networks, including both wired and wireless networks, from unauthorized access, threats, and vulnerabilities. This is critical to maintaining the confidentiality, integrity, and availability of our data and systems.
- Firewalls: Firewalls should be used to control the flow of traffic into and out of the company's networks. Firewalls should be configured to deny all traffic by default and only allow traffic that is necessary for the company's operations.
- Intrusion Detection and Prevention Systems (IDS/IPS): IDS/IPS should be used to detect and prevent unauthorized access to the company's networks. IDS/IPS should be configured to alert {{it_provider}} of any suspicious activity and to block such activity when possible.
- Secure Network Architectures: The company's networks should be designed with security in mind. This includes zero trust networks for sensitive systems and data. The use of infrastructure software to protect the network for travelling or work from home employees/contractors should be implemented.
- Secure Communication Protocols: All communication over the company's networks should be secured using secure communication protocols. This includes the use of encryption to protect the confidentiality of data in transit, and the use of secure protocols such as HTTPS and other secure file transfer protocols where required.
- Wireless Network Security: Wireless networks should be secured using strong encryption, such as WPA2 or WPA3. The use of default or easily guessable passwords should be avoided. Wireless networks should also be regularly scanned for rogue access points.
The {{it_provider}} is responsible for implementing and maintaining the network security measures outlined in this policy. All users are responsible for complying with this policy and for reporting any suspected security incidents.
Cloud Security
Cloud security is to ensure that all cloud services used by the company provide adequate security measures to protect our data and systems. This is critical to maintaining the confidentiality, integrity, and availability of our data and systems in the cloud.
- Data Encryption: All data stored in the cloud should be encrypted both at rest and in transit. This includes the use of strong encryption algorithms and secure key management practices.
- Access Controls: Access to data and services in the cloud should be controlled based on the principle of least privilege. Users should only be granted the access privileges that are necessary for their job functions. Access privileges should be reviewed quarterly and updated as necessary.
- Compliance with Security Standards and Regulations: All cloud services used by the company should comply with relevant security standards and regulations.
- ISO 27001 Certification: The company should use cloud services that are certified under ISO 27001 or equivalent standards. This certification provides assurance that the cloud service provider has implemented a comprehensive information security management system.
- Cloud Service Provider Security: The company should evaluate the security practices of cloud service providers before using their services. This includes reviewing the provider's security certifications, security architecture, data privacy practices, and incident response capabilities.
- Cloud Security Monitoring: The company should monitor its use of cloud services for security incidents and anomalies. This includes regular security audits, vulnerability assessments, and monitoring for unusual activity.
The {{it_provider}} is responsible for implementing and maintaining the cloud security measures outlined in this policy. All users are responsible for complying with this policy and for reporting any suspected security incidents.
Staff Responsibilities
Staff (including interns and contractors) are expected to uphold the expected standards of professional conduct and comply with this policy in its entirety.
All staff must read, understand, and comply with all components of this policy, and all laws and regulations that apply to their role.
- Staff should speak up when seeing possible violations of the policies, and legal and regulatory requirements.
- Staff should be truthful, cooperate fully in any internal investigations, and not conceal or destroy information.
- Staff should ensure they complete training on the policies, and attest that they understand and commit to comply with them.
- Failing to read or attest to the policies does not excuse staff from these responsibilities.
Review
This policy will be reviewed at least annually or as needed based on changes to our business, technology, or regulatory environment.
Enforcement & Waivers
These policies are important to us. Violation may result in disciplinary action, up to and including termination of employment. A provision of the policies may be waived for a staff member only with the consent of {{company_name}}'s board of directors.
Essential Eight Alignment
This policy supports:
- Patch Applications - For infrastructure components
- Patch Operating Systems - For servers and network devices
- Restrict Administrative Privileges - For infrastructure access
- Configure Microsoft Office Macro Settings - For admin workstations
Target Maturity: {{e8_target_maturity}}
Implementation Check
- Who owns this? {{policy_owner}}
- Are we doing it? {{implementation_status}}
- When will we check again? {{next_review_date}}