8.Communications security

8.1 Network security management

  

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

8.1.1 Network controls

Networks should be managed and controlled to protect information in systems and applications.

  • Implement controls to ensure the security of information in networks and the protection of connected services from unauthorized access. Consider the following:
    a) establish responsibilities and procedures for the management of networking equipment;
    b) separate operational responsibility for networks from computer operations where appropriate;
    c) establish special controls to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications; special controls may also be required to maintain the availability of the network services and computers connected;
    d) apply appropriate logging and monitoring to enable recording and detection of actions that may affect, or are relevant to, information security;
    e) closely coordinate management activities both to optimize the service to the organization and to ensure that controls are consistently applied across the information processing infrastructure;
    f) authenticate systems on the network and restrict systems connection to the network.

    Additional guidance can be found in ISO/IEC 27033. See also CIS Control 12 Network Infrastructure Management.  

8.1.2 Security of network services

Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.

  • Determine and regularly monitor the ability of the network service provider to manage agreed services in a secure way, and agree the right to audit. 
  • Identify the security arrangements necessary for particular services, such as security features, service levels and management requirements. 
  • Ensure that network service providers implement these measures. 
  • Consider the following security features:
    a) technology applied for security of network services, such as authentication, encryption and network connection controls;
    b) technical parameters required for secured connection with the network services in accordance with the security and network connection rules;
    c) procedures for the network service usage to restrict access to network services or applications, where necessary.

    Network services include:
    - the provision of connections,
    - private network services and value added networks,
    - managed network security solutions such as firewalls and intrusion detection systems.

    These services can range from simple unmanaged bandwidth to complex value-added offerings.

8.1.3 Segregation in networks

Groups of information services, users and information systems should be segregated on networks.

  • Select an appropriate method of managing the security of large networks, e.g. to divide them into separate network domains. The domains can be chosen based on trust levels (e.g. public access domain, desktop domain, server domain), along organizational units (e.g. human resources, finance, marketing) or some combination (e.g. server domain connecting to multiple organizational units). The segregation can be done using either physically different networks or by using different logical networks (e.g.virtual private networking). 
  • Define the perimeter of each domain.    
    a) access between network domains is allowed, but control it at the perimeter using a gateway (e.g. firewall, filtering router).
    b) base the criteria for segregation of networks into domains, and the access allowed through the gateways, on an assessment of the security requirements of each domain.    
    c) align the assessment with the access control policy, access requirements, value and classification of information processed and also take account of the relative cost and performance impact of incorporating suitable gateway technology. 
  • For sensitive environments, consider to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway in accordance with network controls policy before granting access to internal systems. 
  • The authentication, encryption and user level network access control technologies of modern, standards based wireless networks are sufficient for direct connection to the internal network when properly implemented. 
  • When business partnerships are formed that require the interconnection or sharing of information processing and networking facilities, networks extend beyond organizational boundaries. Such extensions require protection from other network users because of their sensitivity or criticalit, as the risk of unauthorized access to the organization’s information systems that use the network increases.