Network Policies and Physical Security Measures

This lesson covers network policies and physical security measures as required by OCR J277 Section 1.4. While technical measures like firewalls and encryption are important, organisational policies and physical safeguards are equally essential for comprehensive security.

---

What Are Network Policies?

A network policy is a set of rules and guidelines that define how a network should be used, managed, and secured within an organisation. Network policies ensure that all users understand their responsibilities and that security measures are consistently applied.

---

Types of Network Policies

1. Acceptable Use Policy (AUP)

An Acceptable Use Policy defines what users are and are not allowed to do on the network.

Typically Permitted	Typically Prohibited
Work-related internet browsing	Downloading pirated software
Using company email for work	Accessing inappropriate websites
Storing work files on network drives	Sharing login credentials
Using approved software	Installing unauthorised software
Accessing authorised resources	Connecting personal devices without approval

2. Password Policy

A password policy sets requirements for creating and managing passwords.

Common requirements include:

• Minimum password length (e.g. 8+ characters)
• Complexity requirements (uppercase, lowercase, numbers, symbols)
• Regular password changes (e.g. every 90 days)
• Password history (cannot reuse recent passwords)
• Account lockout after a set number of failed attempts

3. Backup Policy

A backup policy defines how and when data should be backed up.

Element	Detail
Frequency	How often backups are performed (daily, weekly)
Type	Full, incremental, or differential backups
Storage location	On-site, off-site, or cloud storage
Retention period	How long backups are kept
Testing	Regular testing to ensure backups can be restored

OCR Exam Tip: If asked about backup policies, mention the 3-2-1 rule: 3 copies of data, on 2 different types of storage media, with 1 copy stored off-site. This demonstrates thorough understanding.

4. Disaster Recovery Policy

A disaster recovery policy outlines how an organisation will respond to and recover from a security incident, hardware failure, natural disaster, or other disruption.

Key elements include:

• Recovery Time Objective (RTO) — The maximum acceptable time to restore operations.
• Recovery Point Objective (RPO) — The maximum acceptable amount of data loss (measured in time).
• Roles and responsibilities of staff during recovery.
• Communication procedures (who to contact and how).
• Steps for restoring systems from backups.

---

Access Controls

Access controls determine who can access what resources on a network.