Ensure network access points are identified and controlled

Status: Live

The organization will maintain a standard and appropriate procedures to ensure network access points are identified and controlled. [UCF ID 00529]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls, § 319.45; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj D.1; FFIEC IT Examination Handbook – Information Security, Pg 38, Exam Tier I Obj 4.1; FFIEC IT Examination Handbook – Operations, July 2004, Pg 23; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 33; System Security Plan (SSP) Procedure, Version 1.0, App A § 4.4; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP 005-1 R1.1 thru CIP 005-1 R1.3, CIP 005-1 R5.2; Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives, § 8; FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 2.1.1; Federal Information System Controls Audit Manual (FISCAM), February 2009, AC-3.2(B); GAO/PCIE Financial Audit Manual (FAM), § 260.17(e); The National Strategy to Secure Cyberspace, February 2003, Pg 47; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.15, Exhibit 4 SC-7; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, SC-7, SC-7(1); Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, SC-7, SC-7(1); Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1, § 3.1.2; CobiT 4.1, AI3.2; The Standard of Good Practice for Information Security, SM6.5.4(a), CB6.4.2(d), NW1.2.2(f), NW2.4.3, NW2.4.5, NW2.4.6, NW3.4.4(b), SD4.6.3(d); DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2, § 4.2.3; ISO 17799:2005 Code of Practice for Information Security Management, § 11.4.3; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.11.4.6; ISO/IEC 27002-2005 Code of practice for information security management, § 11.4.3; OGC ITIL: Security Management, § 4.2.4.2; OECD / World Bank Technology Risk Checklist, Version 7.3, § I.16; Archer Control Table, ATCS-348, ATCS-350; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, §4.4.1.D, § 4.6.1.A, § 4.6.1.B, § 4.6.1.C

Sarbanes Oxley Guidance

[§ 319.45, AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls]

Banking and Finance Guidance

[Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Audit, August 2003]

The organization should map the network to identify and control all access points. [Pg 38, Exam Tier I Obj 4.1, FFIEC IT Examination Handbook – Information Security]

All remote access points should be identified and controlled by periodically reviewing the network diagram and hardware inventory. [Pg 23, FFIEC IT Examination Handbook – Operations, July 2004]

The implemented logical access controls should also protect network access. [Pg 33, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

Healthcare and Life Science Guidance

Calls for a description of the WAN security controls for organizational systems. The controls should also discuss any additional hardware or technical controls that have been installed on systems and implemented to provide protection against unauthorized system penetration and other known internet threats and vulnerabilities. [App A § 4.4, System Security Plan (SSP) Procedure, Version 1.0]

Energy Guidance

Access points to the Electronic Security Perimeter(s) shall include any externally connected communication end point (for example, dial-up modems) terminating at any device within the Electronic Security Perimeter(s). For a dial-up accessible Critical Cyber Asset that uses a non-routable protocol, the Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device. Communication links connecting discrete Electronic Security Perimeters shall not be considered part of the Electronic Security Perimeter. However, end points of these communication links within the Electronic Security Perimeter(s) shall be considered access points to the Electronic Security Perimeter(s). The Responsible Entity shall update the documentation to reflect the modification of the network or controls within ninety calendar days of the change. [CIP 005-1 R1.1 thru CIP 005-1 R1.3, CIP 005-1 R5.2, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]

Payment Card Guidance

§ 4.4.1.D Centralized management systems that can control and configure distributed wireless networks are recommended.
§ 4.6.1.A An organization must require explicit management approval to use wireless networks in the Cardholder Data Environment (CDE). Any unsanctioned wireless must be removed from CDE.
§ 4.6.1.B An organization must require that wireless access is authenticated with user ID and password or other authentication item (for example, token). Wi-Fi Protected Access (WPA) Enterprise supports this requirement. If Pre-Shared Keys (PSKs) are used, then they must be rotated whenever employees that have access to wireless devices leave the organization. In Enterprise mode, individual user access can be enabled/disabled centrally.
§ 4.6.1.C Ensure that the organization maintains a list of all wireless devices and personnel authorized to use the devices.
[§4.4.1.D, § 4.6.1.A, § 4.6.1.B, § 4.6.1.C, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]

US Federal Security Guidance

The organization must ensure that the network architecture has been properly approved. [§ 8, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives]

This document calls for strong network configuration to defend against unauthorized LAN access. Section 2.1.1 describes a variety of vulnerabilities to which a LAN may fall prey. These include inappropriate identification schemes, poor password management, unprotected modems, poor physical control of network devices, no disconnect after multiple login failures, no logging of activities, and no timeout when an account is left inactive for an extended period of time. [§ 2.1.1, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]

Careful analysis is needed to identify all of the system's entry points and paths to sensitive files. FISCAM calls for the creation of an access path diagram identifying: the users of the system; the type of device from which they can access the system; the software used in the system; the resources they may access; the system on which these resources reside; and the modes of operation and telecommunication. The access path diagram should be reviewed and updated to include network changes. [AC-3.2(B), Federal Information System Controls Audit Manual (FISCAM), February 2009]

Different types of computer processing present different levels of risk, which must be taken into account. Peripheral access devices or system interfaces can increase existing risk levels. Distributed networks also increase risk levels. Finally, application software developed in-house presents higher inherent risk as well. Thus, when determining network configuration, be aware of how each of these things increases risk and implement controls to reduce it. [§ 260.17(e), GAO/PCIE Financial Audit Manual (FAM)]

Asks federal agencies to consider installing systems that continuously check for unauthorized connections to their networks. [Pg 47, The National Strategy to Secure Cyberspace, February 2003]
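The FFIEC, PCI and National Strategy passages above all come down to the same operational check: keep an approved inventory of access points, periodically compare it with what is actually on the network, and act on the difference. The script below is an added illustration of that reconciliation and is not part of the UCF page or any of the cited authority documents. The inventory export, the discovery-sweep output, the departure list and the column names are all constructed for the example; an organization would feed it from its own asset register and network discovery tooling. It flags devices seen but not approved (the "unsanctioned wireless" case in § 4.6.1.A), approved devices that were not seen (so the inventory can be corrected), devices whose role differs from the record, and PSK-secured wireless whose key was not rotated after a departure (§ 4.6.1.B).

```python
"""Reconcile observed network access points against an approved inventory
and check PSK rotation after staff departures.

All data below is constructed for this example: the inventory export, the
discovery sweep and the departure list are inline strings and lists standing
in for an asset-register export and a periodic discovery scan.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed: approved access points and remote-access endpoints.
APPROVED_INVENTORY_CSV = """\
mac,type,label,auth,psk_rotated_on
00:11:22:33:44:01,wifi_ap,CorpWiFi-Floor1,wpa_enterprise,
00:11:22:33:44:02,wifi_ap,CorpWiFi-Floor2,wpa_psk,2009-01-15
00:11:22:33:44:10,vpn_gateway,RemoteAccess-VPN,n/a,
00:11:22:33:44:20,modem,Dialup-Maint,n/a,
"""

# Constructed: endpoints seen by this cycle's discovery sweep.
OBSERVED_CSV = """\
mac,ip,type,ssid
00:11:22:33:44:01,10.0.1.2,wifi_ap,CorpWiFi-Floor1
00:11:22:33:44:02,10.0.1.3,wifi_ap,CorpWiFi-Floor2
AA:BB:CC:DD:EE:FF,10.0.1.77,wifi_ap,linksys
00:11:22:33:44:10,203.0.113.5,vpn_gateway,
"""

# Constructed: staff who had wireless access and have left, with their departure dates.
WIRELESS_USER_DEPARTURES = [("jdoe", date(2009, 2, 20))]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    severity: str
    mac: str
    detail: str


def load_rows(csv_text):
    """Parse a CSV export into dict rows, normalising MAC addresses to lowercase."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["mac"] = row["mac"].strip().lower()
    return rows


def reconcile(approved, observed):
    """Compare what the sweep saw with what the inventory authorises."""
    approved_by_mac = {r["mac"]: r for r in approved}
    observed_by_mac = {r["mac"]: r for r in observed}
    findings = []
    for mac, obs in observed_by_mac.items():
        if mac not in approved_by_mac:
            # Unknown endpoint on the network: the unsanctioned-device case.
            findings.append(Finding("high", mac,
                f"unapproved {obs['type']} at {obs['ip']} (ssid={obs['ssid'] or '-'})"))
        elif obs["type"] != approved_by_mac[mac]["type"]:
            findings.append(Finding("medium", mac,
                f"role drift: inventory says {approved_by_mac[mac]['type']}, observed {obs['type']}"))
    for mac, appr in approved_by_mac.items():
        if mac not in observed_by_mac:
            # Approved but silent: confirm it is disabled or decommissioned, then fix the inventory.
            findings.append(Finding("low", mac,
                f"approved {appr['type']} '{appr['label']}' not observed; verify decommissioning"))
    return findings


def psk_rotation_findings(approved, departures):
    """Flag PSK-secured wireless whose key predates the most recent departure."""
    if not departures:
        return []
    who, last_departure = max(departures, key=lambda d: d[1])
    findings = []
    for r in approved:
        if r["auth"] != "wpa_psk":
            continue
        rotated = date.fromisoformat(r["psk_rotated_on"]) if r["psk_rotated_on"] else None
        if rotated is None or rotated < last_departure:
            findings.append(Finding("medium", r["mac"],
                f"PSK on '{r['label']}' not rotated since {who} left on {last_departure.isoformat()}"))
    return findings


def run_checks():
    """Run both checks over the constructed data, most severe findings first."""
    approved = load_rows(APPROVED_INVENTORY_CSV)
    observed = load_rows(OBSERVED_CSV)
    findings = reconcile(approved, observed) + psk_rotation_findings(approved, WIRELESS_USER_DEPARTURES)
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.mac))


if __name__ == "__main__":
    for f in run_checks():
        print(f"[{f.severity.upper()}] {f.mac}: {f.detail}")
```

Keying on MAC address is a convenience for the example, not an authentication control: a MAC can be set by the device owner, so the "approved" match only tells you the inventory has an entry, and the device authentication and user authentication the PCI and SoGP passages require still have to be enforced at the access point itself. Running this on a schedule and treating every high finding as an incident gives the "continuously check for unauthorized connections" behaviour the National Strategy asks agencies to consider.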

US Internal Revenue Guidance

The system must monitor and control all communications at key internal boundaries and at all external boundaries. [§ 5.6.15, Exhibit 4 SC-7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

Any connections to the Internet, or other external networks or information systems, must occur through controlled interfaces (e.g., proxies, gateways, routers, firewalls, encrypted tunnels). The operational failure of the boundary protection mechanisms does not result in any unauthorized release of information outside of the information system boundary. Information system boundary protections at any designated alternate processing sites provide the same levels of protection as that of the primary site.
SC-7(1) suggests, for medium and high impact systems, that the organization physically allocate publicly accessible information system components (e.g., public web servers) to separate subnetworks with separate, physical network interfaces. The organization prevents public access into the organization's internal networks except as appropriately mediated.
[SC-7, SC-7(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]

Organizational records and documents should be examined to ensure communications are monitored and controlled at external and key internal boundaries of the system; the information boundaries are protected with appropriate tools and techniques; publicly accessible information is located on a physically separate subnetwork; public access into internal networks is prohibited, except for when approved; and specific responsibilities and actions are defined for the implementation of the boundary protection control. Any problems discovered during the implementation of the boundary protection control should be documented and used to improve the controls.
Interviews should be conducted with personnel involved in controlling and monitoring the internal and external boundaries of the system and with personnel involved in maintaining publicly accessible networks and information.
[SC-7, SC-7(1), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

The organization should deny all network activity that is not expressly permitted. Only activity necessary for the proper functioning of the organization should be permitted. This includes securing all connection points, such as modems, virtual private networks (VPNs), and dedicated connections to other organizations. [§ 3.1.2, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1]

Other Configuration Guidance

Remote access servers must be configured to prevent remote users from having access to the control, management, and configuration functions. [§ 4.2.3, DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2]

ISO Guidance

Equipment identification can be used to authenticate connections from specific equipment and locations. An identifier can be placed in or on the equipment to indicate if the computer can connect to the network. [§ 11.4.3, ISO 17799:2005 Code of Practice for Information Security Management]

The ability of users to connect across shared networks should be restricted. User access should be based on business requirements and the access control policy. [Annex A.11.4.6, ISO 27001:2005, Information Security Management Systems - Requirements]

Equipment identification can be used to authenticate connections from specific equipment and locations. An identifier can be placed in or on the equipment to indicate if the computer can connect to the network. [§ 11.4.3, ISO/IEC 27002-2005 Code of practice for information security management]

ITIL Guidance

[§ 4.2.4.2, OGC ITIL: Security Management]

General Guidance

The organization should implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated. [AI3.2, CobiT 4.1]

Wireless access points should be configured for low power, located to minimize interference, assigned a unique Service Set Identifier (SSID), and managed and configured from a central location. Wireless access should be protected by access control mechanisms, device authentication, user authentication, and encryption between the wireless device and the wireless access point. The encryption key should be changed regularly. Network access points should be disabled on network devices until they are required. Web servers used to support applications should be prevented from initiating connections to the Internet. The connection method for third party connections should be restricted. [SM6.5.4(a), CB6.4.2(d), NW1.2.2(f), NW2.4.3, NW2.4.5, NW2.4.6, NW3.4.4(b), SD4.6.3(d), The Standard of Good Practice for Information Security]

EU Guidance

[§ I.16, OECD / World Bank Technology Risk Checklist, Version 7.3]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.