Global Network Firewall Policy
Download PDF
Controlled copy — valid on date of download only
Internal Use
Global Network Firewall Policy
Document Control
| Item | Details |
|---|---|
| Version | 1.1 |
| Cadence | Annual |
| Policy Owner | Chief Technology Officer |
| Approved By | Chief Executive Officer |
| DCF References | DCF-10, DCF-11, DCF-12, DCF-13, DCF-21, DCF-22, DCF-32, DCF-38, DCF-39, DCF-40, DCF-41, DCF-42, DCF-48, DCF-49, DCF-55, DCF-56, DCF-57, DCF-60, DCF-72, DCF-73, DCF-74, DCF-80, DCF-81 |
1. PURPOSE AND SCOPE
1.1 Purpose
The purpose of this policy is to define requirements for deployment, configuration, management, and operation of network firewalls and virtual firewall segments protecting Dispel’s IT systems.
1.2 Scope
This policy applies to:
- All firewalls and virtual firewall segments protecting Dispel’s IT systems and networks.
- Cloud-based network access control mechanisms used to protect Dispel IT systems.
- User endpoints (e.g., workstations) where firewall policies are centrally managed.
1.3 Regulatory and Framework Alignment
| # | Framework / Standard | Relevant Control IDs | Alignment Notes |
|---|---|---|---|
| 1 | SOC 2 | CC6.1, CC6.6, CC7.1, CC7.2 | Supports Trust Services Criteria for logical access, change management, and monitoring via network boundary controls and default-deny rules. |
| 2 | ISO/IEC 27001 | A.8.20, A.8.21, A.8.22 | Supports Annex A controls for network security, secure network services, and segregation in networks as applied to firewall configuration and monitoring. |
| 3 | NIST SP 800-53 | SC-7, SC-7(1), SC-7(3), SC-7(4) | Supports boundary protection controls for perimeter defenses, default-deny postures, and restricted communications paths. |
| 4 | IEC 62443 | 62443-3-3.SR3.1, 62443-3-3.SR3.2 | Supports requirements for network segmentation and boundary protection in industrial/OT environments. |
| 5 | HIPAA | 164.312(a)(1), 164.312(e)(1) | Supports Security Rule technical safeguards for access control and transmission security when ePHI is in scope. |
2. POLICY STATEMENTS
2.1 Management Commitment
Dispel management is committed to maintaining robust network perimeter defenses and internal segmentation through properly configured and managed firewalls and related network access control mechanisms.
2.2 Primary Policy Statement
Dispel SHALL implement and maintain firewalls and network access control mechanisms to protect IT systems from unauthorized access, intrusion, and other network-based threats, consistent with a layered defense (defense-in-depth) approach.
2.3 Secondary Policy Statements
At a minimum, Dispel SHALL:
- Protect servers and critical systems with Network Access Control Mechanisms (NACMs).
- Define and approve firewall and NACM rules based on business need.
- Review and remove unnecessary rules in a timely manner.
- Log and monitor administrative access to firewalls and key network access control systems.
3. REQUIREMENTS
3.1 Defense-in-Depth and NACM Coverage
- Dispel SHALL use a layered defense approach; firewalls are a key element of this architecture.
- Dispel’s servers and critical systems MUST be protected with NACMs (e.g., network firewalls, security groups, virtual network ACLs).
- Responsibility for deployment and administration of NACMs SHALL rest with system owners as defined in internal documentation.
- The Security team SHALL provide guidance on NACM configuration and management to system owners.
3.2 Firewall and NACM Configuration
- Web application firewalls (WAFs) MUST be deployed as needed to protect core applications.
- Firewalls or cloud-based NACMs MUST be deployed to protect Dispel IT systems from intrusion, suspicious anomalies, and known threats by blocking harmful traffic.
- Unauthenticated inbound connections MUST be blocked by default (default-deny for inbound).
- NACM rules MUST be approved and documented by an authorized person, including the business need.
3.3 Endpoint Firewall Policies
- All user home workstations MUST have firewall policies managed centrally via an approved MDM platform.
- Exceptions MAY be granted for development workstations where firewall rule modification is
necessary for development/testing purposes. Such exceptions MUST:
- Have logging enabled for all firewall rule changes.
- Be subject to periodic review to ensure compliance with baseline security requirements.
3.4 Rule Lifecycle Management
- Unnecessary NACM rules that are no longer needed MUST be removed or disabled promptly.
- NACM rulesets MUST be reviewed periodically.
- Cloud development environment rules SHALL be reviewed periodically.
- Access to NACM configurations MUST be reviewed periodically.
3.5 Logging and Monitoring
- All administrative access to firewalls MUST be logged.
- Logs related to firewall and NACM administration MUST be monitored for suspicious activity.
3.6 Final Authority
- Final policy decisions regarding firewalls and NACMs rest with the CISO or designated delegate.
3.7 Out-of-Scope Traffic
- For the purposes of this policy, customer traffic transiting MTD (Moving Target Defense) networks is considered out of scope unless explicitly brought into scope by other policies or agreements.
4. ROLES AND RESPONSIBILITIES
4.1 Firewall and System Administrators
- Configure and maintain firewalls and NACMs in accordance with this policy.
- Ensure rule changes are authorized, documented, and logged.
- Participate in periodic ruleset and access reviews.
4.2 Engineering and Security (E&S)
- Enforce this policy and related standards at all times.
- Provide guidance and oversight for firewall and NACM configuration.
- Investigate suspected policy violations and coordinate remediation.
4.3 CISO
- Owns this policy and approves exceptions.
- Has final decision-making authority for firewall and NACM-related issues.
4.4 All Personnel
- Report suspected firewall or NACM misconfigurations or violations to the Help Desk or Security.
5. PROCEDURES
High-level procedures for global network firewall management include:
Design and Baseline Configuration
- Define standard firewall and NACM baselines for different system classes.
Change Management
- Submit and approve rule changes through the established change control process.
- Document business justification for each change.
Implementation and Testing
- Implement approved changes.
- Test to confirm intended behavior and absence of unintended exposure.
Review and Cleanup
- Periodically review rulesets and remove or disable unused rules.
Detailed operational procedures MAY be maintained in separate standards or runbooks.
6. MONITORING AND COMPLIANCE
6.1 Monitoring
Compliance with this policy SHALL be monitored through:
- Regular review of firewall and NACM rulesets.
- Review of administrative access logs to firewalls.
- Periodic audits of endpoint firewall configurations via MDM.
6.2 Non-Compliance
Non-compliance with this policy may result in:
- Corrective actions to remediate configurations.
- Disciplinary action up to and including termination, consistent with HR policies and laws.
7. EXCEPTIONS AND WAIVERS
Exceptions to this policy MUST:
- Be documented and justified.
- Be approved by the CISO or delegate.
- Be time-bound and reviewed regularly.
8. DEFINITIONS
Network Access Control Mechanism (NACM): A firewall, security group, or other mechanism that controls network traffic to systems or services.
Web Application Firewall (WAF): A firewall specifically designed to monitor and filter HTTP/HTTPS traffic to and from web applications.
9. REFERENCES
- NIST SP 800‑53 (SC‑7 and related controls)
- ISO/IEC 27001 Annex A (network and system hardening controls)
- IEC 62443 (network segmentation and boundary protection)
- HIPAA Security Rule (technical safeguards)
10. DOCUMENT HISTORY
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2025-10-02 | Chris Stradtman | Initial draft |
| 1.1 | 2025-12-22 | Stefan Kristensen | Renewed without changes; aligned with template |
11. APPROVAL SIGNATURES
| Role | Name | Signature | Date |
|---|---|---|---|
| Policy Owner | |||
| Security Officer | |||
| Compliance Officer |
END OF POLICY