ISO 27001 Annex : A.13 Communications Security

This article explains A.13.1 Network Security Management, A.13.1.1 Network Controls, A.13.1.2 Security of Network Services, A.13.1.3 Segregation in Networks.

A.13.1 Network Security Management

Its goal is to provide support for information processing and secure handling of data in various network environments.

A.13.1.1 Network Controls

Control

Networks should be monitored and managed to ensure the security of information in systems.

Implementation Guidance

The network information security and the security of connected networks should be monitored and protected. Among the things that will be considered are:

1. Establish responsibilities and processes for the management of network equipment;
2. Network operation and computer operation responsibilities can, where necessary, be separated;
3. Controls should be in place to ensure the confidentiality and integrity of data transmissions through public and wireless networks, as well as protected networks and applications; in addition, specific controls may need to be implemented to ensure network service availability and connectivity;
4. Record and monitor actions that may affect information security so that actions related to it can be observed and analyzed;
5. There must be close coordination of all management activities in order to ensure effective management of all information processing infrastructures and to improve the service provided to the company;
6. Authenticating network systems;
7. Network connections should be restricted to specific devices.

Other Information

ISO / IEC 27033 contains additional information about network security.

A.13.1.2 Security of Network Services

Control

Quality of service, security protocols, and management criteria should be designed into all network service agreements, whether they are provided in-house or as outsourced services.

Implementation Guidance

It is important to assess and monitor the network service provider’s ability to deliver the agreed services, and to establish audit rights to ensure they do so.

Specific security structures, such as security features, rates, and management rules, should be defined for each facility. This will ensure that network service providers enforce these steps.

Other Information

Network services provide connection provisions, private network connectivity, and services for managing security in networks, including firewalls and intrusion detection systems. A broad range of products and services are available, ranging from basic unmanaged bandwidth to complex value-added solutions.

The following features should be included in network infrastructure security:

1. Network services security technology including authentication, encryption and security of connections with networks;
2. All security criteria and guidelines for the management of network connections must be met to ensure secure network service reference;
3. Systematic procedures used by network services for limiting access to network resources.

A.13.1.3 Segregation in Networks

Control

Network segregation must be established between the users, the services, and the information systems.

Implementation Guidance

Managing large networks in sequence requires that they be divided into distinct network areas. Depending on confidence, domains can be selected (including public access domains, desktop domains, and servers domains) as well as organizational units (for example, human resources, finance, and marketing). Different physical networks can be used for segregation, as well as different logical networks (e.g. virtual private networks).

Any domain can be described by its perimeter. It is permitted to establish connections between domains, but the gateways (firewalls, filter routers) on the perimeter must be managed. An evaluation of the security requirements for each domain should determine requirements for domain segregation and gateway access. In addition to understanding of the relative costs and performance impacts of incorporating suitable gateway technology, the evaluation should be tailored to conform to the access control policy, access requirements, information processing value, and classification.

Wireless networks need to be handled differently due to the poorly defined network perimeter. If the environment is sensitive, all wireless connections should be considered external, separate from internal networks, until a gateway is in place according to the policy for network control before internal systems can be accessed.

The use of modern, standard wireless authentication, encryption, and user-level access control technologies for direct access to companies’ internal networks are ideal if they are properly implemented.

Other Information

Networks often extend beyond company borders due to corporate partnerships that connect or distribute information processing and networking resources. The risk of unauthorized access increases with such extensions, some of which are sensitive or critical to other network users and therefore require protection.

Related Questions

1. Can you describe ISO 27001 Annex : A.13 Communications Security in a few sentences?
2. What does communication channel security mean?
3. Which form of communication is most secure?
4. Which protocol signifies a secure communication method?
5. What are the controls in ISO 27001 Annex : A.13 Communications Security?