Configure virtual networks in accordance with the information security policy.


CONTROL ID
13165
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The below covers full virtualization environments that are most commonly used in servers. A few major indicative measures are provided below. Additionally, detailed vendor recommended security measures may be followed. (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 1 ¶ 9, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks need to be aware that using VPNs to allow remote access to their systems can create holes in their security infrastructure. The encrypted traffic can hide unauthorized actions or malicious software that can be transmitted through such channels. Intrusion detection systems and virus scanners ab… (Critical components of information security 25) vi., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • All computers with wireless LAN devices must utilize a Virtual Private Network (VPN) that is configured to drop all unauthenticated and unencrypted traffic (Critical components of information security 28) xvi. Bullet 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should establish policies and standards to manage virtual images and snapshots. The standards should include details that govern the security, creation, distribution, storage, use, retirement and destruction of virtual images and snapshots so as to protect these assets against unauthorised ac… (§ 11.4.3, Technology Risk Management Guidelines, January 2021)
  • Virtualisation allows staff to have on-demand access to enterprise computing resources and data from their personal devices. Strict security policies should be enabled within the virtual environment to restrict copying and use of peripheral devices, such as printers and removable attached storage, t… (Annex B.1(b) ¶ 1, Technology Risk Management Guidelines, January 2021)
  • When accessing an organisation system via a VPN connection, split tunnelling is disabled. (Security Control: 0705; Revision: 3, Australian Government Information Security Manual, March 2021)
  • In the case of IaaS/PaaS, the secure separation is ensured by physically separated networks or by means of strongly encrypted VLANs. (Section 5.9 KOS-05 Description of additional requirements (confidentiality) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices. (CIS Control 12: Safeguard 12.7 Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure, CIS Controls, V8)
  • The cloud service provider should define and document an information security policy for the configuration of the virtual network consistent with the information security policy for the physical network. The cloud service provider should ensure that the virtual network configuration matches the info… (Annex A: § CLD.13.1.4 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Encrypt network traffic within the virtual environment. (§ 5.10.3.2 ¶ 2(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Drivers that serve critical functions shall be stored within the specific VM they service. In other words, do not store these drivers within the hypervisor, or host operating system, for sharing. Each VM is to be treated as an independent system – secured as independently as possible. (§ 5.10.3.2 ¶ 1(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Allocate publicly accessible information system components (e.g. public Web servers) to separate sub networks with separate, network interfaces. Publicly accessible information systems residing on a virtual host shall follow the guidance in Section 5.10.3.2 to achieve separation. (§ 5.10.1.1 ¶ 1(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Allocate publicly accessible information system components (e.g. public Web servers) to separate sub networks with separate, network interfaces. Publicly accessible information systems residing on a virtual host shall follow the guidance in Section 5.10.3.2 to achieve separation. (§ 5.10.1.1 ¶ 1 6., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
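Several of the authority documents above state the control as concrete configuration requirements rather than policy text: public components on their own subnet with their own interface (CJIS 5.10.1.1), split tunnelling disabled on VPN access (ISM 0705), VPNs that drop unauthenticated or unencrypted traffic, and encrypted traffic inside the virtual environment (CJIS 5.10.3.2). The following is an added example, not part of the control catalogue or of any cited document, showing how those requirements can be expressed as an automated check over a virtual-network inventory. The inventory schema (Vm, Nic, Subnet, Vpn records and the "public"/"internal" zone labels) is an assumption made for this example; in practice the records would be exported from the hypervisor or cloud API, and the sample inventory below is constructed to contain one violation of each kind.

```python
"""Policy-as-code check of a virtual network against the requirements
quoted in the control's authority documents. Added example; the data
model and the sample inventory are assumptions, not real infrastructure."""
from dataclasses import dataclass


@dataclass
class Nic:
    name: str
    subnet: str


@dataclass
class Vm:
    name: str
    public: bool      # hosts a publicly accessible component (e.g. a web server)
    nics: list


@dataclass
class Subnet:
    name: str
    zone: str         # assumed labels: "public" or "internal"
    encrypted: bool   # east-west traffic on this segment is encrypted


@dataclass
class Vpn:
    name: str
    split_tunnel: bool
    allow_unauthenticated: bool
    allow_unencrypted: bool


def check_public_segregation(vms, subnets):
    """CJIS 5.10.1.1: public components get a dedicated interface on a public
    subnet, and no internal system shares a public subnet. A public VM may
    keep further interfaces on internal subnets (that is the 'separate
    network interfaces' the guidance asks for), so those are not flagged."""
    findings = []
    zone = {s.name: s.zone for s in subnets}
    for vm in vms:
        has_public_nic = False
        for nic in vm.nics:
            if nic.subnet not in zone:
                findings.append(f"{vm.name}/{nic.name}: unknown subnet {nic.subnet}")
                continue
            if zone[nic.subnet] == "public":
                if vm.public:
                    has_public_nic = True
                else:
                    findings.append(f"{vm.name}/{nic.name}: internal VM attached to public subnet {nic.subnet}")
        if vm.public and not has_public_nic:
            findings.append(f"{vm.name}: public VM has no dedicated interface on a public subnet")
    return findings


def check_vpns(vpns):
    """ISM 0705 (no split tunnelling) and the RBI requirement that the VPN
    drop unauthenticated and unencrypted traffic."""
    findings = []
    for v in vpns:
        if v.split_tunnel:
            findings.append(f"{v.name}: split tunnelling enabled")
        if v.allow_unauthenticated:
            findings.append(f"{v.name}: accepts unauthenticated traffic")
        if v.allow_unencrypted:
            findings.append(f"{v.name}: accepts unencrypted traffic")
    return findings


def check_encryption(subnets):
    """CJIS 5.10.3.2: traffic within the virtual environment is encrypted."""
    return [f"{s.name}: intra-environment traffic not encrypted"
            for s in subnets if not s.encrypted]


def evaluate(vms, subnets, vpns):
    """Run every check; an empty list under every key means the inventory complies."""
    return {
        "public_segregation": check_public_segregation(vms, subnets),
        "vpn": check_vpns(vpns),
        "encryption": check_encryption(subnets),
    }


# Constructed sample inventory: one violation of each kind, plus compliant records.
SUBNETS = [
    Subnet("dmz-web", zone="public", encrypted=True),
    Subnet("app-tier", zone="internal", encrypted=True),
    Subnet("legacy-mgmt", zone="internal", encrypted=False),   # unencrypted segment
]
VMS = [
    Vm("web01", public=True, nics=[Nic("eth0", "dmz-web"), Nic("eth1", "app-tier")]),
    Vm("web02", public=True, nics=[Nic("eth0", "app-tier")]),   # public service, no public NIC
    Vm("db01", public=False, nics=[Nic("eth0", "app-tier")]),
    Vm("jump01", public=False, nics=[Nic("eth0", "dmz-web")]),  # internal host on the DMZ
]
VPNS = [
    Vpn("vpn-staff", split_tunnel=False, allow_unauthenticated=False, allow_unencrypted=False),
    Vpn("vpn-legacy", split_tunnel=True, allow_unauthenticated=False, allow_unencrypted=True),
]

if __name__ == "__main__":
    for check, findings in evaluate(VMS, SUBNETS, VPNS).items():
        print(check, "OK" if not findings else "FAIL")
        for f in findings:
            print("  -", f)
```

Run against the sample inventory, the checker reports web02 (no public interface), jump01 (internal host on the DMZ subnet), vpn-legacy (split tunnelling and unencrypted traffic allowed) and legacy-mgmt (unencrypted segment); the zone labels and the decision to tolerate extra internal interfaces on public VMs are the places a reader would adapt to their own policy.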