Network-level security boundaries and controls cannot be ignored: they protect against intrusions and data exploitation, and they support the management of system performance. Organizations need to implement defense-in-depth controls.
While endpoint controls are critically important, neglecting network-level security boundaries and controls exposes organizations to a myriad of potential external threats that are simply not tolerable for sustaining secure business operations. Network controls are the focus of pitfall #57 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
Network security boundaries and controls should be managed and controlled to protect your organization from threats that may originate externally or internally. Your organization should maintain security controls for information systems and applications that use the network. This includes the protection of information that is in transit. Security features, service levels, and management requirements of network services should be identified. These requirements should be included in any network services agreement, whether these services are provided in-house or outsourced.
Procedures that include appropriate roles and responsibilities should be established for the management of equipment on the network, including equipment in user work areas. User functionality, including user interface services, should be separated from system management functionality.
Unauthorized information transfer via shared system resources should be prevented using appropriate controls. Network diagrams that show how information flows over the network should be maintained and updated at least annually. Network diagrams should document all connections to systems that store, process, or transmit information. This includes all approved wireless networks.
Firewalls should be implemented between any wireless networks and the organization’s internal network. Firewall configurations should be implemented to restrict connections between untrusted networks and any systems in the protected information environment to only what is necessary. Firewall rules should be audited, verified, and updated at least semi-annually.
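One way to put the firewall-rule audit described above into practice is a small script that reads a ruleset export and flags ACCEPT rules that are broader than "only what is necessary". The example below is added here and is not code from the book or the ASCENT portal; it assumes an iptables-save style export, that `wlan0` is the wireless (untrusted) interface and `eth0` the internal one, and uses a constructed five-rule sample rather than a real ruleset.

```python
"""Audit an iptables-save style ruleset for overly permissive ACCEPT rules.

Two checks implement the page's two requirements:
  1. Traffic forwarded from an untrusted (wireless) interface into the internal
     network must be restricted to a specific destination and service.
  2. No rule should accept traffic from any source without an interface or
     source restriction (a world-reachable service).
Added example, not the book's own tooling. Interface names are assumptions.
"""
from dataclasses import dataclass

# Constructed sample ruleset (hypothetical, not taken from any real firewall).
SAMPLE_RULES = """\
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -d 10.10.5.20/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j DROP
"""

# Assumption: wlan0 carries the wireless segment, which is treated as untrusted.
UNTRUSTED_IFACES = {"wlan0"}

# Map of iptables flags to Rule attributes; unknown tokens (e.g. "-m tcp") are skipped.
FLAGS = {
    "-A": "chain", "-i": "in_if", "-o": "out_if", "-s": "src",
    "-d": "dst", "-p": "proto", "--dport": "dport", "-j": "target",
}


@dataclass
class Rule:
    chain: str = ""
    in_if: str = ""
    out_if: str = ""
    src: str = "0.0.0.0/0"   # iptables default when -s is absent: any source
    dst: str = "0.0.0.0/0"   # iptables default when -d is absent: any destination
    proto: str = "all"
    dport: str = "any"
    target: str = ""
    raw: str = ""


def parse_rule(line: str) -> Rule:
    """Parse one '-A CHAIN ... -j TARGET' line into a Rule."""
    tokens = line.split()
    rule = Rule(raw=line)
    i = 0
    while i < len(tokens):
        if tokens[i] in FLAGS and i + 1 < len(tokens):
            setattr(rule, FLAGS[tokens[i]], tokens[i + 1])
            i += 2
        else:
            i += 1  # skip match modules and other tokens we do not model
    return rule


def is_any(cidr: str) -> bool:
    return cidr in ("0.0.0.0/0", "::/0")


def audit_ruleset(text: str) -> list:
    """Return (finding_type, raw_rule) pairs for every permissive ACCEPT rule."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_rule(line)
        if r.target != "ACCEPT":
            continue
        # Check 1: wireless -> internal forwarding must name a host and a service.
        if r.chain == "FORWARD" and r.in_if in UNTRUSTED_IFACES:
            if is_any(r.dst) or r.dport == "any":
                findings.append(("untrusted-to-internal-unrestricted", r.raw))
            continue
        # Check 2: accepting from any source with no interface restriction.
        if is_any(r.src) and not r.in_if:
            findings.append(("any-source-accept", r.raw))
    return findings


if __name__ == "__main__":
    for kind, raw in audit_ruleset(SAMPLE_RULES):
        print(f"{kind}: {raw}")
```

Against the constructed sample the script flags the blanket `wlan0 -> eth0` ACCEPT and the RDP rule that accepts from any source; the narrow HTTPS rule to a single internal host and the SSH rule limited to `10.0.0.0/8` pass. Running this against a periodic export and diffing the findings list is one practical way to meet the semi-annual audit requirement.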
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASCENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.