
Identify and control all network access controls.


CONTROL ID
00529
CONTROL TYPE
Technical Security
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Technical security, CC ID: 00508

This Control has the following implementation support Control(s):
  • Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective., CC ID: 04589
  • Establish, implement, and maintain a network configuration standard., CC ID: 00530
  • Manage all internal network connections., CC ID: 06329
  • Manage all external network connections., CC ID: 11842
  • Secure the Domain Name System., CC ID: 00540
  • Establish, implement, and maintain a Boundary Defense program., CC ID: 00544
  • Establish, implement, and maintain Voice over Internet Protocol Configuration Management standards., CC ID: 11853
  • Establish, implement, and maintain a Wireless Local Area Network Configuration Management standard., CC ID: 11854
  • Establish, implement, and maintain Voice over Internet Protocol design specification., CC ID: 01449
  • Establish, implement, and maintain a Wireless Local Area Network Configuration Management program., CC ID: 01646


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • O56.3(3): The organization shall monitor connections from internal lines to external lines and external lines to internal systems. T43: The organization shall implement preventive measures against unauthorized access at the point the internal network connects to the external network for systems that… (O56.3(3), T43, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Network Access Control (Critical components of information security 1) 2) q. iii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • An effective approach to securing a large network involves dividing the network into logical security domains. A logical security domain is a distinct part of a network with security policies that differ from other domains and perimeter controls enforcing access at a network level. The differences m… (Critical components of information security 24) iv., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Centralize modem and Internet access to provide a consistent authentication process, and to subject the inbound and outbound network traffic to appropriate perimeter protections and network monitoring (Critical components of information security 25) iii.i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Remote access to a bank's provides an attacker with the opportunity to manipulate and subvert the bank's systems from outside the physical security perimeter. The management should establish policies restricting remote access and be aware of all remote-access devices attached to their systems. These… (Critical components of information security 25) ii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Identifying all access points to the network including various telecommunications channels like ethernet, wireless, frame relay, dedicated lines, remote dial-up access, extranets, internet (Critical components of information security 24) iv. Bullet 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Identifying all connections to critical networks and conducting risk analysis including necessity for each connection. All unnecessary connections to critical networks to be disconnected. (Critical components of information security 24) viii. ¶ 1 c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Unlike wired networks, unauthorized monitoring and denial of service attacks can be performed without a physical wire connection. Additionally, unauthorized devices can potentially connect to the network, perform man-in-the-middle attacks, or connect to other wireless devices. To mitigate those ris… (Critical components of information security 28) ii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Conducting physical security surveys and assessing all remote sites connected to the critical network to evaluate their security. Any location that has a connection to the critical network is a target, especially unmanned or unguarded remote sites. There is also a need to identify and assess any sou… (Critical components of information security 24) viii. ¶ 1 h., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • With a clear understanding of network connectivity, banks can avoid introducing security vulnerabilities by minimizing access to less-trusted domains and employing encryption and other controls for less secure connections. Banks can then determine the most effective deployment of protocols, filterin… (Critical components of information security 24) v., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A firewall should ideally be placed on the host OS to protect the system, or a firewall should at least be local to a small number of systems for protection purposes, with access allowed only for management purposes. Additionally, the firewall should restrict access to only those systems authorized … (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 1 ¶ 9 k., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Internet web browsing provides a conduit for cyber criminals to access the FI's IT systems. In this regard, the FI should consider isolating internet web browsing activities from its endpoint devices through the use of physical or logical controls, or implement equivalent controls, so as to reduce e… (§ 11.2.6, Technology Risk Management Guidelines, January 2021)
  • For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party. (Security Control: 0629; Revision: 3, Australian Government Information Security Manual)
  • Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks. (Security Control: 1271; Revision: 2, Australian Government Information Security Manual)
  • Wireless access points enable the use of the 802.11w amendment to protect management frames. (Security Control: 1335; Revision: 1, Australian Government Information Security Manual)
  • The organization should implement network access controls on all of the networks. (Control: 0520, Australian Government Information Security Manual: Controls)
  • Network devices must be prevented from connecting to an organizationally controlled network and a non-organizationally controlled network at the same time. (Control: 1345, Australian Government Information Security Manual: Controls)
  • (§ 4.2.4.2, OGC ITIL: Security Management)
  • Your provider should make the tools available for you to securely manage your use of their service. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of your resources, applications and data. (9. ¶ 1, Cloud Security Guidance, 1.0)
  • Users should be provided with the tools required to help them securely manage their service. (9: ¶ 1, Cloud Security Guidance, 1.0)
  • Points of access to the entity's information assets from internal and external users and outside entities and the types of data that flow through the points of access are identified, inventoried and managed. The types of users and the systems authorized to connect to each point of access are identif… (S7.1 Manages points of access, Privacy Management Framework, Updated March 1, 2020)
  • (§ I.16, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Has the organization taken an inventory of each Access Point to the network (e.g., every connected device, wireless, remote, etc.), inside and outside of the firewall, in order to identify potential points of vulnerability? (Table Row I.16, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Do the access points contain "flashable" firmware only? (Table Row XIII.14, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Identifying all connected entities—e.g., third-party entities with access to the cardholder data environment (CDE) (A3.2.1 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Identify and authenticate access to system components (Requirement 8:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Identify and authenticate access to system components (Requirement 8:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Identify and authenticate access to system components (Requirement 8:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Identify and authenticate access to system components (Requirement 8:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • § 4.4.1.D Centralized management systems that can control and configure distributed wireless networks are recommended. § 4.6.1.A An organization must require explicit management approval to use wireless networks in the Cardholder Data Environment (CDE). Any unsanctioned wireless must be removed fr… (§4.4.1.D, § 4.6.1.A, § 4.6.1.B, § 4.6.1.C, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Networks should be designed to restrict the number of entry points into networks. (CF.07.01.06e, The Standard of Good Practice for Information Security)
  • Network devices should be restricted to authorized network staff, using access controls that support individual accountability, and protected from unauthorized access. (CF.09.01.05, The Standard of Good Practice for Information Security)
  • Network access points should be protected by disabling them on the network device (e.g., a network switch) until required. (CF.09.02.02b, The Standard of Good Practice for Information Security)
  • Information Systems and networks accessible by external connections should restrict connections to defined entry points (e.g., specific network gateways). (CF.09.03.03b, The Standard of Good Practice for Information Security)
  • External access should be prevented if unauthorized (or when no longer required) by removing or disabling computer and network connections (e.g., by physically removing a network connection, modifying firewall rules, updating Access Control Lists, and configuring routing tables on network routers). (CF.09.03.10a, The Standard of Good Practice for Information Security)
  • Network storage systems should be subject to standard security management practices (e.g., restricting physical access, performing system 'hardening', applying Change Management and malware protection, monitoring them, and performing regular reviews). (CF.07.04.04, The Standard of Good Practice for Information Security)
  • Networks should be designed to restrict the number of entry points into networks. (CF.07.01.06e, The Standard of Good Practice for Information Security, 2013)
  • Network devices should be restricted to authorized network staff, using access controls that support individual accountability, and protected from unauthorized access. (CF.09.01.05, The Standard of Good Practice for Information Security, 2013)
  • Network access points should be protected by disabling them on the network device (e.g., a network switch) until required. (CF.09.02.02b, The Standard of Good Practice for Information Security, 2013)
  • Information Systems and networks accessible by external connections should restrict connections to defined entry points (e.g., specific network gateways). (CF.09.03.03b, The Standard of Good Practice for Information Security, 2013)
  • External access should be prevented if unauthorized (or when no longer required) by removing or disabling computer and network connections (e.g., by physically removing a network connection, modifying firewall rules, updating Access Control Lists, and configuring routing tables on network routers). (CF.09.03.10a, The Standard of Good Practice for Information Security, 2013)
  • Network storage systems should be subject to standard security management practices (e.g., restricting physical access, performing system 'hardening', applying Change Management and malware protection, monitoring them, and performing regular reviews). (CF.07.04.04, The Standard of Good Practice for Information Security, 2013)
  • Restrict Internet Access & Protect Critical Systems from General IT Environment (1, SWIFT Customer Security Controls Framework, Customer Security Programme, v2019)
  • The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems. (CIS Control 15: Wireless Access Control, CIS Controls, 7.1)
  • Centralize network AAA. (CIS Control 12: Safeguard 12.5 Centralize Network Authentication, Authorization, and Auditing (AAA), CIS Controls, V8)
  • Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication. (CIS Control 13: Safeguard 13.9 Deploy Port-Level Access Control, CIS Controls, V8)
  • ¶ 7.2 Identification Process. A recommended process for the identification and analysis of the communications related factors that should be taken into account to establish network security requirements, and the provision of an indication of the potential safeguard areas. When considering network c… (¶ 7.2, ¶ 9.2, ¶ 10 Table 1 Clause 10.1, ¶ 10 Table 1 Clause 10.2, ¶ 10 Table 1 Clause 10.3, ¶ 10 Table 1 Clause 10.4, ¶ 10 Table 1 Clause 10.5, ¶ 10 Table 1 Clause 10.6, ¶ 13.2, ¶ 13.2.1, ¶ 13.3.4, ¶ 13.5, ¶ 13.12, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Equipment identification can be used to authenticate connections from specific equipment and locations. An identifier can be placed in or on the equipment to indicate if the computer can connect to the network. (§ 11.4.3, ISO 27002 Code of practice for information security management, 2005)
  • Communications and control networks are protected. (PR.PT-4, CRI Profile, v1.2)
  • Network integrity is protected, incorporating network segregation where appropriate. (PR.AC-5, CRI Profile, v1.2)
  • Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. (CC6.1 Manages Points of Access, Trust Services Criteria)
  • Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. (CC6.1 ¶ 2 Bullet 5 Manages Points of Access, Trust Services Criteria, (includes March 2020 updates))
  • The organization must ensure that the network architecture has been properly approved. (§ 8, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • Does the system isolate the critical network segments? (§ G.11.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • For Windows 2003 Server, the organization must configure the system per the NIST SP 800-53 Network Security control requirements. (Table F-2, CMS Business Partners Systems Security Manual, Rev. 10)
  • The organization must implement authentication procedures to restrict access to highly sensitive data and critical systems/business processes; grant access to critical network device functions; and control remote access to networks. (CSR 10.8.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Remote access servers must be configured to prevent remote users from having access to the control, management, and configuration functions. (§ 4.2.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • § 2.3 Remote access, mobile access, and telework may use a number of different communications methods. These connections primarily use a virtual private network (VPN) client to create an encrypted "tunnel" into the DoD network. Methods include: • Broadband networks (such as cable modem, digital s… (§ 2.3, § 2.4, § 2.5, § 3.1, § 3.2, § 4.2, § 4.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1)
  • § 2.2 (WIR1250) Implement wireless e-mail servers and handheld configuration settings. § 3.2 The Apriva Sensa secure mobile e-mail system and network components should be implemented according to organization's recommended Sensa Systems Architecture (§ 2.2 (WIR1250), § 3.2, DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • § 3.2 Good Mobile Messaging (GMM) wireless e-mail system and network components should be implemented according to organization's recommended GMM Systems Architecture. § 3.15 The Good Mobile Internet Server (GMI) provides the following services: • Forces all Internet browsing via a secure connec… (§ 3.2, § 3.15, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • The Windows Mobile Messaging e-mail system and network components should be implemented according to organization's recommended Windows Mobile Messaging System Architecture (§ 3.3, DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • The organization must manage and control all Internet access points. (EBBD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Internet access must be proxied through Internet access points that are isolated by technical or physical means and under the control and management of the enclave. (EBBD-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Asks federal agencies to consider installing systems that continuously check for unauthorized connections to their networks. (Pg 47, The National Strategy to Secure Cyberspace, February 2003)
  • The agency shall control access to the networks that process criminal justice information. (§ 5.10.1.1(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Control access to networks processing CJI. (§ 5.10.1.1 ¶ 1(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Controls needed to adequately safeguard the network. (App A Objective 10:1d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implements appropriate controls over wired and wireless networks. (App A Objective 6.10.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should secure access to computer networks through multiple layers of access controls by doing the following: - Establishing zones (e.g., trusted and untrusted) according to the risk profile and criticality of assets contained within the zones and appropriate access requirements within an… (II.C.9 Network Controls, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Network services. (App A Objective 12:12 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether audit procedures for information security adequately consider the risks in information security and e-banking. Evaluate whether ▪ A written and adequate data security policy is in effect covering all major operating systems, databases, and applications; ▪ Existing controls comp… (Exam Tier II Obj D.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • All remote access points should be identified and controlled by periodically reviewing the network diagram and hardware inventory. (Pg 23, FFIEC IT Examination Handbook - Operations, July 2004)
  • Electronic Funds Transfer (EFT)/Point of Sale (POS) network controls. (App A Tier 1 Objectives and Procedures Objective 2:2 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Obtain and review the topology of the financial institution's network, and determine the components involved in the RDC process. Identify the network interfaces with customers using RDC and the technology controls in place. (App A Tier 2 Objectives and Procedures N.1 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The implemented logical access controls should also protect network access. (Pg 33, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Careful analysis is needed to identify all of the systems entry points and paths to sensitive files. FISCAM calls for the creation of an access path diagram identifying: the users of the system; the type of device from which they can access the system; the software used in the system; the resources … (AC-3.2(B), Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Different types of computer processing present different levels of risk which must be taken into account. Peripheral access devices or system interfaces can take existing risk levels and increase them. Distributed networks also increase risk levels. Finally, application software developed in-house p… (§ 260.17(e), GAO/PCIE Financial Audit Manual (FAM))
  • The service provider must define which internal communications traffic is to be routed through authenticated proxy servers and which external networks the traffic may be destined for. (Column F: SC-7(8), FedRAMP Baseline Security Controls)
  • The joint authorization board must approve and accept the list of external networks and internal communications traffic. (Column F: SC-7(8), FedRAMP Baseline Security Controls)
  • The system must monitor and control all communications at key internal boundaries and at all external boundaries. (§ 5.6.15, Exhibit 4 SC-7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Has management identified and reviewed the network infrastructure access points and their associated risks and vulnerabilities? (IT - Networks Q 16, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are the servers maintained by internal personnel? (IT - Servers Q 2, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Network integrity is protected, incorporating network segregation where appropriate (PR.AC-5, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Communications and control networks are protected (PR.PT-4, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Network integrity is protected, incorporating network segregation where appropriate. (PR.AC-5, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Communications and control networks are protected. (PR.PT-4, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Organizational records and documents should be examined to ensure communications are monitored and controlled at external and key internal boundaries of the system; the information boundaries are protected with appropriate tools and techniques; publicly accessible information is located on a physica… (SC-7, SC-7(1), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Physically identify modems in use to the control room operators. (§ 6.2.1.4 ICS-specific Recommendations and Guidance Bullet 3, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Communications and control networks are protected. (PR.PT-P3, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The smart grid Information System must use managed interfaces that consist of boundary protection devices to connect to external networks or Information Systems. (SG.SC-7 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should limit the number of system access points. (SG.SC-7 Additional Considerations A4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must authorize the connection of mobile devices to the Information System. (App F § AC-19.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System must monitor and control communications at key internal boundaries and the external boundary of the system. (App F § SC-7.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should limit the number of access points to allow the organization to more comprehensively monitor inbound and outbound communications and network traffic. (App F § SC-7(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should prevent the discovery of specific system devices or components that compose the managed interfaces. (App F § SC-7(16), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Administer accounts, network rights, and access to systems and equipment. (T0494, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Implement and enforce local network usage policies and procedures. (T0461, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The information system prevents discovery of specific system components composing a managed interface. (SC-7(16), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system prevents discovery of specific system components composing a managed interface. (SC-7(16) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Prevent the discovery of specific system components that represent a managed interface. (SC-7(16) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ mechanisms to support the management of accounts. (Table 2: Access Control Enhanced Security Measures Cell 5, Pipeline Security Guidelines)