WithPCI.com

Network Security Policy Template

Company Name: [Company Name]
Effective Date: [Date]
Version: [Version Number, e.g., 1.0]
Policy Owner: [CISO/IT Director]
Document Classification: Confidential / Internal Use Only
Parent Policy: Information Security Policy

Purpose

This policy establishes the requirements for securing [Company Name]'s network infrastructure to protect the confidentiality, integrity, and availability of information assets, including sensitive corporate data, Personally Identifiable Information (PII), Intellectual Property (IP), and Cardholder Data (CHD). It defines standards and procedures for network design, configuration, monitoring, and management to defend against unauthorized access, misuse, and denial of service, while ensuring compliance with relevant regulations, including PCI DSS 4.0.1.


Scope

This policy applies to all network infrastructure components owned, managed, or utilized by [Company Name], including routers, switches, firewalls, wireless access points, VPN concentrators, load balancers, cloud networking services (VPCs, security groups, etc.), and associated network management systems. It covers all physical locations, data centers, cloud environments, remote access connections, and any network segments, including the Cardholder Data Environment (CDE), Demilitarized Zones (DMZs), internal corporate networks, and guest networks. All employees, contractors, consultants, and third parties managing or accessing [Company Name]'s network are subject to this policy.


Roles and Responsibilities

Role/Group | Key Responsibilities
Executive Management | Provide overall strategic direction and resources for network security; Ensure alignment of network security with business objectives.
CISO/IT Director | Own and approve this policy; Oversee the network security program; Ensure compliance and risk management related to network infrastructure.
Information Security Team | Develop and maintain network security standards and procedures; Monitor network security posture; Perform vulnerability assessments and audits; Lead security incident response related to network events; Review and approve firewall/security changes.
Network Engineering/Operations Team | Implement, configure, and maintain network infrastructure according to this policy and associated standards; Manage network device access; Implement approved changes; Maintain network topology diagrams; Respond to network-related alerts.
System/Application Owners | Define network connectivity and security requirements for their systems/applications; Participate in firewall rule justification and reviews.
Change Advisory Board (CAB) | Review and approve significant network changes impacting critical systems or the CDE, including major firewall rule modifications.
Compliance/Audit Team | Periodically review network configurations, logs, and processes for compliance with this policy and relevant regulations (e.g., PCI DSS).
All Users | Comply with acceptable use policies; Report suspected network security issues promptly.

Policy Requirements

1. Network Segmentation and Architecture

  • Network Segmentation: Implement network segmentation to isolate critical systems and sensitive data, particularly the Cardholder Data Environment (CDE), from less trusted networks (e.g., corporate LAN, guest wireless, internet). Segmentation must be based on risk and business need, utilizing technologies like firewalls, VLANs, and Access Control Lists (ACLs). The CDE must be isolated from all other networks.
  • Network Topology Policy:
    • Maintain accurate and up-to-date network diagrams illustrating all network connections, including CDE boundaries, DMZ segments, critical system locations, and connections to third parties.
    • Diagrams must clearly identify security zones and controls separating them.
    • Diagrams must be reviewed and updated at least annually or whenever significant changes occur, following the Change Management Policy. Access to diagrams must be restricted based on job function.

2. Firewall and Router Security

  • General Requirements: Firewalls and routers must be implemented at network perimeters, between security zones (including between the CDE and other zones), and at key internal boundaries to control traffic based on defined security policies.
  • Stateful Inspection Policy: All perimeter firewalls and firewalls protecting critical zones (such as the CDE) must implement stateful inspection, so that inbound packets are accepted only when they belong to an established, legitimately initiated connection.
  • Firewall Ruleset Standard:
    • Implement a default-deny approach for all inbound and outbound traffic. Allow only explicitly authorized services, protocols, and ports necessary for business functions.
    • Each rule must have a documented business justification, owner, and expiration date (if applicable).
    • Rules must be specific, limiting source/destination IP addresses and ports/protocols to the minimum required (avoid "Any/Any" rules unless explicitly justified and approved).
    • Implement rules based on the principle of least privilege.
    • Obsolete, redundant, or overly permissive rules must be identified and removed promptly via the change management process.
    • Rules pertaining to the CDE must be clearly identified and subject to stricter review.
  • Ruleset Review Procedure: Firewall and router rulesets must be reviewed at least every six months to ensure accuracy, necessity, and compliance with this policy. Reviews must be documented, including participants, findings, and actions taken (referencing relevant Change Requests). (PCI DSS Req 1.2.4, Req 1.3.2 effective March 31, 2025).
  • Firewall Change Management Procedure:
    • All changes to firewall or router configurations (including ruleset modifications, OS upgrades, hardware changes) must follow the [Company Name] Change Management Policy.
    • Requests must include justification, detailed technical steps, security impact assessment (especially on CDE), test plan, and rollback plan.
    • Changes impacting the CDE or critical security functions require explicit review and approval from the Information Security team and CAB, as appropriate.
    • Post-implementation validation must confirm the change was successful and did not introduce unintended security weaknesses. Documentation (ruleset, diagrams) must be updated promptly.
  • Configuration Standards: Documented configuration standards must be maintained for all firewall and router types, covering secure setup, logging, access control, patch management, and disabling unnecessary services. Vendor defaults must be changed before deployment (PCI DSS Req 2).
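
The following is an added example for this template (not code from WithPCI or any firewall vendor) showing how the Firewall Ruleset Standard and the six-monthly Ruleset Review Procedure above can be checked mechanically before a review meeting. The rule schema, rule IDs, addresses and the sample ruleset are constructed for illustration; a real review would export the rules from the firewall and map them onto this schema. Beyond the checks the standard lists by name (any/any, missing owner or justification, expired rules, under-specified CDE rules, a final default deny), it also flags rules that an earlier rule already fully covers, which is how redundant and unreachable rules accumulate.

```python
"""Audit a firewall ruleset against the Firewall Ruleset Standard.

Added example for this policy template; not code from WithPCI or from any
firewall vendor. The Rule schema, rule IDs, addresses and the sample
ruleset are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Rule:
    rule_id: str
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    proto: str                # "tcp", "udp", "icmp" or "any"
    ports: FrozenSet[int]     # destination ports; empty set means any port
    action: str               # "allow" or "deny"
    owner: str = ""
    justification: str = ""
    expires: Optional[date] = None
    cde: bool = False         # rule crosses the CDE boundary


def _net(cidr: str):
    return ip_network("0.0.0.0/0") if cidr == "any" else ip_network(cidr)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` would already match `outer`."""
    src_ok = _net(outer.src).supernet_of(_net(inner.src))
    dst_ok = _net(outer.dst).supernet_of(_net(inner.dst))
    proto_ok = outer.proto in ("any", inner.proto)
    ports_ok = not outer.ports or bool(inner.ports and inner.ports <= outer.ports)
    return src_ok and dst_ok and proto_ok and ports_ok


def audit(rules: List[Rule], today: date) -> List[Tuple[str, str]]:
    """Return (rule_id, finding) pairs. Rules are in evaluation order; first match wins."""
    findings: List[Tuple[str, str]] = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.src == "any" and r.dst == "any":
            findings.append((r.rule_id, "any/any rule: requires explicit justification and approval"))
        if not r.owner or not r.justification:
            findings.append((r.rule_id, "missing owner or business justification"))
        if r.expires and r.expires < today:
            findings.append((r.rule_id, f"expired on {r.expires.isoformat()}; remove via change management"))
        if r.cde and (not r.ports or r.proto == "any"):
            findings.append((r.rule_id, "CDE rule must name protocol and ports"))
        # A rule fully covered by an earlier one never matches: it is redundant
        # (earlier rule allows) or unreachable (earlier rule denies). Either way
        # it should be removed rather than left to accumulate.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.rule_id, f"never matched: fully covered by {earlier.rule_id}"))
                break
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "any" and last.dst == "any"
            and last.proto == "any" and not last.ports):
        findings.append(("ruleset", "no final default-deny rule"))
    return findings


# Constructed sample ruleset (documentation address ranges only).
SAMPLE_RULES = [
    Rule("FW-001", "203.0.113.0/24", "10.10.1.10/32", "tcp", frozenset({443}), "allow",
         owner="web-team", justification="Public HTTPS to DMZ web tier"),
    Rule("FW-002", "10.10.1.10/32", "10.20.0.5/32", "tcp", frozenset({5432}), "allow",
         owner="payments", justification="DMZ app to CDE database",
         expires=date(2026, 12, 31), cde=True),
    Rule("FW-003", "10.10.1.0/24", "10.20.0.0/24", "tcp", frozenset({5432}), "allow",
         owner="payments", justification="Temporary migration access",
         expires=date(2024, 1, 31), cde=True),
    Rule("FW-004", "203.0.113.0/24", "10.10.1.10/32", "tcp", frozenset({443}), "allow",
         owner="web-team", justification="Added again by a later change"),
    Rule("FW-005", "any", "any", "tcp", frozenset(), "allow"),   # the kind of rule the standard forbids
    Rule("FW-999", "any", "any", "any", frozenset(), "deny",
         owner="netsec", justification="Default deny"),
]
AUDIT_DATE = date(2025, 6, 1)   # constructed review date


def audit_sample() -> List[Tuple[str, str]]:
    return audit(SAMPLE_RULES, AUDIT_DATE)


if __name__ == "__main__":
    for rule_id, finding in audit_sample():
        print(f"{rule_id}: {finding}")
```

Each finding maps to an action under the Firewall Change Management Procedure: expired and shadowed rules become removal change requests, and any/any or unowned rules either get a documented owner and justification or are removed. The output of this kind of script, together with the reviewer names and resulting change request numbers, is the documentation the review procedure asks for.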

3. DMZ Architecture and Security

  • DMZ Architecture Standard: Establish Demilitarized Zones (DMZs) to host systems providing services accessible from untrusted networks (e.g., web servers, email servers, VPN gateways). DMZs must be logically or physically separated from the internal corporate network and the CDE. A multi-firewall architecture (external firewall for internet-DMZ, internal firewall for DMZ-internal) is recommended for enhanced security.
  • DMZ Traffic Rules:
    • Traffic from the internet to the DMZ must be restricted to only necessary protocols/ports for the specific services hosted in the DMZ.
    • Traffic from the DMZ to the internal network must be strictly controlled and generally denied, except for specific, justified, and approved connections (e.g., application data transfer to a backend server).
    • Traffic originating from the DMZ to the internet should be restricted to only necessary outbound connections (e.g., DNS lookups, software updates from trusted sources).
    • Direct traffic between the internet and the internal network bypassing the DMZ firewall rules is prohibited.
    • Systems within the DMZ must be hardened and monitored closely due to their higher exposure.

4. Network Access Control

  • Access Control Lists (ACLs): Implement ACLs on routers, switches, and firewalls to enforce network segmentation and restrict traffic based on source/destination IP, protocol, and port, adhering to the principle of least privilege. ACLs must be documented and reviewed regularly as part of the ruleset review process.
  • Anti-Spoofing Standard: Implement measures to detect and prevent IP address spoofing at network perimeters and key internal boundaries. This includes ingress filtering (blocking traffic arriving from the internet with internal source IP addresses) and potentially egress filtering (blocking traffic leaving the internal network with source IPs not allocated to the organization). Unicast Reverse Path Forwarding (uRPF) should be considered where feasible.
  • Remote Access: Remote access to the internal network must utilize secure, encrypted methods (e.g., VPN) and require Multi-Factor Authentication (MFA). Split-tunneling on VPNs providing access to critical environments like the CDE is prohibited.
  • Administrative Access: Access to network device management interfaces must be restricted to authorized personnel via secure protocols (e.g., SSH, HTTPS), require MFA, utilize unique credentials (no shared accounts), and originate from dedicated, secured management workstations or network segments.
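
As an added example for this template (not WithPCI's code or any router vendor's feature), the following models the three anti-spoofing decisions the Anti-Spoofing Standard describes: ingress filtering on the internet-facing interface, egress filtering where internal traffic enters the router, and strict unicast Reverse Path Forwarding, which drops a packet when the best route back to its source does not point at the interface it arrived on. The interface names, address allocations and routing table are constructed for illustration and the code handles IPv4 only.

```python
"""Anti-spoofing decisions for a border router: ingress filtering, egress
filtering and strict unicast RPF.

Added example for this policy template; not code from WithPCI or any router
vendor. Interface names, allocations and the routing table are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed: private space used internally and the public block the
# organization owns (203.0.113.0/24 is a documentation range).
INTERNAL_PREFIXES = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_ALLOCATION = [ip_network("203.0.113.0/24")]
# Sources that are never valid on an internet-facing interface (a subset of bogons).
BOGONS = [ip_network(p) for p in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                                  "224.0.0.0/4", "240.0.0.0/4")]
# Constructed routing table: prefix -> interface the router uses to reach it.
ROUTES = {
    ip_network("0.0.0.0/0"): "wan0",
    ip_network("203.0.113.0/24"): "dmz0",
    ip_network("10.0.0.0/8"): "lan0",
    ip_network("10.20.0.0/24"): "cde0",
}
EXTERNAL_IF = "wan0"


def _in_any(addr, prefixes) -> bool:
    return any(addr in p for p in prefixes)


def lookup_route(addr) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach addr."""
    matches = [p for p in ROUTES if addr in p]
    if not matches:
        return None
    return ROUTES[max(matches, key=lambda p: p.prefixlen)]


def verdict(ingress_if: str, src: str) -> Tuple[str, str]:
    """Classify a packet by arrival interface and source address: ("allow"|"drop", reason)."""
    addr = ip_address(src)
    if ingress_if == EXTERNAL_IF:
        # Ingress filtering: nothing arriving from the internet may carry an
        # internal, organization-owned or bogon source address.
        if _in_any(addr, INTERNAL_PREFIXES + PUBLIC_ALLOCATION + BOGONS):
            return "drop", "ingress filter: internal, owned or bogon source on external interface"
    elif not _in_any(addr, INTERNAL_PREFIXES + PUBLIC_ALLOCATION):
        # Egress filtering, applied where internal traffic enters the router:
        # only addresses the organization allocates may leave.
        return "drop", "egress filter: source not allocated to the organization"
    # Strict uRPF: the best route back to the source must point at the
    # interface the packet arrived on; otherwise the source is inconsistent.
    route_if = lookup_route(addr)
    if route_if != ingress_if:
        return "drop", f"uRPF: route to source is via {route_if}, not {ingress_if}"
    return "allow", "source consistent with arrival interface"


SAMPLE_PACKETS: List[Tuple[str, str]] = [  # constructed (arrival interface, source IP)
    ("wan0", "198.51.100.7"),   # ordinary internet source
    ("wan0", "10.1.2.3"),       # internal source address arriving from the internet
    ("wan0", "127.0.0.1"),      # bogon
    ("lan0", "10.20.0.9"),      # CDE address appearing on the corporate LAN interface
    ("cde0", "10.20.0.9"),      # same address on its proper interface
    ("lan0", "192.0.2.5"),      # internal host using an address the organization does not own
]


def run_samples():
    return [(ifname, src, *verdict(ifname, src)) for ifname, src in SAMPLE_PACKETS]


if __name__ == "__main__":
    for ifname, src, action, reason in run_samples():
        print(f"{ifname:5} {src:15} {action:5} {reason}")
```

The fourth sample packet is the case worth noting for CDE segmentation: a packet carrying a CDE source address but arriving on the corporate LAN interface passes both address-list filters and is caught only by the uRPF check, because the router's own routing table says that address lives behind a different interface. Strict uRPF assumes symmetric routing, which is why the standard says "where feasible"; on links with asymmetric paths, loose mode (source merely present in the routing table) is the usual fallback.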

5. Wireless Network Security

  • Wireless Network Security Policy: Wireless networks present unique risks and must be secured rigorously, especially if connected to or capable of impacting the CDE.
  • Segmentation: All wireless networks must be segmented from the wired network and the CDE, typically placed in their own security zone or DMZ. Guest wireless networks must be completely isolated from internal corporate and CDE networks.
  • Wireless Security Configuration Standard:
    • Change all default settings on wireless access points (APs) and controllers (e.g., admin passwords, SNMP community strings, SSIDs) before deployment.
    • Configure APs with the strongest available security settings, disabling unnecessary protocols (e.g., WPS, legacy management interfaces).
    • Maintain an inventory of all authorized APs.
    • Implement measures to detect and alert on rogue access points, performed at least quarterly; detected rogue APs are handled through the Incident Response Plan [PCI DSS Req 11.2.1].
  • Wireless Encryption Policy: All authorized wireless networks transmitting or connecting to systems handling sensitive data (including the CDE) must use robust encryption protocols, specifically WPA2 or WPA3 with strong, unique pre-shared keys or preferably certificate-based authentication (e.g., EAP-TLS). Outdated protocols like WEP and WPA (TKIP) are prohibited.
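
The following added example (not WithPCI's code or a product feature) shows the comparison behind the rogue-AP detection and the Wireless Encryption Policy above: a scan of visible access points is checked against the inventory of authorized APs the configuration standard requires. The inventory, SSIDs, BSSIDs, security-mode labels and scan results are constructed for illustration; in practice the scan comes from a wireless controller or a WIDS sensor.

```python
"""Compare a wireless scan against the authorized AP inventory and flag rogue
or misconfigured access points.

Added example for this policy template; not code from WithPCI or any WIDS
product. Inventory, SSIDs, BSSIDs, mode labels and scan data are constructed.
"""
from typing import Dict, List, Tuple

# Constructed inventory: BSSID -> (SSID, required security mode).
AUTHORIZED_APS: Dict[str, Tuple[str, str]] = {
    "aa:bb:cc:00:00:01": ("Corp-WiFi", "WPA3-EAP"),
    "aa:bb:cc:00:00:02": ("Corp-WiFi", "WPA3-EAP"),
    "aa:bb:cc:00:00:03": ("Corp-Guest", "WPA2-PSK"),
    "aa:bb:cc:00:00:04": ("Corp-WiFi", "WPA3-EAP"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}
PROHIBITED_MODES = {"OPEN", "WEP", "WPA-TKIP"}   # per the Wireless Encryption Policy

# Constructed scan: (BSSID, SSID, security mode, RSSI in dBm).
SCAN: List[Tuple[str, str, str, int]] = [
    ("aa:bb:cc:00:00:01", "Corp-WiFi", "WPA3-EAP", -45),
    ("aa:bb:cc:00:00:02", "Corp-WiFi", "WPA2-PSK", -50),    # weaker than the inventory requires
    ("aa:bb:cc:00:00:03", "Corp-Guest", "WPA2-PSK", -60),
    ("de:ad:be:ef:00:01", "Corp-WiFi", "WPA2-PSK", -40),    # unknown AP using the corporate SSID
    ("de:ad:be:ef:00:02", "Printer-Setup", "OPEN", -70),    # unknown open AP
    ("11:22:33:44:55:66", "Neighbour-Net", "WPA2-PSK", -85),  # probably a neighbour
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def classify(scan, inventory=AUTHORIZED_APS) -> List[Tuple[str, str, str]]:
    """Return (severity, bssid, message) findings, most severe first."""
    findings: List[Tuple[str, str, str]] = []
    seen = set()
    for bssid, ssid, mode, rssi in scan:
        seen.add(bssid)
        if bssid in inventory:
            exp_ssid, exp_mode = inventory[bssid]
            if ssid != exp_ssid:
                findings.append(("high", bssid, f"authorized AP broadcasting unexpected SSID {ssid!r}"))
            if mode != exp_mode:
                extra = " and is prohibited" if mode in PROHIBITED_MODES else ""
                findings.append(("high", bssid, f"security mode {mode} differs from required {exp_mode}{extra}"))
        elif ssid in CORPORATE_SSIDS:
            # An unknown BSSID advertising a corporate SSID is the highest-priority case:
            # clients may associate to it and expose credentials or traffic.
            findings.append(("critical", bssid, f"unknown AP advertising corporate SSID {ssid!r} (RSSI {rssi})"))
        elif mode in PROHIBITED_MODES:
            findings.append(("medium", bssid, f"unknown AP {ssid!r} using prohibited mode {mode}; check for a wired connection"))
        else:
            findings.append(("info", bssid, f"unknown AP {ssid!r} (RSSI {rssi}); likely a neighbouring network"))
    # Inventory entries that never appeared: offline, moved, or replaced.
    for bssid, (ssid, _) in inventory.items():
        if bssid not in seen:
            findings.append(("medium", bssid, f"authorized AP for {ssid!r} not observed; verify it is online"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


if __name__ == "__main__":
    for severity, bssid, message in classify(SCAN):
        print(f"[{severity:8}] {bssid}  {message}")
```

A scan alone cannot tell whether an unknown AP is plugged into the corporate wired network, which is why the medium-severity findings ask for that check; correlating the BSSID's MAC with switch port tables is the usual follow-up, and the critical and high findings go straight to the Incident Response Plan.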

6. Network Monitoring and Logging

  • Logging Requirements: Enable sufficient logging on network devices (firewalls, routers, switches, VPNs, wireless controllers, DNS servers) to track connections, administrative actions, and security events. Logs must include source/destination IP, port, protocol, timestamp, user ID (where applicable), and event type. Synchronize clocks across all network devices using a central time source (e.g., NTP).
  • Outbound Traffic Logging: Log and monitor outbound traffic, particularly from sensitive zones like the CDE, to detect potential data exfiltration or connections to malicious sites. Focus on logging connections initiated from critical systems.
  • Packet Logging: Implement full packet capture only in specific, targeted locations (e.g., critical ingress/egress points, specific servers during an investigation) due to storage and performance overhead. Rely primarily on flow data (e.g., NetFlow, sFlow) and security device logs (firewall, IDS/IPS) for routine monitoring.
  • Log Review and Retention: Network security logs must be sent to a central SIEM system for correlation, alerting, and analysis. Logs must be reviewed regularly (daily for critical alerts, weekly/monthly for trends). Retain logs for at least one year, with at least three months immediately available for analysis (PCI DSS Req 10.5).
  • Protocol Whitelisting Policy: Where feasible, especially for critical systems or segments like the CDE, implement policies that allow only explicitly expected and approved network protocols. Deny all other protocols by default. This complements port-based firewall rules.
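
As an added example for this template (not WithPCI's code or any SIEM product), the following applies the Outbound Traffic Logging and Protocol Whitelisting requirements above to firewall connection logs: every allowed connection leaving the CDE is compared with a table of the only outbound flows (destination, protocol, port) that are expected, and anything else becomes an alert. The log line format, the CDE prefix, the approved-flow table and the sample log are constructed for illustration; the regular expression would be adapted to the firewall's actual log format.

```python
"""Review firewall connection logs for outbound traffic from the CDE.

Added example for this policy template; not code from WithPCI or any SIEM
product. Log format, CDE prefix, approved flows and sample lines are constructed.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

CDE_NETS = [ip_network("10.20.0.0/24")]
INTERNAL_NETS = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Protocol whitelist for the CDE: the only outbound flows that are expected.
APPROVED_OUTBOUND: Dict[Tuple[str, str, int], str] = {
    ("10.30.0.53", "udp", 53): "internal DNS resolver",
    ("10.30.0.10", "tcp", 443): "patch mirror",
    ("10.30.0.20", "tcp", 514): "SIEM syslog forwarder",
}

# Constructed log format: ISO timestamp, device name, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw: action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
2025-06-01T10:00:01Z fw-cde-01 fw: action=allow proto=udp src=10.20.0.5:51234 dst=10.30.0.53:53
2025-06-01T10:00:02Z fw-cde-01 fw: action=allow proto=tcp src=10.20.0.5:44120 dst=10.30.0.10:443
2025-06-01T10:00:03Z fw-cde-01 fw: action=allow proto=tcp src=10.20.0.7:44121 dst=198.51.100.44:443
2025-06-01T10:00:04Z fw-cde-01 fw: action=deny proto=tcp src=10.20.0.7:44122 dst=198.51.100.44:22
2025-06-01T10:00:05Z fw-cde-01 fw: action=allow proto=tcp src=10.20.0.9:50001 dst=10.30.0.20:514
2025-06-01T10:00:06Z fw-cde-01 fw: action=allow proto=udp src=10.20.0.9:50002 dst=10.30.0.53:123
2025-06-01T10:00:07Z fw-cde-01 fw: action=allow proto=tcp src=10.10.1.10:40000 dst=10.20.0.5:5432
this line is deliberately malformed and must be counted, not crash the review
"""


def _in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in n for n in nets)


def review(log_text: str):
    """Return (alerts, stats). Alerts are (timestamp, src, reason) for allowed
    outbound CDE connections that are not on the approved list."""
    alerts: List[Tuple[str, str, str]] = []
    stats = {"parsed": 0, "unparsed": 0, "cde_outbound_allowed": 0, "cde_outbound_denied": 0}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            stats["unparsed"] += 1      # parser gaps are themselves worth reporting
            continue
        stats["parsed"] += 1
        e = m.groupdict()
        if not _in_any(e["src"], CDE_NETS) or _in_any(e["dst"], CDE_NETS):
            continue                    # not an outbound flow from the CDE
        if e["action"] != "allow":
            stats["cde_outbound_denied"] += 1   # blocked attempts: trend these, too
            continue
        stats["cde_outbound_allowed"] += 1
        key = (e["dst"], e["proto"], int(e["dport"]))
        if key not in APPROVED_OUTBOUND:
            where = "internal" if _in_any(e["dst"], INTERNAL_NETS) else "external"
            alerts.append((e["ts"], e["src"],
                           f"unapproved outbound {e['proto']}/{e['dport']} to {where} host {e['dst']}"))
    return alerts, stats


if __name__ == "__main__":
    found, counts = review(SAMPLE_LOG)
    print(counts)
    for ts, src, reason in found:
        print(ts, src, reason)
```

Two of the sample lines produce alerts: an allowed HTTPS connection from a CDE host to an external address, and NTP sent to the DNS resolver, which is a real service on an approved host but not an approved protocol/port for it. The denied SSH attempt from the same CDE host is not an alert on its own, but its count is kept because a cluster of denies from one CDE system is the kind of trend the weekly review is meant to catch.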

Enforcement

  • Failure to comply with this Network Security Policy may result in disciplinary action, up to and including termination of employment or contract, in accordance with established HR policies.
  • Network access may be revoked for users or systems found to be in violation of this policy. Unauthorized devices connected to the network will be disconnected and investigated.
  • Exceptions to this policy require a documented business justification, formal risk assessment, implementation of compensating controls, and written approval from the CISO/IT Director. Approved exceptions must be reviewed at least annually.

Revision History

Version | Date | Author | Change Details
1.0 | [Date] | [Author Name] | Initial policy release
[Ver #] | [Date] | [Author Name] | [Summary of changes]

Approval

Name | Title | Signature | Date
[Exec Name] | [Executive Title, e.g., CIO] | | [Date]
[CISO Name] | [CISO/IT Director Title] | | [Date]

Appendix A: Firewall Change Management High-Level Flow

graph TD
    A[Initiate CR for Firewall Change] --> B{Security & Technical Review}
    B -->|Impacts CDE/Critical: Yes| C{CAB Review & Approval}
    B -->|Impacts CDE/Critical: No| D[Security/Network Lead Approval]
    C --> E[Schedule & Implement Change]
    D --> E
    E --> F[Validate Change & Test]
    F -->|Pass| G[Update Documentation]
    F -->|Fail| H{Invoke Rollback Plan}
    H --> I[Execute & Validate Rollback]
    I --> G
    G --> J[Close CR]

    subgraph Pre-Implementation
        A
        B
        C
        D
    end
    subgraph Implementation & Post
        E
        F
        G
        H
        I
        J
    end

Appendix B: Network Security Controls - PCI DSS 4.0.1 Mapping

PCI DSS Requirement | Relevant Policy Section(s) | Key Controls Covered
Req 1 (Overall) | Entire Policy (esp. Sec 1, 2, 3) | Network controls, Firewalls, Routers, Segmentation, DMZ, Configuration Standards
1.2.1, 1.3.1, 1.3.3 | Policy Req 2 (Firewall Ruleset Standard, Protocol Whitelisting) | Inbound/Outbound traffic control, Default Deny, Permit only necessary traffic
1.2.3 | Policy Req 1 (Network Topology Policy) | Maintain current network diagrams
1.2.4, 1.3.2 | Policy Req 2 (Ruleset Review Procedure) | Firewall/Router rule reviews at least every six months
1.4.1, 1.4.2 | Policy Req 2 (Configuration Standards), Req 4 (Admin Access) | Secure config for firewalls/routers, Personal firewalls (covered elsewhere), Restricted access to network devices
1.5 | Policy Req 3 (DMZ Architecture/Traffic Rules) | DMZ implementation and traffic restrictions
2.2.2, 2.2.3 | Policy Req 2 (Config Standards), Req 5 (Wireless Config Standard) | Change vendor defaults, Disable unnecessary services/protocols on network devices
4.2.1 | Policy Req 5 (Wireless Encryption Policy) | Strong encryption (WPA2/WPA3) for wireless transmitting CHD
6.4 | Policy Req 2 (Firewall Change Management Procedure) | Change management for network components
8.3, 8.4, 8.5, 8.6 | Policy Req 4 (Admin Access, Remote Access) | Unique IDs, MFA for network access (esp. admin/remote), Password complexity (implicit/ref User Policy)
10.2, 10.3, 10.5 | Policy Req 6 (Logging Requirements, Log Review/Retention) | Logging network events, Time synchronization, Log retention
11.2.1 | Policy Req 5 (Wireless Config Standard - Rogue AP Ref) | Rogue AP detection process (detailed in IRP)
11.3.2 | Policy Req 2 (Stateful Inspection Policy) | Stateful inspection firewalls
(Implied by 11.4) | Policy Req 6 (Overall), Req 4 (Anti-Spoofing) | Network monitoring, IDS/IPS (covered elsewhere), Anti-spoofing

Appendix C: Key Terms

  • ACL (Access Control List): A list of permissions attached to an object, specifying which users or system processes are granted access and what operations are allowed. In networking, typically applied to routers/switches/firewalls to filter traffic.
  • CDE (Cardholder Data Environment): The people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.
  • DMZ (Demilitarized Zone): A perimeter network segment that separates an organization's internal network from untrusted networks, usually the internet.
  • Firewall: A network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
  • IDS/IPS (Intrusion Detection System / Intrusion Prevention System): Systems that monitor network or system activities for malicious activity or policy violations and produce reports (IDS) or attempt to block them (IPS).
  • MFA (Multi-Factor Authentication): A security process that requires more than one method of authentication from independent categories of credentials to verify the user's identity.
  • PCI DSS (Payment Card Industry Data Security Standard): A set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
  • Segmentation: Dividing a computer network into smaller subnetworks or segments, typically for performance or security purposes.
  • SIEM (Security Information and Event Management): Software products and services combining security information management (SIM) and security event management (SEM).
  • Stateful Inspection: A firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.
  • VPN (Virtual Private Network): Extends a private network across a public network, enabling users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
  • WPA2/WPA3 (Wi-Fi Protected Access 2/3): Security protocols and certification programs developed by the Wi-Fi Alliance to secure wireless computer networks.
