Establish, implement, and maintain a network management program.


CONTROL ID: 13123
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Operational management, CC ID: 00805

This Control has the following implementation support Control(s):
  • Document the network design in the network management program., CC ID: 13135
  • Disseminate and communicate the network standard to all interested personnel and affected parties., CC ID: 13129


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Overall responsibility for network management should be clearly assigned to individuals who are equipped with the know-how, skills and resources to fulfill their duties. Network standards, design, diagrams and operating procedures should be formally documented, kept up-to-date, communicated to all r… (6.1.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Network operation standards and protocols should be documented and made available to the operators, and should be reviewed periodically to ensure compliance. (Critical components of information security 24) viii. ¶ 1 q., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. (CIS Control 12: Safeguard 12.1 Ensure Network Infrastructure is Up-to-Date, CIS Controls, V8)
  • Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS. (CIS Control 12: Safeguard 12.3 Securely Manage Network Infrastructure, CIS Controls, V8)
  • Networks and network devices should be secured, managed and controlled to protect information in systems and applications. (§ 8.20 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Management of network infrastructure (e.g., network and connectivity, remote access, and telecommunications management) and server and device management (e.g., servers, storage, and devices). (App A Objective 2:9c Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • With respect to operating centers, describe the entity's operating center type and key responsibilities and determine whether functions such as security and network management are addressed. Evaluate the appropriateness of the entity's processes and controls, such as the following: (App A Objective 14:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Database administration, systems analysis, client support, systems administration, and network administration. (App A Objective 2:9c Bullet 8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Conduct collection and processing of wireless computer and digital networks. (T0610, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct survey of computer and digital networks. (T0623, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Test and maintain network infrastructure including software and hardware devices. (T0232, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct collection and processing of wireless computer and digital networks. (T0610, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct survey of computer and digital networks. (T0623, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)