Network Security Policy

Owner | Classification | Review Date | Status
CDO Office | Internal | April 2027 | Active
Document Type Policy
Owner CISO
Classification Confidential
Review Cycle Annual

Document # SP-NS-025
Document Title Network Security Policy
Version V1.2
Confidentiality Level Class 2 (Private Data / Confidential)
Date Created 23/03/2021
Issue Date 05/09/2025
Document Owner Chief Network Officer, Head of Network and Infrastructure
Author(s) Simpaisa
Purpose To ensure compliance with the international information security management system standard ISO 27001:2022 and with PCI DSS
Authorised By Yassir Pasha

Reviewed By Steering Committee

Name | Role
Yassir Pasha | Chief Executive Officer
Kamil Shaikh | Chief Operating Officer
Osama Hashmi | Chief Financial Officer
Bachir Njeim | Chief Strategy and Operations Officer
Saqlain Raza | Acting Chief Technology Officer
Rizwan Zafar | Chief Product Officer
Ahsan Hussain | Payment Channel Partnerships
Danish Abdul Hameed | Chief Information Security Officer
Shahroze Khan | Head of International Merchant Sales and Strategic Alliances
Noor Ali | Country Head Pakistan
Shoukat Bizinjo | Global Head of Regulatory Affairs — Regulatory

Change Control

Version | Date of Issue | Author(s) | Brief Description of Changes | Approved By
V1.0 | 08/04/2021 | Rizwan Zafar | Initial release | Salim Karim
V1.1 | 07/02/2022 | Rizwan Zafar | Annual review | Salim Karim
V1.2 | 02/02/2023 | Rizwan Zafar | Annual review | Salim Karim
V1.2 | 27/09/2024 | Syed Zubair Ahmed | Annual review | Yassir Pasha
V1.2 | 05/09/2025 | Simpaisa | Annual review | Yassir Pasha

1 Introduction

The use of networks is an essential part of the day-to-day business of Simpaisa. Networks not only connect many of the components of business processes together internally, but they also link the organisation with its suppliers, customers, stakeholders and the outside world.

The organisation's networks have evolved to become the circulatory system of the company, transporting information to where it needs to go and enabling business to be carried out effectively.

But the fact that so much information runs through our networks makes them a target for those who would try to steal that information and disrupt our business. Therefore, these networks need to be protected to ensure that the confidentiality, integrity and availability of our vital information are always assured.

The effective protection of our networks requires that we adopt industry-accepted best practices in information security covering their design, implementation, operation and management, and that we ensure that everyone involved follows these practices. Sources of industry-accepted practices include, but are not limited to:

  • Centre for Internet Security (CIS)

  • International Organisation for Standardisation (ISO)

  • SysAdmin Audit Network Security (SANS) Institute

  • National Institute of Standards and Technology (NIST)

This policy sets out Simpaisa's rules and standards for network protection and acts as a guide for those who create and maintain our IT infrastructure. Its intended audience is IT and information security management, and support staff who will implement and maintain the organisation's defences.

As a cloud service provider (CSP), this policy also applies to the methods used to design and create the physical and virtual networks used to deliver service to our cloud customers.

This control applies to all systems, people and processes that constitute the organisation's information systems, including board members, directors, employees, suppliers and other third parties who have access to Simpaisa systems. The following policies and procedures are relevant to this document:

  • Remote Working Policy

  • Change Management Process

  • Software Policy

  • Anti-Malware Policy

  • Password Policy

  • Access Control Policy

  • Information Security Policy

2 Network Security Policy

2.1 Network Security Design

The design of networks is a complicated process requiring a good knowledge of network principles and technology. Each design is likely to be different, based on a specific set of requirements that are established early in the process. This policy does not attempt to specify how individual networks should be designed and built but provides guidance for the standard building blocks that should be used.

2.1.1 Requirements

A network must be based on a clear definition of requirements which should include the following security-related factors:

  • The classification of the information to be carried across the network and accessed through it

  • A risk assessment of the potential threats to the network, taking into account any inherent vulnerabilities

  • The level of trust between the different components or organisations that will be connected

  • The hours of availability and degree of resilience required from the network

  • The geographical spread of the network

  • The security controls in place at locations from which the network will be accessed

  • Security capabilities of existing computers or devices that will be used for access

Requirements must be documented and agreed before design work starts.

2.1.2 Defence in Depth

A "Defence in Depth" approach will be adopted for network security whereby multiple layers of controls are used to ensure that the failure of a single component does not compromise the network. For example, network firewalls should be supplemented by host-based software firewalls on servers and clients in order to provide several levels of protection.

At key points in the network a "defence diversity" approach must also be taken so that vulnerabilities are minimised. For example, this may involve using firewalls from different vendors in series so that if a vulnerability is exploited in one device, the other will not be subject to it. This may be extended to the use of more than one network virus scanner at the perimeter for the same reason.

2.1.3 Network Segregation

Where possible, the principle must be adopted that a network should consist of a set of smaller networks segregated from each other based on either trust levels or organisational boundaries (or both).

Network segregation must also be used to protect all system components that store, transmit or process cardholder data (i.e. within the Cardholder Data Environment).

For a large network this should be achieved using separate domains, particularly where separate organisations' networks are being linked. An appropriate level of trust must be configured at the domain level and domain perimeters must be secured using a firewall where appropriate.

Within networks, Virtual Local Area Networks (VLANs) must be used where available to segregate organisational units. Firewalls or access control lists (ACLs) must be used to secure and control each segment.

In a cloud environment, it is important that requirements for segregating networks to achieve tenant isolation are defined and the cloud service provider's ability to meet these requirements is verified.

Where Simpaisa is acting as a CSP, it is important to enforce segregation between our multitenant clients and between the cloud service customer environment and our own internal network.

2.1.4 Perimeter Security

At all perimeters between the internal network and an external network (such as the Internet) effective measures must be put in place to ensure that only authorised network traffic is permitted. This will usually consist of at least one Stateful Inspection firewall and for major links with the Internet an Application (or Application Gateway) firewall must be used. For connections such as broadband at smaller locations a Packet Filtering firewall may suffice, depending on the results of a risk assessment.

Servers that are intended to be accessed from an external, insecure network (such as web servers) must be in a Demilitarised Zone (DMZ) of the firewall in order to provide additional protection for the internal network.

2.1.5 Public/Untrusted Networks

Where information is to be transferred over a public network such as the Internet, strong encryption via TLS 1.2 (or higher) must be used to ensure the confidentiality of the data transmitted.

Servers that will be accessed from devices on the public network will be in the DMZ of the firewall.

Network Address Translation (NAT) will always be used when communicating to untrusted networks to ensure the private IP address is not disclosed.

2.1.6 Wireless Networks

Wireless networks must be secured using WPA2 encryption or 802.1X Authenticated Wireless Access. WEP and WPA should not be used.

Wireless networks must be treated as segmented networks (like a DMZ) and a firewall installed between the wireless network and the main LAN.

A guest wireless network may be provided for visitors. This must be physically separate from all internal networks (including internal wireless networks) and secured using a firewall.

Wireless access points must be configured to not broadcast their SSID and to not allow secure connection using WPS (Wi-Fi Protected Setup) via physical access to the access point itself.

Wireless access point admin logon passwords must always be changed from the default.

Tests must be carried out to scan for the presence of wireless access points and detect and identify all authorised and unauthorised wireless access points on a quarterly basis. If unauthorised wireless access points are detected the Security Incident Response Procedure will be invoked.

Any wireless access points considered to be in Simpaisa's Cardholder Data Environment (CDE) will be recorded in the CDE Asset Inventory.

2.1.7 Firewalls and Routers

Firewalls and routers are designed to protect and control network traffic between internal, external and wireless networks. Software-based firewalls may also be active and configured on appropriate system components.

Personal firewall software (or equivalent functionality) must be installed and active on any portable computing devices that connect to the Internet when outside the network and which are also used to access the CDE.

Personal firewall software (or equivalent functionality) must be configured to specific configuration settings, actively running, and not alterable by users.

Configuration standards must be used to list all services, protocols and ports enabled including business justification and approval for each. Each configuration standard must be subject to review every 6 months or when any significant change to the organisation or infrastructure occurs.

Router configurations must be checked to ensure all running configurations are the same as start-up configurations. This is to ensure any configurations remain intact after reboot.

Additional controls are required when protecting Cardholder Data Environments (CDEs). Additional controls include:

  • Anti-spoofing measures to detect forged source IP addresses and prevent them from entering the network

  • Permitting only established connections into the network where the firewall detects and verifies the state of any previous connections made

A Web Application Firewall (sometimes referred to as a reverse proxy) monitors, controls and blocks web traffic and reduces threats from SQL injection and similar attacks. Coupled with traditional firewalls, it improves the security of all web applications. A web application firewall must be installed and configured for all public-facing web applications.

2.1.8 Physical Security

Remote network equipment must be housed in secure cabinets which are always locked. Only support staff should have access to the key to each cabinet.

Backbone and centralised network equipment must be housed in appropriate lockable cabinets or racks in a secure server room to which only authorised support staff have access (except for local facilities staff for reasons of health and safety).

Where appropriate, facility entry controls must be in place to limit and monitor physical access to a server room and an access log used to record and review such access. Video cameras or access control mechanisms (or both) must be used to monitor individual physical access to server rooms. This data must be reviewed and stored for at least three months, unless otherwise restricted by law.

Wireless access points located in public areas must be hidden from view where possible and should be placed in positions where access by the public is difficult e.g. in or near the ceiling. A lockable protective casing must be installed where an access point is in an unprotected public area e.g. a car park.

Physical and/or logical controls must be implemented to restrict access to publicly accessible network ports on office walls. For example, network ports located in public areas and areas accessible to visitors must be disabled and only enabled when network access is explicitly authorised.

Any components considered to be within the Cardholder Data Environment must be subject to frequent tamper testing to ensure the devices have not been compromised. Staff members will be trained to inspect devices for tampering and record their findings in the CDE Asset Inventory.

2.1.9 Remote Access

Where there is a requirement for remote access to the internal network the following controls will be used:

  • A Virtual Private Network (VPN) must be used providing session encryption using TLS 1.2 (or higher)

  • Multi-Factor Authentication at the client

  • Secure authentication using a RADIUS server

  • Network Access Control (NAC) must be used to restrict access to remote clients that do not meet minimum requirements e.g. AV up to date, firewall enabled and patch level up to date

Remote access should be granted on an "as required" basis rather than for all users by default.

2.1.10 Intrusion Detection System and Intrusion Prevention System (IDS/IPS)

An Intrusion Detection System/Intrusion Prevention System (IDS/IPS) must be installed at each segmented internal network perimeter, at the perimeter to the internet and at all key points within the network e.g. on critical or data-sensitive servers. All logs from the IDS/IPS must be correlated within the Security Information and Event Management (SIEM) system.

2.1.11 File-Integrity Monitoring

File-integrity monitoring must be used to monitor entities that don't regularly change, for example operating system files. Alerts will be raised upon any changes of existing files but generally not when new files are created. Critical files being protected include:

  • System executables

  • Application executables

  • Configuration and parameter files

  • Centrally stored, historical or archived, log and audit files

  • Additional critical files identified through risk assessment
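The alerting rule described above, as an added example that is not part of the policy or of any Simpaisa tooling: a SHA-256 baseline is compared with the current state, and alerts are raised for changed files but not for newly created ones. The file names are constructed sample data, and treating a removed baseline file as a change is an assumption of this example.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (by relative path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def compare(baseline, current):
    """Classify differences between the approved baseline and the current state."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "created": sorted(p for p in current if p not in baseline),
    }


def alerts(diff):
    """Alert on changes to existing files; new files are recorded but not alerted.
    Counting a removed baseline file as a change is this example's assumption."""
    return ([("MODIFIED", p) for p in diff["modified"]]
            + [("REMOVED", p) for p in diff["removed"]])


def demo():
    """Run the check against a constructed sample tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)

        write("sshd_config", b"PermitRootLogin no\n")    # configuration file
        write("app.bin", b"\x7fELF-original")            # application executable
        write("audit.log.1", b"archived entries\n")      # archived log file
        baseline = snapshot(root)

        write("sshd_config", b"PermitRootLogin yes\n")   # existing file changed
        os.remove(os.path.join(root, "audit.log.1"))     # archived log deleted
        write("notes.tmp", b"scratch")                   # new file: no alert
        diff = compare(baseline, snapshot(root))
        return diff, alerts(diff)


if __name__ == "__main__":
    diff, raised = demo()
    print(diff)
    for kind, path in raised:
        print(kind, path)
```

In practice the baseline itself must be stored where the monitored host cannot rewrite it, otherwise a change to a file and to its recorded hash would go unnoticed.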

2.1.12 Network Hardware

Where possible a single supplier policy will be used for network hardware. An exception may be made where the use of multiple vendor hardware is judged to increase the level of security provided e.g. in a dual network-based firewall configuration.

Switch ports, including diagnostic ports, must be configured to be administratively disabled until required. Hubs should not be used due to their inherent security weaknesses.

Cat 6 UTP must be used for network cabling unless specific circumstances (such as excessive interference) preclude its use. The network topology used will be Ethernet according to the IEEE 802.3 family of standards.

2.1.13 IP Addressing

IPv4 must be used on internal networks. However, new network devices purchased should support IPv6 in preparation for the future.

The internal IP address range used will be 192.168.0.0 – 192.168.254.254. The assignment and use of subnets must be monitored carefully.

IP addresses and associated network information for desktop and laptop clients must be controlled using DHCP. Internal DNS servers will be used.

2.1.14 Network Protocols

The protocol used on all networks will be TCP/IP. UDP will be used where appropriate, but other OSI layer 4 network protocols should not be used. Only protocols and ports required on a specific server should be enabled by default in order to reduce the attack surface. This is especially true for servers within the DMZ of the firewall(s).

2.1.15 Date and Time Synchronisation

All systems on the network will be synced using the Network Time Protocol (NTP) and will have the following controls in place:

  • Time settings are received from industry-accepted time sources

  • Access to time data is restricted to personnel with a business need to access it

2.1.16 Configuration Standards

Configuration standards must be used for all system components to ensure each component is built, configured, and secured in the right way.

A configuration standard covers the build and configuration of specific types of devices used within the organisation. When building a device, the following areas are considered:

  • Build requirements

  • Security

  • Applications

2.1.17 System Hardening

All system components that are prone to security vulnerabilities must be subject to system hardening. This will be consistent with industry-accepted system hardening standards including but not limited to:

  • Centre for Internet Security (CIS)

  • International Organisation for Standardisation (ISO)

  • SysAdmin Audit Network Security (SANS) Institute

  • National Institute of Standards and Technology (NIST)

System configuration standards will be applied when new systems are configured and verified as being in place before a system is installed on the network.

System hardening instructions will be included in the appropriate configuration standard for a given system component. These standards will be updated as and when new vulnerabilities are identified. See the Technical Vulnerability Management Policy for more information.

All vendor-supplied accounts for system configurations and passwords must be removed/changed before any system component is allowed on the live network. This includes but is not limited to:

  • Operating systems

  • Security software and devices

  • Wireless access points

  • Applications

  • SNMP

2.2 Network Security Management

Once networks have been designed and implemented based on a clear set of security requirements, there is an ongoing responsibility to manage and control the secure networking environment to protect the organisation's information in systems and applications. This should be achieved via controls in the following areas.

2.2.1 Roles and Responsibilities

Roles and responsibilities for the management and control of networks must be clearly defined. In order to provide effective segregation of duties, the operation of networks is managed separately from the operation of the rest of the infrastructure such as servers and applications. This segregation of duties is detailed in the following table:

Manager Role | Team | Main Responsibilities
Network Manager | Network and Communications Management | Design and implementation of new and changed networks; Installation and removal of networking equipment; Configuration of networking equipment; Third line incident management
Network Operations Manager | Network Operations | Network availability monitoring; Network intrusion monitoring; Second line incident management; Configuration backups; Patching and updates; Setup and management of remote access users
Computer Operations Manager | Computer Operations | Server and application backups; Job scheduling; Infrastructure monitoring; First line incident management; Configuration standard reviews; Firewall and Router rule reviews
Information Security Manager | Information Security | Ensure information is classified and protected in accordance with appropriate standards e.g. PCI DSS (Cardholder Data) and GDPR (Personally Identifiable Information)

2.2.2 Logging and Monitoring

Logging levels on all network devices must be configured to collect data centrally using a Security Information and Event Management (SIEM) tool, in accordance with organisation policy (see Procedure for Monitoring the Use of IT Systems), and logs monitored on a regular basis. All logs will be kept for a minimum period of 1 year.

Typical attributes to be recorded within logs include but are not limited to:

  • User identification

  • Type of event

  • Date and time

  • Success or failure indication

  • Origination of event

  • Identity or name of affected data, system component, or resource

Firewall logs must be monitored for signs of excessive port scanning which may be a precursor to a remote attack. Where installed, a Network-based Intrusion Detection System (NIDS) should be configured to alert the Network Operations team of this activity.
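One way to monitor firewall logs for excessive port scanning, as an added example that is not part of the policy: count the distinct destination address and port pairs each source touches inside a sliding time window. The key=value log format, the 60-second window, the threshold of 10 and the sample addresses are all assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical key=value firewall log format (an assumption of this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, source, (destination, port)) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return ts, m["src"], (m["dst"], int(m["dport"]))


def detect_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Flag sources that reach `threshold` distinct targets within `window`.
    Expects time-ordered input; returns {source: peak distinct target count}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as events
        ts, src, target = rec
        q = recent[src]
        q.append((ts, target))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def sample_log():
    """Constructed sample log lines using documentation address ranges."""
    lines = []
    for i in range(12):   # one source, 12 different ports in 12 seconds
        lines.append(f"2025-09-05T10:00:{i:02d} action=deny src=203.0.113.7 "
                     f"dst=192.168.10.5 dport={20 + i}")
    for i in range(15):   # busy but normal client: same port every time
        lines.append(f"2025-09-05T10:01:{i:02d} action=allow src=198.51.100.20 "
                     f"dst=192.168.10.8 dport=443")
    for i in range(12):   # 12 ports, five minutes apart: outside a 60 s window
        lines.append(f"2025-09-05T11:{i * 5:02d}:00 action=deny src=198.51.100.99 "
                     f"dst=192.168.10.5 dport={8000 + i}")
    lines.append("corrupted line without fields")
    return lines


if __name__ == "__main__":
    for src, count in detect_scans(sample_log()).items():
        print(f"possible port scan from {src}: {count} distinct targets in 60s")
```

The third sample source is not flagged by the 60-second window, so a SIEM rule built this way is normally paired with a second, longer window such as an hour or a day.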

Network monitoring for performance and availability will be achieved using an appropriate SNMP-based network management tool (such as Nagios, SolarWinds or WhatsUp Gold) and recovery actions automated where possible.

Alerts from the Network Access Control (NAC) system must be addressed immediately to ensure that clients that do not meet minimum security requirements are only allowed access to a quarantined subset of systems on the network.

2.2.3 Network Changes

All changes to network devices will be subject to the change management process (see Change Management Process) and appropriate risk assessment, planning and back-out methods put in place. Configuration records must be updated whenever such changes are carried out so that a current and accurate picture of the network is always maintained.

2.2.4 Network Security Incidents

Network events which are deemed to be security incidents must be recorded and managed according to the Information Security Incident Response Procedure.

2.2.5 Security Testing

A fundamental part of network security and vulnerability management is the ability to test and verify the strength of the organisation's security controls against ever-changing cyber threats. The results of security testing must be risk assessed and applied to the treatment process to remediate any vulnerabilities found. Please refer to the Technical Vulnerability Management Policy and Risk Assessment and Treatment Process for more information.

3 Conclusion

Network security is a cornerstone of Simpaisa's defences against many of the threats with which we are faced. Only by designing effective security into every new system and network from the very beginning can effective control be maintained, and risk minimised. Further to this, additional controls must be implemented which ensure that proper segregation of duties is achieved and changes to the network environment happen in a managed way.

Combined with watchful monitoring of the network itself and the tools put in place to manage it, this should ensure that the number and severity of network security incidents is minimised and our exposure from those that do occur is not as great as it otherwise might have been.