Network Security Policy

[ORGANIZATION]'s network shall be designed and maintained with defense-in-depth principles, incorporating: network segmentation between zones of different trust levels, demilitarized zones (DMZ) for internet-facing services, restricted management networks for administrative access, and isolated networks for sensitive systems (PCI, healthcare, etc.).

Network architecture diagrams shall be maintained and updated within [CUSTOMIZE: 30 days] of any significant network change.

All traffic between network segments of different trust levels shall pass through a firewall or equivalent security control.

Access to [ORGANIZATION]'s network shall require authentication and authorization.

Wireless networks shall use WPA3 (or WPA2 Enterprise minimum) with certificate-based authentication for corporate access.

Guest network access shall be isolated from internal networks with no route to internal resources.

Network access control (NAC) solutions shall be deployed to verify device compliance before granting network access where technically feasible.

VPN connections shall require MFA and shall terminate only to authorized, managed devices.

Intrusion detection/prevention systems (IDS/IPS) shall be deployed at network perimeters and at key internal network boundaries.

IDS/IPS signatures shall be updated at least [CUSTOMIZE: daily/weekly].

Network traffic shall be monitored for anomalous patterns including: unusual data volumes, connections to known malicious destinations, lateral movement indicators, and command-and-control traffic patterns.

DNS traffic shall be monitored and filtered to detect and block communication with malicious domains.

All network security events shall be forwarded to the centralized SIEM for correlation and analysis.