Network Access Control Policy

Control 13
Applicable Safeguards: 13.1, 13.2, 13.4, 13.7, 13.8, 13.9

1. Purpose

Establish requirements for controlling and monitoring access to [ORGANIZATION]'s network resources to prevent unauthorized access and lateral movement.

2. Scope

This policy applies to all network access methods including wired, wireless, VPN, and remote access to [ORGANIZATION]'s network infrastructure.

3. Policy

3.1 Network Access Authentication

3.1.1

All network access shall be authenticated. Unauthenticated access is only permitted for designated guest networks that are fully isolated from internal resources.

3.1.2

Port-based network access control (IEEE 802.1X) shall be implemented on all wired switch ports and wireless networks where technically feasible. Ports and networks where 802.1X is not feasible shall be documented as exceptions under Section 4.2 and protected by compensating controls such as MAC-based authentication with restricted segment placement.

3.1.3

Network authentication shall integrate with [ORGANIZATION]'s centralized identity management system.

3.1.4

Full access to internal network segments shall require either a machine certificate or agent-based compliance verification. Devices that cannot present either shall be limited to a restricted segment (for example, guest or remediation) with no access to internal resources.

3.2 Remote Access

3.2.1

Remote access to [ORGANIZATION]'s network shall only be through approved VPN or zero-trust network access (ZTNA) solutions. Such solutions shall enforce multi-factor authentication, endpoint compliance verification before access is granted, and session termination after [CUSTOMIZE: 8/12/24] hours of inactivity. Split tunneling shall be disabled by default; where split tunneling is required, it shall be documented as an exception under Section 4.2 and the endpoint shall have compensating controls covering the traffic that bypasses the tunnel.

3.2.2

Third-party remote access shall use dedicated accounts and time-limited, least-privilege connections that are monitored and logged. Third-party access shall be disabled when the engagement ends or the access period expires, whichever comes first.

3.2.3

Remote access credentials and active sessions shall be revoked immediately upon personnel separation or upon a change of role that removes the need for remote access.

3.3 Network Segmentation Enforcement

3.3.1

Access between network segments shall follow the principle of least privilege: only required, documented communication flows are permitted, and all other inter-segment traffic is denied by default.

3.3.2

Micro-segmentation or software-defined networking shall be implemented for critical assets and data stores where technically feasible.

3.3.3

Network segment access policies shall be reviewed at least [CUSTOMIZE: quarterly/bi-annually].

4. Compliance

4.1

Compliance with this policy is mandatory for all personnel within its scope. Compliance will be monitored through periodic audits, automated controls, and management review.

4.2

Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Security Team], and reviewed at least annually.

5. Enforcement

5.1

Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and may result in civil or criminal penalties where applicable law has been violated.

5.2

[ORGANIZATION] reserves the right to audit compliance with this policy at any time, with or without notice.

6. Review and Revision

6.1

This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Policy Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, or organizational structure.

6.2

All revisions shall be documented with version number, date, author, and description of changes.

Policy Approval

Approved By: [CUSTOMIZE]
Title: [CUSTOMIZE]
Date: [CUSTOMIZE]

Document Control

Version: [CUSTOMIZE: 1.0]
Effective Date: [CUSTOMIZE]
Last Reviewed: [CUSTOMIZE]
Next Review: [CUSTOMIZE]
Classification: Internal