Test and approve all external network connections through the firewall, ensuring that the changes and the changed documentation match each other and meet organizational standards.

UCF ID: 01270
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain a firewall standard for an overarching placement of all types of firewalls. [UCF Control ID 00546]

There are no supporting controls.

Authority documents complied with:

Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 1.1.1; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-23.b, App D-3; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-703; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.1, § 5.6.4, Exhibit 4 AC-19, Exhibit 4 AC-20, Exhibit 4 CA-3; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, CA-3; The Standard of Good Practice for Information Security, CB4.3.1, CB6.4.3(d), NW2.3.1(a), NW2.3.2, SD4.6.4(d); ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.10.8.5; Australian Government ICT Security Manual (ACSI 33), § 2.7.9, § 2.7.16, § 3.10.15, § 3.10.17, § 3.11.22; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 1.1.1; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007, Table 8-1 Item 3; DoD Instruction 8500.2 Information Assurance (IA) Implementation, EBCR-1; ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001, ¶ 13.2.4

Payment Card Guidance

The router and firewall configuration standards must include formal procedures for testing and approving all network connections.
Examine the firewall and router configuration procedures to verify they include a formal process for testing and approving all network connections.
[§ 1.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]

The router and firewall configuration standards must include formal procedures for testing and approving all network connections. [§ 1.1.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
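The control and the PCI guidance above both come down to one check that auditors actually perform: every accept rule that admits an external connection must be traceable to a documented, current approval, and every documented approval must correspond to a rule that exists. The script below is an added illustration written for this page, not code from the UCF or from PCI; the rule export and the approval register are constructed samples in a simple CSV-like form, and the field layout, the ticket names and the "approval covers rule" logic are assumptions, not any vendor's format. It reports rules with no approval, rules whose approval has expired, approvals with no matching rule (documentation drift), and any-source accept rules that deserve a second look regardless of paperwork.

```python
"""Reconcile a firewall's external-connection rules against an approved-connection register."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date

# Constructed sample export of firewall rules (assumed layout: name,src,dst,proto,port,action).
FIREWALL_EXPORT = """\
# name,src,dst,proto,port,action
partner-sftp,203.0.113.0/24,10.0.5.10/32,tcp,22,accept
vendor-api,198.51.100.7/32,10.0.8.20/32,tcp,443,accept
legacy-ftp,0.0.0.0/0,10.0.5.11/32,tcp,21,accept
blocked-telnet,0.0.0.0/0,10.0.0.0/8,tcp,23,drop
"""

# Constructed approved-connection register, i.e. the "changed documentation" the control
# requires to match the ruleset (assumed layout: ticket,src,dst,proto,port,owner,expires).
APPROVAL_REGISTER = """\
# ticket,src,dst,proto,port,owner,expires
CHG-1042,203.0.113.0/24,10.0.5.10/32,tcp,22,payments-team,2026-12-31
CHG-1077,198.51.100.0/24,10.0.8.20/32,tcp,443,platform-team,2024-01-31
CHG-1100,192.0.2.40/32,10.0.9.5/32,tcp,8443,data-team,2027-06-30
"""

AS_OF = date(2025, 6, 1)  # assumed review date for the sample run


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: int
    action: str


@dataclass(frozen=True)
class Approval:
    ticket: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: int
    owner: str
    expires: date


def _records(text: str):
    """Yield comma-separated fields, skipping blank lines and '#' comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield [f.strip() for f in line.split(",")]


def parse_rules(text: str) -> list[Rule]:
    return [Rule(n, ipaddress.ip_network(s), ipaddress.ip_network(d), p.lower(), int(port), a.lower())
            for n, s, d, p, port, a in _records(text)]


def parse_approvals(text: str) -> list[Approval]:
    return [Approval(t, ipaddress.ip_network(s), ipaddress.ip_network(d), p.lower(), int(port), o,
                     date.fromisoformat(e))
            for t, s, d, p, port, o, e in _records(text)]


def covers(a: Approval, r: Rule) -> bool:
    """An approval covers a rule only if the rule's endpoints lie inside the approved
    networks and protocol/port are identical; a rule broader than its approval is unapproved."""
    return (r.proto == a.proto and r.port == a.port
            and r.src.subnet_of(a.src) and r.dst.subnet_of(a.dst))


def reconcile(rules: list[Rule], approvals: list[Approval], today: date) -> dict:
    report = {"approved": [], "unapproved": [], "expired": [], "undocumented": [], "any_source": []}
    matched: set[str] = set()
    for r in rules:
        if r.action != "accept":
            continue  # only permitted connections need an approval
        if r.src.prefixlen == 0:
            report["any_source"].append(r.name)  # worth flagging even if documented
        hits = [a for a in approvals if covers(a, r)]
        if not hits:
            report["unapproved"].append(r.name)
            continue
        matched.update(a.ticket for a in hits)
        live = [a for a in hits if a.expires >= today]
        if live:
            report["approved"].append((r.name, live[0].ticket))
        else:
            report["expired"].append((r.name, hits[0].ticket))
    # Approvals with no surviving rule: documentation that no longer matches the device.
    report["undocumented"] = [a.ticket for a in approvals if a.ticket not in matched]
    return report


def run_sample() -> dict:
    return reconcile(parse_rules(FIREWALL_EXPORT), parse_approvals(APPROVAL_REGISTER), AS_OF)


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(f"{category}: {items}")
```

Run it as a scheduled job against a real rule export and the change-management register; a non-empty `unapproved`, `expired` or `undocumented` list is the finding an assessor would write up under § 1.1.1. Note that the matching is deliberately strict: a rule whose source is wider than the approved network is treated as unapproved, because a change that widened a rule without widening its approval is exactly the drift this control exists to catch.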

US Federal Security Guidance

The DAA should approve all connections to the network, including Internet connections. A memorandum of understanding should be signed by the DAAs of each connected system. Connections to unaccredited systems should only transmit non-sensitive data to and from the system. Connections to accredited systems should be consistent with the sensitivity level, the mode of operation, and any restrictions required for any of the systems. Systems that contain classified information must not be connected to the Internet. [§ 2-23.b, App D-3, Army Regulation 380-19: Information Systems Security, February 27, 1998]

Controlled interfaces must be tested and evaluated to ensure they can provide the proper separation required for the protection level. [§ 8-703, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

The information system is compliant with the organization’s connection rules. [EBCR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

US Internal Revenue Guidance

Wireless access, device access, and individual access to system(s) that contain Federal Tax Information must be authorized, documented, and monitored. The organization must develop a policy for mobile devices and authorized individuals to access the system from remote locations. The organization must authorize, using a connection agreement, and document connections to any system outside the accreditation boundary. These connections must be monitored on an ongoing basis. [§ 5.6.1, § 5.6.4, Exhibit 4 AC-19, Exhibit 4 AC-20, Exhibit 4 CA-3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

Organizational records and documents should be examined to ensure that all external connections are identified, authorized, and approved; that external connections are monitored and controlled on a continuous basis; and that specific responsibilities and actions are defined for the implementation of the information system connection control. Any problems discovered during the implementation of the information system connection control should be documented and used to improve the controls. Connection agreements should comply with NIST Special Publication 800-47.
Interviews should be conducted with personnel involved in identifying, approving, and monitoring external connections to the system.
[CA-3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

All connections to the WLAN should use IEEE 802.1X/EAP authentication based on an IEEE 802.11i RSNA. [Table 8-1 Item 3, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007]

ISO Guidance

When information systems will be interconnected, procedures and policies should be developed to provide for the protection of the information being used on those systems. [Annex A.10.8.5, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

Security Conditions For Connection. Unless security conditions for connection are in place and contractually agreed, an organization is in effect accepting the risks associated with the other end of a network connection.
As an example, organization A may require that before organization B can be connected to its systems via a network connection, B must maintain and demonstrate a specified level of security for its system involved in that connection. In this way A can be assured that B is managing its risks in a way that is acceptable. In such cases A should produce a security conditions for connection document that details the safeguards to be present at B's end. These should be implemented by B, followed by that organization signing a binding statement to that effect and that security will be maintained. A would reserve the right to commission or conduct a compliance check on B.
There will also be cases where organizations mutually agree on a "security conditions for connection" document which records obligations and responsibilities for all parties, including reciprocal compliance checking.
[¶ 13.2.4, ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001]

General Guidance

All external connections to applications and networks should be identified and approved by the applicable owners. Tested and approved application programming interfaces (APIs) should be used to connect web servers and application or database servers. [CB4.3.1, CB6.4.3(d), NW2.3.1(a), NW2.3.2, SD4.6.4(d), The Standard of Good Practice for Information Security]

Asia and Pacific Rim Guidance

Prior to approving an external network connection, the organization should review certification reports from the other organization to determine the risks associated with connecting to its system or network. The organization also should look at which other networks are connected to the other network. All gateways should be certified. Unaccredited portable computers or personal electronic devices should not be allowed to connect to the organization's system or store official information. [§ 2.7.9, § 2.7.16, § 3.10.15, § 3.10.17, § 3.11.22, Australian Government ICT Security Manual (ACSI 33)]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of notebooks and mobile devices that are required to be in compliance with approved configuration policy before being granted network access. [UCF Control ID 02106]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.