RCIT-11 Reeves County Network Security Policy

Policy Title: RCIT Reeves County Network Security Policy

Policy Number: RCIT-11

Effective Date: 09/01/2022

Purpose: RCIT Network Security Policy

Regulation Reference:

Rev: 1.202204

IT REEVES COUNTY NETWORK SECURITY POLICY

 

Policy Statement:

 

This policy is designed to safeguard the integrity of Reeves County Department's network, mitigating risks and potential losses associated with security threats to computing resources. It ensures secure and reliable network access and performance for the institution and its users. This policy is applicable to all Reeves County IT Department facilities with any form of connectivity or access to IT resources.

 

Guidelines:

 

1. Network Access and Controls:

   - Security controls are maintained on all networked systems to authorize connections, documenting interface characteristics, security requirements, and the nature of communicated information.

   - Employees are strictly prohibited from establishing unauthorized communications to the network or IT resources.

 

2. Network Infrastructure Management:

   - Reeves County IT Department's network infrastructure is managed separately from business use, with sessions on network devices relying on separate VLANs or different physical connectivity.

   - Physical and logical access to diagnostic and configuration ports is controlled, and key security tools are isolated from other internal components.

 

3. Network Security and Encryption:

   - a. IDS/IPS:

      - Next-generation firewalls, configured to the current Standard, are implemented at all internet entry and exit points.

      - IDS/IPS inspects traffic at critical points, including internet traffic, personnel VPN connections, and site-to-site VPN connections.

      - Managed and monitored by Information Security or a designated third party.

 

   - b. Application Firewalls:

      - All applications are protected by application firewalls, allowing traffic only from authorized locations on specific ports.

 

   - c. Software Patching:

      - Networking devices must be patched within 90 days of release (but no sooner than 30 days) to the latest stable version.

 

   - d. Remote Access:

      - Multi-factor authentication and data encryption in transit are mandatory for all remote access points, including VPN and other solutions.

 

   - e. Filtering:

      - URL filters and DNS filtering services are enforced to limit access to approved websites and block potentially malicious activities.

 

   - f. VPN Tunnels:

      - Configuration details for VPN tunnels are provided for internal users and vendor connections.

 

   - g. Segmentation/Segregation:

      - Network segmentation is based on information classification levels, with VLANs separating Protected Information. A deny-all, permit-by-exception policy is implemented.

 

   - h. Wireless Network:

      - Reeves County IT Department manages unlicensed radio frequencies and maintains secure wireless networking.

      - Multi-factor authentication and encryption (e.g., EAP/TLS, AES) are employed for wireless access, and unnecessary wireless access is disabled.

 

   - i. External Traffic, Services, and Requests:

      - Outbound traffic is restricted to business-related activities; inbound traffic is limited to essential applications.

      - Business-critical applications are explicitly allowed through firewalls, while other traffic is blocked based on standard categories.

 

   - j. Network Access Control:

      - All devices connected to the network must be registered and approved by the Reeves County IT Department.

      - Security checks ensure up-to-date operating system patches

 

4. Network Time Protocol:

   - Systems synchronize their time from approved time servers listed for each region.

 

5. Monitoring and Auditing:

   - Reeves County IT Department maintains and monitors traffic logs for network devices for security auditing purposes.

   - Users have no expectation of privacy, and Reeves County IT Department reserves the right to monitor, access, retrieve, read, and/or disclose data communications.

 

6. Web Browsing:

   - Internet browsing is limited to authorized websites only and can be disabled at any time.

   - User browsing history is subject to review and audit.

 

7. System Management:

   - Administrators use dedicated accounts for administrative duties, following specific naming conventions and password guidelines.

   - Administrative accounts do not have VPN access, and administrators use dedicated bastion hosts for backend infrastructure access.

 

8. Additional Controls:

   - Reeves County IT Department implements various technologies and controls based on risk assessments, such as DHCP logging, inventory of administrative accounts, penetration testing, and Red Team exercises.

 

Policy Administration and Enforcement:

   - Administered and implemented by the Reeves County IT Department.

   - Exceptions to this policy may be requested through the RCIT Help Desk process.

   - Violations may result in disciplinary actions, including access restrictions, termination, and potential legal consequences.

 

 

This policy underscores Reeves County IT Department's commitment to maintaining a secure and resilient network environment, protecting critical information assets, and ensuring the continuity of essential services. Users are expected to comply with these guidelines to contribute to the institution's overall cybersecurity posture.