Network Security Policy
1) SCOPE
This policy is applicable to the IT Function.
2) PURPOSE
This document details the policies followed at the Company to ensure that good practices are applied in managing the Company’s networks.
3) DEFINITIONS
ISG: Information Security Group
Network: A set of two or more computing devices connected to each other for exchanging electronic information.
Note: A network includes LAN, WAN, WLAN, etc.
LAN: Local Area Network
VLAN: Virtual Local Area Network
WAN: Wide Area Network
WLAN: Wireless Local Area Network
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
LT: Leadership Team
4) RESPONSIBILITY
- The primary ownership of implementing this Policy is with IT.
- The IT Team shall implement this Policy under guidance of the Leadership Team and in coordination with Department Heads.
5) RESPONSIBILITY
- Networks shall be designed in conformance with sound security practices. The following points shall be observed while designing networks:
- The network design shall be supported by formal documentation of the network details and the users’ service requirements that will be addressed through the network.
- Adequate redundancy of critical network components shall be considered to ensure high availability, as necessary.
- Coherent technical standards shall be incorporated while using consistent naming conventions and complying with applicable statutory and regulatory requirements.
- Distinct sub-networks (LAN / VLAN) protected by rule-based traffic filtering mechanism using firewall or other technology shall be established for ensuring appropriate segregation.
- Single points of failure shall be avoided, and the number of entry points into the network shall be kept as low as possible.
- While choosing a network protocol, secure protocols shall be preferred over unsecured protocols (e.g., HTTPS over HTTP, SFTP over FTP, SSH over Telnet, etc.).
- Appropriate authorization for enabling or disabling network services shall be followed. Such authorization shall consider security risks associated with the network service in the context.
- Any unused network service shall be removed or disabled.
- Access to the network and network services shall be allocated, changed, or revoked in accordance with the Logical Access Control Policy.
- External parties shall not be allowed to access the company’s LAN or WLAN. Internal parties shall be allowed to access the LAN / WLAN from a remote location only after formal approval and shall be required to use a company-approved secure remote access mechanism.
- Vendor-supplied default credentials (administrative or otherwise) on network devices shall be changed before such devices are made operational.
- Guest accounts shall be disabled from all the network systems that come with built-in guest accounts by default.
- Network device identification banners shall be either disabled or changed to avoid any identification attempt by malicious users.
- Standard configurations for network devices shall be maintained and used. The workspace manager will conduct periodic reviews of network configurations against the configuration standards.
- Access to diagnostic ports shall be controlled.
- A business continuity plan together with a disaster recovery plan shall be maintained and tested annually for the network in accordance with the Business Continuity Policy.
6) PROCEDURE
- Network device acquisition and deployment
- This function is out of the scope of Narendra Finance.
- Network access management
- Refer to the Logical Access Management Policy for allocation, change, or revocation of access to network devices.
- Network vulnerability assessment and penetration tests
- The workspace manager of the co-working space has complete ownership of the network provided to Narendra Finance. They are responsible for scheduling vulnerability assessment and penetration tests.
- Reports of such tests will be kept confidential with the workspace manager. This function is out of the scope of Narendra Finance.
- Network Patch Management
- The workspace manager along with dedicated IT specialists will plan and deploy appropriate patches. This function is out of the scope of Narendra Finance.
- Network device decommissioning or disposal
- This function is out of the scope of Narendra Finance.