8. Communications security

8.1 Network security management

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

8.1.1 Network controls

Networks should be managed and controlled to protect information in systems and applications.

a) establish responsibilities and procedures for the management of networking equipment;
b) separate operational responsibility for networks from computer operations where appropriate;
c) establish special controls to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications; special controls may also be required to maintain the availability of the network services and computers connected;
d) apply appropriate logging and monitoring to enable recording and detection of actions that may affect, or are relevant to, information security;
e) closely coordinate management activities both to optimize the service to the organization and to ensure that controls are consistently applied across the information processing infrastructure;
f) authenticate systems on the network and restrict systems connection to the network.

Additional guidance can be found in ISO/IEC 27033. See also CIS Control 12 Network Infrastructure Management.

8.1.2 Security of network services

Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.

a) technology applied for security of network services, such as authentication, encryption and network connection controls;
b) technical parameters required for secured connection with the network services in accordance with the security and network connection rules;
c) procedures for the network service usage to restrict access to network services or applications, where necessary.

Network services include:
– the provision of connections,
– private network services and value added networks,
– managed network security solutions such as firewalls and intrusion detection systems.
These services can range from simple unmanaged bandwidth to complex value-added offerings.

8.1.3 Segregation in networks

Groups of information services, users and information systems should be segregated on networks.

a) access between network domains is allowed, but control it at the perimeter using a gateway (e.g. firewall, filtering router).
b) base the criteria for segregation of networks into domains, and the access allowed through the gateways, on an assessment of the security requirements of each domain.
c) align the assessment with the access control policy, access requirements, value and classification of information processed and also take account of the relative cost and performance impact of incorporating suitable gateway technology.

8.2 Information transfer

Objective: To maintain the security of information transferred within an organization and with any external entity.

8.2.1 Information transfer policies and procedures

Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities.

a) procedures designed to protect transferred information from interception, copying, modification, mis-routing and destruction;
b) procedures for the detection of and protection against malware that may be transmitted through the use of electronic communications;
c) procedures for protecting communicated sensitive electronic information that is in the form of an attachment;
d) policy or guidelines outlining acceptable use of communication facilities;
e) personnel, external party and any other user’s responsibilities not to compromise the organization, e.g. through defamation, harassment, impersonation, forwarding of chain letters, unauthorized purchasing, etc.;
f) use of cryptographic techniques, e.g. to protect the confidentiality, integrity and authenticity of information;
g) retention and disposal guidelines for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations;
h) controls and restrictions associated with using communication facilities, e.g. automatic forwarding of electronic mail to external mail addresses; advise the personnel in general about the problems of “reply all” or “forward” functionalities in communication;
i) advising personnel to take appropriate precautions not to reveal confidential information;
j) not leaving messages containing confidential information on voicemail or video since these may be replayed by unauthorized persons, stored on communal systems or stored incorrectly as a result of misdialling.

Information transfer occurs through the use of a number of different types of communication facilities, including email, voice recordings/voice mail, chat, and video/video conference, as well as face-to-face/verbal.
Software transfer may occur through a number of different mediums, including downloading from the Internet and acquisition from vendors’ off-the-shelf products.
Consider the business, legal and security implications associated with the information transfer and electronic communications and the requirements for security controls.
See also CIS Control 9 Email and Web Browser Protection.

8.2.2 Agreements on information transfer

Agreements should address the secure transfer of business information between the organization and external parties.

a) management responsibilities for controlling and notifying transmission, dispatch and receipt;
b) procedures to ensure traceability and non-repudiation;
c) minimum technical standards for packaging and transmission;
d) escrow agreements;
e) courier identification standards;
f) responsibilities and liabilities in the event of information security incidents, such as loss of data;
g) use of an agreed labelling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected;
h) technical standards for recording and reading information and software;
i) any special controls that are required to protect sensitive items, such as cryptography;
j) maintaining a chain of custody for information while in transit;
k) acceptable levels of access control.

8.2.3 Electronic messaging

Information involved in electronic messaging should be appropriately protected.

a) protecting messages from unauthorized access, modification or denial of service commensurate with the classification scheme adopted by the organization;
b) ensuring correct addressing and transportation of the message;
c) reliability and availability of the service;
d) legal considerations, for example requirements for electronic signatures;
e) obtaining approval prior to using external public services such as instant messaging, social networking or file sharing;
f) stronger levels of authentication controlling access from publicly accessible networks.

8.2.4 Confidentiality or non-disclosure agreements

Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented.

b) expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
c) required actions when an agreement is terminated;
d) responsibilities and actions of signatories to avoid unauthorized information disclosure;
e) ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
f) the permitted use of confidential information and rights of the signatory to use information;
g) the right to audit and monitor activities that involve confidential information;
h) process for notification and reporting of unauthorized disclosure or confidential information leakage;
i) terms for information to be returned or destroyed at agreement cessation;
j) expected actions to be taken in case of a breach of the agreement.

Confidentiality and non-disclosure agreements protect organizational information and inform signatories of their responsibility to protect, use and disclose information in a responsible and authorized manner.
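Returning to the segregation guidance in 8.1.3: as an added example that is not part of ISO/IEC 27002 or this page, the Python script below checks a set of gateway rules against a domain assessment and applies deny-by-default between domains. The domain names, sensitivity levels, rule criteria and sample rules are constructed assumptions, not values from the standard.

```python
from dataclasses import dataclass

# Assessed sensitivity of the information each domain processes (higher = more
# sensitive). Domains and levels are a constructed sample assessment.
DOMAIN_LEVEL = {"internet": 0, "guest-wifi": 0, "dmz": 1, "office": 1, "app": 2, "database": 3}

@dataclass(frozen=True)
class GatewayRule:
    src: str                  # source network domain
    dst: str                  # destination network domain
    service: str              # protocol/port the gateway permits, or "any"
    justification: str = ""   # documented access requirement behind the rule

def rule_findings(rules):
    """Check gateway rules against assumed criteria: a rule opening a more sensitive
    domain needs a specific service and a justification, and an untrusted (level 0)
    domain may only reach the level-1 perimeter tier, never an inner tier."""
    findings = []
    for r in rules:
        if r.src not in DOMAIN_LEVEL or r.dst not in DOMAIN_LEVEL:
            findings.append(f"{r.src}->{r.dst}: domain not covered by the assessment")
            continue
        src_lvl, dst_lvl = DOMAIN_LEVEL[r.src], DOMAIN_LEVEL[r.dst]
        if dst_lvl <= src_lvl:
            continue  # same or less sensitive target: no additional criteria apply
        if r.service == "any":
            findings.append(f"{r.src}->{r.dst}: 'any' service into a more sensitive domain")
        if not r.justification.strip():
            findings.append(f"{r.src}->{r.dst}: no documented access requirement")
        if src_lvl == 0 and dst_lvl > 1:
            findings.append(f"{r.src}->{r.dst}: untrusted domain reaches an inner tier directly")
    return findings

def is_permitted(rules, src, dst, service):
    """Deny by default: a cross-domain flow passes only when an explicit rule matches it."""
    if src == dst:
        return True  # traffic inside one domain is not gated at the perimeter
    return any(r.src == src and r.dst == dst and r.service in ("any", service) for r in rules)

# Constructed sample rule set; the last two entries are deliberately weak.
SAMPLE_RULES = [
    GatewayRule("internet", "dmz", "tcp/443", "public web front end"),
    GatewayRule("dmz", "app", "tcp/8443", "front end calls the application API"),
    GatewayRule("app", "database", "tcp/5432", "application data store"),
    GatewayRule("office", "app", "any"),                                   # any service, no justification
    GatewayRule("guest-wifi", "database", "tcp/5432", "legacy reporting"),  # skips the perimeter tier
]

if __name__ == "__main__":
    print(*rule_findings(SAMPLE_RULES), sep="\n")
```

Running it lists three findings for the sample rules; a flow such as internet to database has no matching rule and is therefore refused by is_permitted.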