
Test network access controls for proper Configuration Management settings.


CONTROL ID
01281
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Configuration Management program., CC ID: 00867

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur. (Security Control: 1610; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Gateways undergo testing following configuration changes, and at regular intervals no more than six months apart, to validate they conform to expected security configurations. (Control: ISM-1037; Revision: 6, Australian Government Information Security Manual, June 2023)
  • Gateways undergo testing following configuration changes, and at regular intervals no more than six months apart, to validate they conform to expected security configurations. (Control: ISM-1037; Revision: 6, Australian Government Information Security Manual, September 2023)
  • Backup e-mail gateways or alternative e-mail gateways must be maintained at the same standard as the primary e-mail gateway. (Control: 0570, Australian Government Information Security Manual: Controls)
  • Are layer 2 switches employed in lieu of hubs? (Table Row XIII.16, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Get and examine documentation to verify that the firewall and router rule sets are reviewed at least every six months. (§ 1.1.6.b, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine the organizational policies and configuration standards to verify that the personal firewall software is configured so that mobile device users and/or employee-owned device users cannot change the configuration settings. (Testing Procedures § 1.4.a Bullet 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the organizational policies and configuration standards to verify that personal firewall software is required for all mobile devices and/or employee-owned devices that are used to connect to the Internet outside the network and used to access the network. (Testing Procedures § 1.4.a Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the organizational policies and configuration standards to verify that specific configuration settings have been defined for the personal firewall software. (Testing Procedures § 1.4.a Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the organizational policies and configuration standards to verify that the personal firewall software has been configured to actively run. (Testing Procedures § 1.4.a Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Inspect a sample of mobile devices and/or employee-owned devices to verify that personal firewall software is installed and configured in accordance with the organization's configuration settings. (Testing Procedures § 1.4.b Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the system configuration standards and verify they are consistent with industry-accepted system hardening standards. (Testing Procedures § 2.2.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Obtain and examine documentation to verify that the firewall and router rule sets are reviewed at least every six months. (§ 1.1.6.b Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviation… (Control 11.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should compare the configuration for the firewall, router, and switch against the standard secure configuration for each type of network device. (Critical Control 10.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Upon configuration of virtual networks, consistency of configurations between virtual and physical networks should be verified based on the cloud service provider's network security policy. (Annex A: § CLD.13.1.4 ¶ 2, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Implementing a governance process to establish, monitor, maintain, and test controls to mitigate interconnectivity risk. (App A Objective 12:8 h., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Does the firewall run on a hardware appliance? (IT - Firewalls Q 9, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the firewall run under a general-purpose Operating System, e.g., Solaris or Windows NT? (IT - Firewalls Q 10, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the firewall limit access to specific ports and services? (IT - Firewalls Q 23, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Do the configuration policies and procedures include configuring components based on the security required for the installed applications? (IT - Networks Q 24, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Do the configuration policies and procedures include implementing the necessary logical access controls? (IT - Networks Q 26, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • If possible, the organization should use centralized security management to ensure all handheld devices are in compliance with the organization's mobile device security policy. This system should periodically ensure through communications with handheld devices that they are in compliance with polici… (§ 4.1.9, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
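Several of the authority documents above (CIS Control 11.1, Critical Control 10.1, ISM-1037, PCI DSS 1.1.6.b) reduce to the same test: pull the running rule set off a gateway, compare it with the approved baseline, and confirm it still meets the organisation's own policy (explicit final deny, no any-to-any permits, only services that change control has approved). The following script is an added example of how an assessor can automate that test; it is not part of this control or of any cited standard. The five-field rule format, the two rule sets and the approved-service inventory are all constructed for the example, and a real engagement would feed it the normalised output of the device's own configuration export.

```python
"""Compare a running network-device rule set against an approved baseline
and check it against baseline-independent policy rules.

Added example for the configuration-testing control; the rule format
(ACTION PROTO SRC DST PORT), both rule sets and the service inventory are
constructed, not taken from any real device or standard.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "ip"
    src: str      # source CIDR, normalised ("any" -> 0.0.0.0/0)
    dst: str      # destination CIDR, normalised
    port: str     # destination port or "any"


def _cidr(token: str) -> str:
    """Normalise a host or CIDR token so 10.0.1.10 and 10.0.1.10/32 compare equal."""
    return "0.0.0.0/0" if token == "any" else str(ip_network(token, strict=False))


def parse_rules(text: str) -> list:
    """Parse one rule per line; blank lines and '#' comments are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        action, proto, src, dst, port = parts
        rules.append(Rule(action, proto.lower(), _cidr(src), _cidr(dst), port))
    return rules


def drift(baseline: list, running: list):
    """Return (added, removed): rules in one set but not the other, order-insensitive."""
    b, r = set(baseline), set(running)
    return sorted(r - b, key=str), sorted(b - r, key=str)


FINAL_DENY = Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", "any")


def policy_findings(rules: list, allowed_services: set) -> list:
    """Checks every rule set must pass regardless of what the baseline says."""
    findings = []
    if not rules or rules[-1] != FINAL_DENY:
        findings.append("NO_FINAL_DENY: rule set does not end with 'deny ip any any any'")
    for rule in rules:
        if rule.action != "permit":
            continue
        if rule.src == "0.0.0.0/0" and rule.dst == "0.0.0.0/0":
            findings.append(f"ANY_ANY_PERMIT: {rule}")
        elif (rule.dst, rule.port) not in allowed_services:
            findings.append(f"UNAPPROVED_SERVICE: {rule.dst} port {rule.port} not in inventory")
    return findings


def assess(baseline_text: str, running_text: str, allowed_services: set) -> dict:
    """Full test: drift against baseline plus policy checks on the running set."""
    baseline, running = parse_rules(baseline_text), parse_rules(running_text)
    added, removed = drift(baseline, running)
    findings = policy_findings(running, allowed_services)
    return {"added": added, "removed": removed, "findings": findings,
            "compliant": not added and not removed and not findings}


# Constructed approved baseline (the "standard secure configuration").
BASELINE = """
# ingress ACL for the DMZ gateway, approved by change control
permit tcp any         10.0.1.10 443   # public web
permit tcp 10.0.9.0/24 10.0.1.10 22    # admin jump hosts to web
deny   ip  any         any       any
"""

# Constructed running configuration exported from the device after a change window.
RUNNING = """
permit tcp any         10.0.1.10/32 443
permit tcp 10.0.9.0/24 10.0.1.10    22
permit tcp any         any          3389   # added for "troubleshooting", never removed
permit tcp any         10.0.1.20    22     # host not in the approved service inventory
deny   ip  any         any          any
"""

# Constructed inventory of (destination, port) pairs approved by change control.
ALLOWED_SERVICES = {("10.0.1.10/32", "443"), ("10.0.1.10/32", "22")}

if __name__ == "__main__":
    result = assess(BASELINE, RUNNING, ALLOWED_SERVICES)
    for rule in result["added"]:
        print("DRIFT + ", rule)
    for rule in result["removed"]:
        print("DRIFT - ", rule)
    for finding in result["findings"]:
        print("POLICY  ", finding)
    print("COMPLIANT" if result["compliant"] else "NON-COMPLIANT")
```

Run against the constructed data the script reports two drifted rules and two policy findings (the any-to-any RDP permit and the unapproved SSH target) and marks the gateway non-compliant; run against its own baseline it passes. The two checks are deliberately separate: drift alone misses a bad rule that has been copied into the baseline, and policy checks alone miss an approved rule that has silently disappeared, which is why the CIS wording asks for both a documented baseline and a comparison against it.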