Establish, implement, and maintain a network management program.


CONTROL ID: 13123
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Operational management, CC ID: 00805

This Control has the following implementation support Control(s):
  • Include quality of service requirements in the network management program., CC ID: 16429
  • Document the network design in the network management program., CC ID: 13135
  • Establish, implement, and maintain network documentation., CC ID: 16497
  • Disseminate and communicate the network standard to all interested personnel and affected parties., CC ID: 13129


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Overall responsibility for network management should be clearly assigned to individuals who are equipped with the know-how, skills and resources to fulfill their duties. Network standards, design, diagrams and operating procedures should be formally documented, kept up-to-date, communicated to all r… (6.1.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • It is necessary to perform proper, efficient, and safe operation of networks by formulating procedures for management and usage approval of networks, and to inform all persons concerned of the procedures. (C8.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In the case of connecting through open networks, such as connections by use of the Internet or remote access through public lines, where it is highly possible for a number of unspecified persons to invade the company systems, it is necessary to establish operational management methods for connection… (P34.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Network operation standards and protocols should be documented and made available to the operators, and should be reviewed periodically to ensure compliance. (Critical components of information security 24) viii. ¶ 1 q., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • following a risk-based approach, establish a sound network and infrastructure management structure using appropriate techniques, methods and protocols that may include implementing automated mechanisms to isolate affected information assets in the event of cyber-attacks; (Art. 9.4. ¶ 1(b), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Primarily, business-critical information and core processes should be determined and the corresponding applications, IT systems, networks and rooms should be identified. Here, the essential supporting processes and the mainly affected objects should be determined on the basis of the core processes o… (§ 3.2.1 Subsection 4 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Virtual IT systems and networks should be treated like physical structures, but should be reasonably identified. (§ 3.2.4 Subsection 1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • If, contrary to the order presented here, the IT systems have been acquired first, often it will be helpful to collect the applications mainly on the basis of the IT systems. Due to their widespread impact, the servers should be the first items on which information is collected. In order to achieve … (§ 8.1.3 ¶ 7, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Procedures for the management and control of networks are defined. (5.2.7 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • Policies and procedures in accordance with the classification requirements for the use of network services are defined and implemented. (5.1.2 Requirements (must) Bullet 2, Information Security Assessment, Version 5.1)
  • You manage your organisation's network and information systems that support the operation of essential functions to enable and maintain security. (B4.c ¶ 1, NCSC CAF guidance, 3.1)
  • Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. (CIS Control 12: Safeguard 12.1 Ensure Network Infrastructure is Up-to-Date, CIS Controls, V8)
  • Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS. (CIS Control 12: Safeguard 12.3 Securely Manage Network Infrastructure, CIS Controls, V8)
  • Networks and network devices should be secured, managed and controlled to protect information in systems and applications. (§ 8.20 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Management of network infrastructure (e.g., network and connectivity, remote access, and telecommunications management) and server and device management (e.g., servers, storage, and devices). (App A Objective 2:9c Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • With respect to operating centers, describe the entity's operating center type and key responsibilities and determine whether functions such as security and network management are addressed. Evaluate the appropriateness of the entity's processes and controls, such as the following: (App A Objective 14:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Database administration, systems analysis, client support, systems administration, and network administration. (App A Objective 2:9c Bullet 8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Conduct collection and processing of wireless computer and digital networks. (T0610, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct survey of computer and digital networks. (T0623, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Test and maintain network infrastructure including software and hardware devices. (T0232, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct collection and processing of wireless computer and digital networks. (T0610, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct survey of computer and digital networks. (T0623, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)