Special considerations for network-based access control

16 Oct 2006 | Auerbach Publications


Information Security: Design, Implementation, Measurement, and Compliance

Timothy P. Layton

222 pages; $89.95 

Auerbach Publications

In this excerpt from Chapter 13: Access Control of Information Security: Design, Implementation, Measurement, and Compliance, author Timothy P. Layton examines how network services should be managed to prevent unauthorized access and provides the questions that should be considered when establishing network-based access controls.

NETWORK ACCESS CONTROL
Network services provide critical and trusted services for the organization. Special care should be taken to prevent unauthorized access to networked services.

POLICY ON USE OF NETWORK SERVICES
Scope: Management should develop and publish a written policy informing users that they may use only the network services they have been specifically granted.
Key Risk Indicator: No
Control Class: (O) Operations, (T) Technical
Key Questions:

  • Has management developed and published a written policy on the use of network services? If so, what is the scope of the policy?
  • What type of authorization is required to access the network or network services?
  • If a new network connection is established at the organization's facilities, what process is required to activate the network connection?

Additional Information: Network connections, particularly Internet and wireless connections, can introduce significant and unidentified risks into the environment. Management should develop a clear policy on the use and creation of networks and routinely monitor the environment to ensure that no new networks have been implemented without management approval.

USER AUTHENTICATION FOR EXTERNAL CONNECTIONS
Scope: A secure form of authentication should be used to control external network connections to the information processing facility.
Key Risk Indicator: No
Control Class: (O) Operations, (T) Technical
Key Questions:

  • How does your organization control access and authentication of remote network connections to the information processing facilities?
  • Does your organization allow VPN, dial-up, or broadband access to the information processing environment?

EQUIPMENT IDENTIFICATION IN NETWORKS
Scope: Where appropriate, equipment identification can be a secure means to authenticate network communications originating from a specific controlled environment and a specific piece of equipment.
Key Risk Indicator: No
Control Class: (T) Technical
Key Questions:

  • Does your organization authenticate any remote network devices based on location or equipment? If so, how is this accomplished, and were all other methods determined to be inappropriate?
  • If remote authentication is allowed based on location, is the remote location properly secured physically and logically?

REMOTE DIAGNOSTIC AND CONFIGURATION PORT PROTECTION
Scope: Diagnostic and remote ports on networking and telecommunications equipment should be closely controlled and protected from unauthorized access.
Key Risk Indicator: No
Control Class: (O) Operations, (T) Technical
Key Questions:

  • Does your organization allow the use of remote diagnostic ports? If so, are external vendors or third parties allowed to access the system via the remote ports?
  • Does your organization use modems for remote port connection? If so, please describe the process for modem use.
  • For equipment with diagnostic or remote port management installed by default, how does your organization manage this risk?

SEGREGATION IN NETWORKS
Scope: Services on the network should be segregated into logical networks where possible to increase the depth of controls.
Key Risk Indicator: Yes
Control Class: (O) Operations, (T) Technical
Key Questions:

  • How does your organization segregate Internet services from the internal network?
  • Does your organization allow wireless networking? If so, is wireless network traffic segregated in any way? If so, describe how.
  • Does your organization require segregation in network services? If so, under what circumstances?
  • Has management published a written policy on segregation of network services and associated procedures or guidelines?

Additional Information: Network services are simply network-based services such as Internet services, internal networking, wireless networking, IP telephony, video broadcasting, etc.

NETWORK CONNECTION CONTROL
Scope: When networks extend beyond organizational boundaries, special care should be taken to implement safeguards and controls that limit user connectivity and access to the network.
Key Risk Indicator: No
Control Class: (O) Operations, (T) Technical
Key Questions:

  • Does your organization's network extend beyond your facilities and direct control? If so, is this section of the network required to comply with other network controls such as the access control policy?
  • Specifically, what type of technical and operational controls does your organization implement for networks extending beyond the direct control of the organization?
  • Has management published written guidelines or procedures for connecting or interconnecting with networks beyond the direct control of the organization?


Additional Information: Controlling network connections to third-party vendors or external business partners can be challenging from an information security perspective and is often overlooked because these may be considered trusted network connections.

NETWORK ROUTING CONTROL
Scope: Logical control of network routes can be critical to controlling the flow of data and information. Network routing control should be developed in conjunction with the access control policy of specific applications and services.
Key Risk Indicator: No
Control Class: (T) Technical
Key Questions:

  • Does your organization's network extend to external parties or vendors?
  • If so, how does management control the flow of traffic to and from the external source?
  • If network routing controls have been implemented, what type of logging is used, and how often are the routing controls reviewed to ensure that they are operating as designed?

Additional Information: Network routing control is a highly technical subject and, typically, only a very select few individuals in the IT department possess the knowledge to design and implement this type of control. This control is a prime candidate for validation by an external subject matter expert.

Copyright 2006 Timothy P. Layton. Used with permission of the publisher.
