Establish, implement, and maintain a network configuration standard.


CONTROL ID
00530
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Identify and control all network access controls., CC ID: 00529

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain network segmentation requirements., CC ID: 16380
  • Establish, implement, and maintain a network security policy., CC ID: 06440
  • Maintain up-to-date network diagrams., CC ID: 00531
  • Maintain up-to-date data flow diagrams., CC ID: 10059


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should establish a secure Internet infrastructure (including the design of the demilitarized zone and configuration of the relevant devices, as well as intrusion detection controls) to support their Internet banking system. Moreover, AIs should implement adequate security measures for the intern… (§ 5.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should establish a secure Internet infrastructure (including the design of the demilitarized zone and configuration of the relevant devices, as well as intrusion detection controls) to support their Internet banking system. Moreover, AIs should implement adequate security measures for the intern… (§ 5.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Overall responsibility for network management should be clearly assigned to individuals who are equipped with the know-how, skills and resources to fulfill their duties. Network standards, design, diagrams and operating procedures should be formally documented, kept up to date, communicated to all r… (6.1.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • If wireless local area networks (WLANs) are to be deployed, AIs should develop policies and procedures for approval, installation, operation and administration of WLANs. A risk assessment process for evaluating the sensitivity of information to be accessible via a WLAN should be formulated before a … (6.3.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The organization shall consider implementing network configurations that separate networks connected to external networks from networks that are not connected to external networks. (T43.7, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Determining the most appropriate network configuration to ensure adequate security and performance for the bank (Critical components of information security 24) iv. Bullet 5, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Network documentation is updated as network configuration changes are made and includes a 'current as at [date]' or equivalent statement. (Security Control: 0518; Revision: 4, Australian Government Information Security Manual, March 2021)
  • Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices. (Security Control: 0516; Revision: 4, Australian Government Information Security Manual, March 2021)
  • IPv6 capable network security devices are used on IPv6 and dual-stack networks. (Security Control: 1186; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Public IP addresses controlled by, or used by, an organisation are signed by valid ROA records. (Control: ISM-1783; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Public IP addresses controlled by, or used by, an organisation are signed by valid ROA records. (Control: ISM-1783; Revision: 0, Australian Government Information Security Manual, September 2023)
  • The information security policy should include networking and connections to other systems. (Control: 0890 Bullet 5, Australian Government Information Security Manual: Controls)
  • The organization should ensure the network configuration is maintained under the control of a central network management authority. (Control: 0513, Australian Government Information Security Manual: Controls)
  • The detailed network configuration documentation must be classified at least at the same level as the network that it covers. (Control: 1177, Australian Government Information Security Manual: Controls)
  • The detailed network configuration documentation must not be published in tender documentation. (Control: 1180, Australian Government Information Security Manual: Controls)
  • The network configuration should be kept under the control of a central network management authority. The network should be configured to minimize the opportunity for information to be accessed without authorization while in transit. This should be accomplished by use of firewalls, routers, switches… (§ 3.10.5, § 3.10.8, Australian Government ICT Security Manual (ACSI 33))
  • Prepare a network plan and examine the additional information available on the IT systems contained and update and complete, if necessary. (4.2.3 Bullet 3, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Prepare a network plan and examine the additional information available on the communication links contained and update and complete, if necessary. (4.2.3 Bullet 4, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Determining a network plan (§ 8.1 ¶ 5 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • For defining the protection needs of other devices, first the business processes and applications for which these devices are used and how their protection needs are inherited must be determined. This information has been determined in Section 8.1.7 and Section 8.2.6. Here, the data flow via such … (§ 8.2.6 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In the field of networks, the employed network management tools should support automatic creation of network plans. In addition to the physical IT systems, it also should be possible to automatically map virtual IT systems (e.g. virtual switches, virtual routers, virtual security gateways). (§ 8.1.4 ¶ 6, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Document all critical communication links in tabular or graphical form (§ 8.2.8 Subsection 2 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • With regard to using the network plan for the structure analysis, the next step entails comparing the existing network plan (or partial plans, if the overall plan has been divided into smaller sections to make it easier to read) with the actual existing IT structure and if necessary updating it to r… (§ 8.1.4 Subsection 1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In order to take into account the different protection needs of the users, cloud computing platforms must be multi-client capable and ensure reliable and continuous separation of users for the whole cloud computing stack (servers, networks, storage and management). In addition to the usual security … (§ 8.2.9 Subsection 1 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Physical and virtualised network environments are designed and configured in such a way that the connections between trusted and untrusted networks must be restricted and monitored. At defined intervals, it is reviewed whether the use of all services, logs and ports serve a real commercial purpose. … (Section 5.9 KOS-02 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Network/infrastructure components (own or customer networks) are protected against unauthorized access. (3.1.1 Requirements (should) Bullet 4, Information Security Assessment, Version 5.1)
  • A procedure for securing and using network services is defined and implemented. (5.3.2 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • Requirements regarding the information security of network services are determined and fulfilled. (5.3.2 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • operating system, network, and firewall configuration; (§ 7.11 Bullet 9, SS2/21 Outsourcing and third party risk management, March 2021)
  • (§ 4.2.4.2, OGC ITIL: Security Management)
  • Traffic over the WLAN should be monitored by an intrusion detection system (IDS) or intrusion protection system (IPS). If this is not possible, ensure Remote Management has been disabled. (§ 2.3.1 (2.3.1.020), The Center for Internet Security Wireless Networking Benchmark, 1)
  • The organization should choose products that support security management solutions on a network level. (§ 1.2 (2.3.1.020), The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, 1)
  • The organization should choose products that support security management solutions on a network level. (§ 1.2 (2.3.1.020), The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, 1)
  • The organization should choose products that support security management solutions on a network level. (§ 1.2 (2.3.1.020), The Center for Internet Security Wireless Networking Benchmark, Linksys Addendum, 1)
  • The organization must develop standards that address all known vulnerabilities and use any of the industry accepted hardening standards. (§ 2.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Defined. (1.2.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Implemented. (1.2.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Maintained. (1.2.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective. (1.2.7, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine configuration settings for NSC rulesets to verify that rulesets are implemented according to the configuration standards. (1.2.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documentation to verify procedures are defined for reviewing configurations of NSCs at least once every six months. (1.2.7.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documentation of reviews of configurations for NSCs and interview responsible personnel to verify that reviews occur at least once every six months. (1.2.7.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine the configuration standards for NSC rulesets to verify the standards are in accordance with all elements specified in this requirement. (1.2.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine configuration files for NSCs to verify they are in accordance with all elements specified in this requirement. (1.2.8, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Defined. (1.2.1 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Implemented. (1.2.1 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Maintained. (1.2.1 Bullet 3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective. (1.2.7, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective. (1.2.7, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Defined. (1.2.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Implemented. (1.2.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Maintained. (1.2.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Maintained. (1.2.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective. (1.2.7, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Defined. (1.2.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Implemented. (1.2.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Organizational networks are most likely to be connected to many external networks, not just the Internet. More access is being granted to the organizational network to outsiders due to key processes being automated. External networks should not be trusted, since they are not under the organization's… (§ 3.4, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • To ensure network security, the following elements should be a part of the data protection efforts: documenting, designing, and implementing the network properly; configuring firewalls to deny unauthorized traffic; physically and logically separating the client network from the service provider's LA… (§ 5.2 (Network Security), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which cover security architecture principles. (CF.09.01.01a, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which cover standard security management practices. (CF.09.01.01b, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which cover device configuration. (CF.09.01.01c, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which cover restricting access to network devices. (CF.09.01.01d, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which cover vulnerability and patch management. (CF.09.01.01e, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which cover changes to routing tables and settings in network devices. (CF.09.01.01f, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which cover regular review of network device configuration and setup. (CF.09.01.01g, The Standard of Good Practice for Information Security)
  • Network documentation (e.g., diagrams, inventories, and schedules) should be readily accessible to authorized individuals. (CF.09.02.04b, The Standard of Good Practice for Information Security)
  • Network storage systems, such as Storage Area Network and network-attached storage should be deployed, configured, and maintained in accordance with documented standards / procedures. (CF.07.04.01, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which cover security architecture principles. (CF.09.01.01a, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which cover standard security management practices. (CF.09.01.01b, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which cover device configuration. (CF.09.01.01c, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which cover restricting access to network devices. (CF.09.01.01d, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which cover vulnerability and patch management. (CF.09.01.01e, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which cover changes to routing tables and settings in network devices. (CF.09.01.01f, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which cover regular review of network device configuration and setup. (CF.09.01.01g, The Standard of Good Practice for Information Security, 2013)
  • Network documentation (e.g., diagrams, inventories, and schedules) should be readily accessible to authorized individuals. (CF.09.02.04b, The Standard of Good Practice for Information Security, 2013)
  • Network storage systems, such as Storage Area Network and network-attached storage should be deployed, configured, and maintained in accordance with documented standards / procedures. (CF.07.04.01, The Standard of Good Practice for Information Security, 2013)
  • The organization should verify all servers that are visible from untrusted networks and the Internet and move ones that are not required for business purposes to an internal Virtual Local Area Network and assigned a private address. (Critical Control 11.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The network should be designed with at least a three-tiered architecture (a Demilitarized Zone, middleware, and a private network). (Critical Control 19.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization shall document the specific network components and the incorporated medical devices and other equipment on the network infrastructure. (§ 4.3.2 ¶ 1(a), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall document the operational characteristics of the network infrastructure, such as bandwidth. (§ 4.3.2 ¶ 1(b), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall document the hardware configuration and the software configuration of the network. (§ 4.3.2 ¶ 1(e), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall establish and maintain network documentation for the interfaces between the medical devices and the network components in order to support Risk Management, including the physical network configuration and the logical network configuration. (§ 4.3.3 ¶ 1(a), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall establish and maintain network documentation for the interfaces between the medical devices and the network components in order to support Risk Management, including the conformance statements and the applied standards. (§ 4.3.3 ¶ 1(b), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall establish and maintain network documentation for the interfaces between the medical devices and the network components in order to support Risk Management, including the logical client/server structure and the physical client/server structure. (§ 4.3.3 ¶ 1(c), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall establish and maintain network documentation for the interfaces between the medical devices and the network components in order to support Risk Management, including the data security, reliability, and network security. (§ 4.3.3 ¶ 1(d), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall establish and maintain network documentation for the interfaces between the medical devices and the network components in order to support Risk Management, including the medical device manufacturer's network communication requirements. (§ 4.3.3 ¶ 1(e), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall establish and maintain network documentation for the interfaces between the medical devices and the network components in order to support Risk Management, including the planned and reasonably foreseeable changes, enhancements, and upgrades. (§ 4.3.3 ¶ 1(f), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • ¶ 8.2.4(3) Network Management. An organization should implement safeguards to achieve network management, which includes planning, operation and administration of networks. The proper configuration and administration of networks is an effective means to reduce risks. Safeguards in the area of netwo… (¶ 8.2.4(3), ¶ 9.2 Table Row "Network Configuration", ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • ¶ 13.7 Network Security Management. The management of any network should be undertaken in a secure manner, and indeed provide support for the management of network security. This should be accomplished with due consideration of the different network protocols available and related security services… (¶ 13.7, ¶ 13.8, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Electronic commerce traffic passing over public networks should be protected from fraudulent activity, modification, disclosure, or dispute. Security considerations for electronic commerce are as follows: the level of confidence for each party; determining and meeting requirements for confidentialit… (§ 10.9.1, ISO 27002 Code of practice for information security management, 2005)
  • Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. (§ 8.9 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Accreditation of multiple networks by a single individual should include communications integrity (authentication and nonrepudiation), compromise protection (data and traffic flow confidentiality and selectively route transmissions over the network), and denial of service characteristics (continuity… (§ 2-23.c, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • CSR 1.13.9: Before mobile or portable information systems are connected to the Medicare claims processing networks, the organization must perform the following: scan for malicious code, update the virus protection software, disable unnecessary hardware, conduct primary operating system integrity che… (CSR 1.13.9. CSR 10.6.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Each agency must develop, document, and implement an information security program agency wide that includes policies and procedures that ensure compliance with the minimally acceptable system configuration requirements and other applicable requirements. (§ 3544(b)(2)(D)(iii), Federal Information Security Management Act of 2002, Deprecated)
  • Webmail application servers must be configured according to the Web Services STIG and the appropriate operating system STIG. The Network Infrastructure STIG and Enclave STIG must be followed for all network, device security, remote access, and architectural requirements. (§ 2.1, § 3, § 6, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • § 3.1 Network Access Control (NAC) solutions can be configured to work in conjunction with pre-existing security technologies to provide post-connect NAC. Alerts from systems (such as IDS) and vulnerability scanners can trigger the NAC system to revoke access previously granted to an endpoint or a … (§ 3.1, § 3.2, DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1)
  • The cognizant security authority must review the security attributes of each network being connected to ensure the combination of data and/or users does not require a higher protection level. (§ 8-700.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Network configuration management and change control processes. (V Action Summary ¶ 2 Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The network is fully documented, including remote and public access, with documentation available only to authorized persons; (TIER II OBJECTIVES AND PROCEDURES D.1. Bullet 12, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine whether audit procedures for information security adequately consider the risks in information security and e-banking. Evaluate whether ▪ A written and adequate data security policy is in effect covering all major operating systems, databases, and applications; ▪ Existing controls comp… (Exam Tier II Obj D.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • (Obj 1.7, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should maintain an up-to-date network configuration. The network configuration documentation should have enough detail for the organization to troubleshoot any problems, help the organization recover after a disruption, and aid in planning for any expansions to the network. The netw… (Pg 9, Pg 10, Pg 28, FFIEC IT Examination Handbook - Operations, July 2004)
  • The network should be configured to protect the retail payment system from unauthorized access. (Pg 33, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., FedRAMP Security Controls High Baseline, Version 5)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., FedRAMP Security Controls Low Baseline, Version 5)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Have policies, procedures, and practices been implemented that describe how the network components are configured? (IT - Networks Q 19, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The network should be configured to allow only activity that has been expressly permitted and that is necessary for the proper functioning of the organization. To aid in preventing DoS attacks, key functions (firewalls, web servers) should have redundancy implemented, and networks and systems should… (§ 3.1.2 ¶ 3, § 4.2.2, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • A network bridge allows two dissimilar networks to be joined. The connection is transparent, but the address of the network is visible on the other network. A bridge should not be implemented because it can expose the network to additional threats. (§ 3.1.1, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Virtual private networks (VPNs) that are being used to protect the confidentiality of WLAN communications should be configured to use FIPS-validated algorithms. (§ 6.3.1 Par 2, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • When placing servers in firewall environments, where to place them is dependent on the number of DMZs, external and internal access required for the servers located on the DMZ, the amount of traffic and the sensitivity of the data served. Placement should be done in a way that protects external serv… (§ 3.9, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Establish and document policies and procedures for assessing and maintaining configuration information, for tracking changes made to the pipeline cyber assets, and for patching/upgrading operating systems and applications. Ensure that the changes do not adversely impact existing cybersecurity contro… (Table 2: Asset Management Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., TX-RAMP Security Controls Baseline Level 1)
  • Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and (AC-17a., TX-RAMP Security Controls Baseline Level 2)