8. Communications security
8.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.
8.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.
8.1.1 Network controls
Networks should be managed and controlled to protect information in systems and applications.
- Implement controls to ensure the security of information in networks and the protection of connected services from unauthorized access. Consider the following:
a) establish responsibilities and procedures for the management of networking equipment;
b) separate operational responsibility for networks from computer operations where appropriate;
c) establish special controls to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications; special controls may also be required to maintain the availability of the network services and computers connected;
d) apply appropriate logging and monitoring to enable recording and detection of actions that may affect, or are relevant to, information security;
e) closely coordinate management activities both to optimize the service to the organization and to ensure that controls are consistently applied across the information processing infrastructure;
f) authenticate systems on the network and restrict the connection of systems to the network.
Additional guidance can be found in ISO/IEC 27033. See also CIS Control 12 Network Infrastructure Management.
8.1.2 Security of network services
Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.
- Determine and regularly monitor the ability of the network service provider to manage agreed services in a secure way, and agree the right to audit.
- Identify the security arrangements necessary for particular services, such as security features, service levels and management requirements.
- Ensure that network service providers implement these measures.
- Consider the following security features:
a) technology applied for security of network services, such as authentication, encryption and network connection controls;
b) technical parameters required for secured connection with the network services in accordance with the security and network connection rules;
c) procedures for the network service usage to restrict access to network services or applications, where necessary.
Network services include:
– the provision of connections,
– private network services and value added networks,
– managed network security solutions such as firewalls and intrusion detection systems.
These services can range from simple unmanaged bandwidth to complex value-added offerings.
8.1.3 Segregation in networks
Groups of information services, users and information systems should be segregated on networks.
- Select an appropriate method of managing the security of large networks, e.g. to divide them into separate network domains. The domains can be chosen based on trust levels (e.g. public access domain, desktop domain, server domain), along organizational units (e.g. human resources, finance, marketing) or some combination (e.g. server domain connecting to multiple organizational units). The segregation can be done using either physically different networks or by using different logical networks (e.g. virtual private networking).
- Define the perimeter of each domain.
a) allow access between network domains, but control it at the perimeter using a gateway (e.g. firewall, filtering router).
b) base the criteria for segregation of networks into domains, and the access allowed through the gateways, on an assessment of the security requirements of each domain.
c) align the assessment with the access control policy, access requirements, value and classification of information processed, and also take account of the relative cost and performance impact of incorporating suitable gateway technology.
- For sensitive environments, consider treating all wireless access as external connections and segregating this access from internal networks until it has passed through a gateway in accordance with the network controls policy before granting access to internal systems.
- The authentication, encryption and user level network access control technologies of modern, standards based wireless networks are sufficient for direct connection to the internal network when properly implemented.
- When business partnerships are formed that require the interconnection or sharing of information processing and networking facilities, networks extend beyond organizational boundaries. Such extensions require protection from other network users because of their sensitivity or criticality, as the risk of unauthorized access to the organization’s information systems that use the network increases.
8.2.1 Information transfer policies and procedures
Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities.
- Consider the following for the procedures and controls to be followed when using communication facilities for information transfer:
a) procedures designed to protect transferred information from interception, copying, modification, mis-routing and destruction;
b) procedures for the detection of and protection against malware that may be transmitted through the use of electronic communications;
c) procedures for protecting communicated sensitive electronic information that is in the form of an attachment;
d) policy or guidelines outlining acceptable use of communication facilities;
e) personnel, external party and any other user’s responsibilities not to compromise the organization, e.g. through defamation, harassment, impersonation, forwarding of chain letters, unauthorized purchasing, etc.;
f) use of cryptographic techniques e.g. to protect the confidentiality, integrity and authenticity of information;
g) retention and disposal guidelines for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations;
h) controls and restrictions associated with using communication facilities, e.g. automatic forwarding of electronic mail to external mail addresses; advise the personnel in general about the problems of “reply all” or “forward” functionalities in communication;
i) advising personnel to take appropriate precautions not to reveal confidential information;
j) not leaving messages containing confidential information on voicemail or video since these may be replayed by unauthorized persons, stored on communal systems or stored incorrectly as a result of misdialling.
- Remind personnel not to have confidential conversations in public places, over insecure communication channels, or in open offices and meeting places.
Information transfer services should comply with any relevant legal requirements.
Information transfer occurs through the use of a number of different types of communication facilities, including email, voice recordings/voice mail, chat, and video/video conference, as well as face-to-face/verbal communication.
Software transfer may occur through a number of different mediums, including downloading from the Internet and acquisition from vendors’ off-the-shelf products.
Consider the business, legal and security implications associated with the information transfer and electronic communications, and the requirements for security controls.
8.2.2 Agreements on information transfer
Agreements should address the secure transfer of business information between the organization and external parties.
- Incorporate the following into the agreements on information transfer:
a) management responsibilities for controlling and notifying transmission, dispatch and receipt;
b) procedures to ensure traceability and non-repudiation;
c) minimum technical standards for packaging and transmission;
d) escrow agreements;
e) courier identification standards;
f) responsibilities and liabilities in the event of information security incidents, such as loss of data;
g) use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected;
h) technical standards for recording and reading information and software;
i) any special controls that are required to protect sensitive items, such as cryptography;
j) maintaining a chain of custody for information while in transit;
k) acceptable levels of access control.
- Establish and maintain policies, procedures and standards to protect information and physical media in transit.
- Reflect the sensitivity of the business information involved in the information security content of any agreement.
- For confidential information, ensure the consistency of the specific mechanisms used for the transfer across all organizations and types of agreements.
8.2.3 Electronic messaging
Information involved in electronic messaging should be appropriately protected.
- Include the following into security considerations for electronic messaging:
a) protecting messages from unauthorized access, modification or denial of service commensurate with the classification scheme adopted by the organization;
b) ensuring correct addressing and transportation of the message;
c) reliability and availability of the service;
d) legal considerations, for example requirements for electronic signatures;
e) obtaining approval prior to using external public services such as instant messaging, social networking or file sharing;
f) stronger levels of authentication controlling access from publicly accessible networks.
8.2.4 Confidentiality or non-disclosure agreements
Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented.
- Address in the confidentiality or non-disclosure agreements the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to external parties or employees of the organization.
- Select or add elements in consideration of the type of the other party and its permissible access or handling of confidential information. The following may help as a minimum to identify requirements for confidentiality or non-disclosure agreements:
a) a definition of the information to be protected (e.g. confidential information);
b) expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
c) required actions when an agreement is terminated;
d) responsibilities and actions of signatories to avoid unauthorized information disclosure;
e) ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
f) the permitted use of confidential information and rights of the signatory to use information;
g) the right to audit and monitor activities that involve confidential information;
h) process for notification and reporting of unauthorized disclosure or confidential information leakage;
i) terms for information to be returned or destroyed at agreement cessation;
j) expected actions to be taken in case of a breach of the agreement.
- Periodically review the requirements for confidentiality and non-disclosure agreements, and also when changes occur that influence these requirements.
- There may be a need for an organization to use different forms of confidentiality or non-disclosure agreements in different circumstances.
Confidentiality and non-disclosure agreements protect organizational information and inform signatories of their responsibility to protect, use and disclose information in a responsible and authorized manner.