The organization will maintain a standard and appropriate procedures to ensure network access points are identified and controlled. [UCF ID 00529]
Supporting and supported controls
This control directly supports:
• Technical security [UCF Control ID 00508]
This control has the following supporting controls:
• Network configuration [UCF Control ID 00530]
• Protocols, ports, and services [UCF Control ID 00537]
• Secure the Domain Name Server (DNS) system [UCF Control ID 00540]
• Establish and maintain firewall design and configuration practices [UCF Control ID 00544]
• Establish and maintain Voice over Internet Protocol design and configuration criteria [UCF Control ID 01449]
• Ensure and maintain Wireless LAN design and configuration criteria [UCF Control ID 01646]
• Establish a policy on whether to allow web-based e-mail and instant messaging services [UCF Control ID 04577]
Authority documents complied with:
FFIEC IT Examination Handbook – Information Security Pg 38, Exam Tier I Obj 4.1; FFIEC IT Examination Handbook – Audit Exam Tier II Obj D.1; FFIEC IT Examination Handbook – Operations Pg 23; FFIEC IT Examination Handbook – Retail Payment Systems Pg 33; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIOP 005-1 R1.1, R1.2, R1.3, R5.2; OECD / World Bank Technology Risk Checklist I.16; CobiT 4.1 AI3.2; The Standard of Good Practice for Information Security SM6.5.4(a), CB6.4.2(d), NW1.2.2(f), NW2.4.3, NW2.4.5, NW2.4.6, NW3.4.4(b), SD4.6.3(d); SYSTEM SECURITY PLANS (SSP) METHODOLOGY Appendix A, § 4.4; ISO 17799:2000, Code of Practice for Information Security Management § 9.4; ISO 17799:2005 Code of Practice for Information Security Management § 11.4.3; ISO 27001:2005, Information Security Management Systems - Requirements § A.11.4.6; ISO/IEC 27002-2005 Code of practice for information security management § 11.4.3; OGC ITIL: Security Management 4.2.4.2; Recommended Security Controls for Federal Information Systems, NIST SP 800-53 SC-7, SC-7(1); Computer Security Incident Handling Guide, NIST SP 800-61 § 3.1.2; Guide for Assessing the Security Controls in Federal Information Systems, NIST 800-53A § SC-7, SC-7(1); AICPA SAS 94 § 319.45; FISCAM (Federal Information System Controls Audit Manual) AC-3.2(B); FIPS 191, Guideline for the Analysis of LAN Security 2.1.1; The National Strategy to Secure Cyberspace Pg. 47; GAO Financial Audit Manual 260.17 (e); Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives PE 8; DoD 5220.22-M, National Industrial Security Program Operating Manual § 8-700.a
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Retail Payment Systems Pg 33 states that the implemented logical access controls should also protect network access.
Healthcare and Life Science Guidance
Appendix A, § 4.4 of the CMS Systems Security Plan Methodology calls for a description of the WAN security controls for organizational systems. The controls should also discuss any additional hardware or technical controls that have been installed on systems and implemented to provide protection against unauthorized system penetration and other known internet threats and vulnerabilities.
Energy Guidance
The North American Electric Reliability Corporation's CIOP 005-1 R1.1 states that access points to the Electronic Security Perimeter(s) shall include any externally connected communication end point (for example, dial-up modems) terminating at any device within the Electronic Security Perimeter(s).
R1.2 states that for a dial-up accessible Critical Cyber Asset that uses a non-routable protocol, the Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device.
R1.3 states that communication links connecting discrete Electronic Security Perimeters shall not be considered part of the Electronic Security Perimeter. However, end points of these communication links within the Electronic Security Perimeter(s) shall be considered access points to the Electronic Security Perimeter(s).
R5.2 states that the Responsible Entity shall update the documentation to reflect the modification of the network or controls within ninety calendar days of the change.
US Federal Security Guidance
FISCAM AC-3.2 calls for the identification and control of all network access paths. Careful analysis is needed to identify all of the system's entry points and paths to sensitive files. FISCAM calls for the creation of an access path diagram identifying: the users of the system; the type of device from which they can access the system; the software used in the system; the resources they may access; the system on which these resources reside; and the modes of operation and telecommunication. The access path diagram should be reviewed and updated to include network changes.
FIPS Publication 191 calls for strong network configuration to defend against unauthorized LAN access. It describes in 2.1.1 a variety of vulnerabilities to which a LAN may fall prey. These include inappropriate identification schemes, poor password management, unprotected modems, poor physical control of network devices, lack of disconnect for multiple login failures, and no logging of activities or time-outs when an account is left inactive for an extended period of time.
The National Cyberspace Strategy Pg 47 calls for federal agencies to consider installing systems that continuously check for unauthorized connections to their networks.
GAO Financial Audit Manual 260.17(e) says different types of computer processing present different levels of risk, which must be taken into account. Peripheral access devices or system interfaces can take existing risk levels and increase them. Distributed networks also increase risk levels. Finally, application software developed in-house presents higher inherent risk as well. Thus, when determining network configuration, be aware of how each of these things increases risk and implement controls to reduce risk.
The Corporate Information Security Working Group, Report of the Best Practices Subgroup PE 8 states that the organization must ensure that the network architecture has been properly approved.
The DoD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM) § 8-700.a states that when connecting two or more networks, the organization shall review the security attributes of each network (even if the networks are accredited at the same protection level) to determine whether the combination of data and/or the combination of users on the connected network requires a higher protection level.
NIST Guidance
NIST 800-53, SC-7 states that any connections to the Internet, or other external networks or information systems, must occur through controlled interfaces (e.g., proxies, gateways, routers, firewalls, encrypted tunnels). The operational failure of the boundary protection mechanisms does not result in any unauthorized release of information outside of the information system boundary. Information system boundary protections at any designated alternate processing sites provide the same levels of protection as that of the primary site.
For medium and high impact systems, SC-7(1) suggests the organization physically allocate publicly accessible information system components (e.g., public web servers) to separate subnetworks with separate, physical network interfaces. The organization prevents public access into the organization’s internal networks except as appropriately mediated.
NIST 800-61 § 3.1.2 states that the organization should deny all network activity that is not expressly permitted. Only activity necessary for the proper functioning of the organization should be permitted. This includes securing all connection points, such as modems, virtual private networks (VPNs), and dedicated connections to other organizations.
International Standards Organization Guidance
ISO 17799 § 9.4 says network access control’s objective is to protect networked services. This can be done by providing appropriate interfaces between the organization’s network and networks owned by other organizations and making use of authentication mechanisms and access privileges.
The ISO/IEC 27002-2005 Code of practice for information security management § 11.4.3 states that equipment identification can be used to authenticate connections from specific equipment and locations. An identifier can be placed in or on the equipment to indicate if the computer can connect to the network.
The ISO 27001:2005 Information Security Management Systems - Requirements § A.11.4.6 states that the ability of users to connect across shared networks should be restricted. User access should be based on business requirements and the access control policy.
The ISO 17799:2005 Code of Practice for Information Security Management § 11.4.3 states that equipment identification can be used to authenticate connections from specific equipment and locations. An identifier can be placed in or on the equipment to indicate if the computer can connect to the network.
