Network configuration

The organization will ensure that network standards and procedures specify methods of controlling the technical aspects of the network (eg network design, traffic management, network monitoring). [UCF ID 00530]

Supporting and supported controls

This control directly supports:

Ensure network access points are identified and controlled [UCF Control ID 00529]

This control has the following supporting controls:

Maintain up to date network diagrams [UCF Control ID 00531]
Segregate security restricted servers into their own domain [UCF Control ID 00533]
Plan for, and have approved, all network changes [UCF Control ID 00534]
Scan for unknown workstations and other network devices and default deny access [UCF Control ID 00536]
Place intrusion detection and intrusion response systems in network locations where they will be the most effective [UCF Control ID 04589]

Authority documents complied with:

Australian Government ICT Security Manual (ACSI 33) § 3.10.5, 3.10.8; FFIEC IT Examination Handbook – Information Security Pg 38, Pg 82; FFIEC IT Examination Handbook – Audit Exam Tier II Obj D.1; FFIEC IT Examination Handbook – Operations Pg 9, Pg 10, Pg 28; FFIEC IT Examination Handbook – Retail Payment Systems Pg 33; FFIEC IT Examination Handbook – E-Banking Obj 1.7; The Standard of Good Practice for Information Security SM6.5.3(a), NW1.2.2, NW1.3.3(d), NW2.1.2(e), NW2.1.2(f), NW2.1.5, NW2.3.1(b); ISO 17799:2005 Code of Practice for Information Security Management § 10.9.1; ISO 27001:2005, Information Security Management Systems - Requirements § A.10.9.1; ISO/IEC 27002-2005 Code of practice for information security management § 10.9.1; OGC ITIL: Security Management 4.2.4.2; Guidelines on Firewalls and Firewall Policy, NIST SP 800-41 3.9; Computer Security Incident Handling Guide, NIST SP 800-61 § 4.2.2; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 § 2.2(b); Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 § 2.2(b); Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68 § 3.1.1

Banking and Finance Guidance

The FFIEC IT Examination Handbook – Retail Payment Systems Pg 33 states that the network should be configured to protect the retail payment system from unauthorized access.

Credit Card Guidance

§ 2.2 of Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 states that the organization must develop standards that address all known vulnerabilities and use any of the industry accepted hardening standards.

§ 2.2(b) of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 states that the organization must develop standards that address all known vulnerabilities and use any of the industry accepted hardening standards.

US Federal Security Guidance

FIPS Publication 191 § 2.1.3 discusses problems that may be encountered when a LAN needs to protect sensitive data. Potential vulnerabilities mentioned include improper access control settings, data or application source code stored in unencrypted form, viewable monitors in high-traffic areas, printer stations in high-traffic areas, and data and software backup copies stored in open areas.

FIPS Publication 191 § 2.1.7 describes ways in which LAN functions may be disrupted. Disruptions may come from an inability to detect unusual traffic patterns, an inability to reroute traffic, single-point-of-failure configurations, unauthorized changes to hardware components, improper maintenance, and poor physical security. It is implied that good network configuration will defend against or avoid most, if not all, of these problems.

NIST Guidance

NIST SP 800-41 § 3.9 says that when placing servers in firewall environments, the placement depends on the number of DMZs, the external and internal access required for the servers located on the DMZ, the amount of traffic, and the sensitivity of the data served. External servers should be protected by a boundary router or packet filter. Servers that are externally accessible should not be placed on the protected (internal) network. Internal servers should be placed behind internal firewalls, with the firewalls configured to the appropriate level of sensitivity. Finally, servers should be isolated so that an attack on one of them does not have a negative impact on the rest of the network.

NIST SP 800-61 § 4.2.2 mentions that, as part of preventing denial-of-service attacks, network perimeters should be configured to deny all incoming and outgoing traffic that is not expressly permitted.
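The two NIST points above (default-deny perimeter policies and keeping externally reachable servers off the protected network) are both checkable against a firewall configuration. The script below is an added example, not part of the UCF control text or any NIST publication: it parses a filter table in `iptables-save` format and reports where the ruleset departs from those points. The interface-to-zone mapping (`eth0` external, `eth1` DMZ, `eth2` internal) and both rulesets are constructed for the example; a real audit would take the mapping from the network diagram the control requires.

```python
"""Audit an iptables-save style filter table for default-deny policies and
for server placement that keeps internet-reachable services out of the
protected network. Example code; the zone mapping and dumps are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed interface roles for this example; take them from the network diagram in practice.
ZONES = {"eth0": "external", "eth1": "dmz", "eth2": "internal"}
ALL_ZONES = set(ZONES.values())

# Constructed weak ruleset: accept-by-default, and an internet-facing service
# (443) lives on the internal network, while DMZ hosts may reach it freely.
WEAK_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth2 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT
COMMIT
"""

# Constructed hardened ruleset: drop-by-default, the public service sits in the
# DMZ, and only the internal zone may open connections towards the DMZ.
HARDENED_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp --dport 22 -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    chain: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[str] = None
    ctstate: Optional[str] = None
    target: Optional[str] = None


@dataclass
class FilterTable:
    policies: dict = field(default_factory=dict)  # chain name -> default policy
    rules: list = field(default_factory=list)


# Only the match options this audit needs; other options are skipped.
OPTS = {"-i": "in_if", "-o": "out_if", "-p": "proto", "--dport": "dport",
        "--ctstate": "ctstate", "-j": "target"}


def parse_filter_table(dump: str) -> FilterTable:
    """Parse the *filter section of an iptables-save dump into policies and rules."""
    table = FilterTable()
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith(":"):  # ":CHAIN POLICY [packets:bytes]"
            name, policy = line[1:].split()[:2]
            table.policies[name] = policy
            continue
        if line.startswith("-A "):
            parts = line.split()
            rule = Rule(chain=parts[1])
            i = 2
            while i < len(parts):
                attr = OPTS.get(parts[i])
                if attr and i + 1 < len(parts):
                    setattr(rule, attr, parts[i + 1])
                    i += 2
                else:
                    i += 1
            table.rules.append(rule)
    return table


def zones_for(iface: Optional[str]) -> set:
    """A rule with no interface match applies to traffic from/to every zone."""
    if iface is None:
        return ALL_ZONES
    return {ZONES.get(iface, "unknown")}


def audit(table: FilterTable) -> list:
    """Return human-readable findings; an empty list means both checks pass."""
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        policy = table.policies.get(chain, "missing")
        if policy != "DROP":
            findings.append(f"{chain}: policy is {policy}, expected DROP (default deny)")
    for r in table.rules:
        if r.chain != "FORWARD" or r.target != "ACCEPT":
            continue
        # Reply-only rules (no NEW state) do not open a path, so skip them.
        if r.ctstate and "NEW" not in r.ctstate.split(","):
            continue
        src, dst = zones_for(r.in_if), zones_for(r.out_if)
        path = f"{r.in_if or 'any'} -> {r.out_if or 'any'} dport {r.dport or 'any'}"
        if "external" in src and "internal" in dst:
            findings.append(f"FORWARD: externally reachable service on the protected network ({path})")
        if "dmz" in src and "internal" in dst:
            findings.append(f"FORWARD: DMZ host may open connections into the protected network ({path})")
    return findings


if __name__ == "__main__":
    for label, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        print(f"== {label} ==")
        for finding in audit(parse_filter_table(dump)) or ["no findings"]:
            print("  " + finding)
```

Running the script prints five findings for the weak ruleset (three accept-by-default policies, one internet-facing service on the internal network, one unrestricted DMZ-to-internal path) and none for the hardened one. The zone check deliberately treats a `FORWARD ... -j ACCEPT` rule with no `-i`/`-o` match as reaching every zone, which is how such a rule behaves; only a stateful reply-only rule is exempt.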

Systems security checklist guidance

The Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68 § 3.1.1, states that a network bridge allows two dissimilar networks to be joined. The connection is transparent, but addresses on one network are visible from the other. A bridge should not be implemented because it can expose the network to additional threats.

International Standards Organization Guidance

The ISO/IEC 27002-2005 Code of practice for information security management § 10.9.1 states that electronic commerce traffic passing over public networks should be protected from fraudulent activity, modification, disclosure, or dispute. Security considerations for electronic commerce are as follows: the level of confidence for each party; determining and meeting requirements for confidentiality, integrity, and receipt of documents; the level of confidence for various sensitive documents; verification for payment; keeping confidentiality and integrity of orders; avoiding loss or duplication of transactions; liability due to fraudulent transactions; and insurance requirements.

The ISO 27001:2005 Information Security Management Systems - Requirements § A.10.9.1 states that procedures should be in place to protect all electronic commerce information transmitted over public networks. These procedures should cover the following situations: fraudulent activity and unauthorized disclosure and modification, as well as contract disputes.

The ISO 17799:2005 Code of Practice for Information Security Management § 10.9.1 states that electronic commerce traffic passing over public networks should be protected from fraudulent activity, modification, disclosure, or dispute. Security considerations for electronic commerce are as follows: the level of confidence for each party; determining and meeting requirements for confidentiality, integrity, and receipt of documents; the level of confidence for various sensitive documents; verification for payment; keeping confidentiality and integrity of orders; avoiding loss or duplication of transactions; liability due to fraudulent transactions; and insurance requirements.

Asia and Pacific Rim Guidance

The Australian Government ICT Security Manual (ACSI 33) § 3.10.5 and § 3.10.8 state that the network configuration should be kept under the control of a central network management authority. The network should be configured to minimize the opportunity for information to be accessed without authorization while in transit. This should be accomplished by use of firewalls, routers, switches, and/or encryption.

Metrics

The metrics associated with this control are as follows:

• Metric Reporting Standard 02097.doc
• Metric Reporting Standard 02098.doc
• Metric Reporting Standard 02082.doc