DS 5.10 Network Security
Control Objective:
Ensure that security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, and intrusion detection) are used to authorize access and control information flows from and to networks.
Applicability:
- Sarbanes-Oxley
- HIPAA
- GLBA
- PCI
- FISMA
- NIST SP 800-66
- DITSCAP
- Control Exception
- User Defined
Risk Association Control Activities:
- 1. Risk: Ongoing operations, problem resolution, and future application maintenance may not be adequately supported and users may not receive appropriate application change training.
  - a. SOX.1.4 The organization has policies and procedures regarding program development, program change, access to programs and data, and computer operations, which are periodically reviewed, updated and approved by management.
- 2. Risk: System security may be undermined by inappropriate external system connections.
  - a. SOX.3.1.3 External system connections should be used for valid business purposes only and controls should be in place to prevent these connections from undermining system security.
- PCI-1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration.
- PCI-1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks.
- PCI-1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the Intranet.
- PCI-1.1.4 Description of groups, roles, and responsibilities for logical management of network components.
- PCI-1.1.5 Documented list of services/ports necessary for business.
- PCI-1.1.6 Justification and documentation for any available protocols besides HTTP and SSL, SSH, and VPN.
- PCI-1.1.7 Justification and documentation for any risky protocols allowed (FTP, etc.), which includes reason for use of protocol and security features implemented.
- PCI-1.1.8 Periodic review of firewall/router rule sets.
- PCI-1.1.9 Configuration standards for routers.
- PCI-1.2.1 Web protocols - HTTP (port 80) and Secure Sockets Layer (SSL) (typically port 443).
- PCI-1.2.2 System administration protocols (e.g., Secure Shell (SSH) or Virtual Private Network (VPN)).
- PCI-1.2.3 Other protocols required by the business (e.g., for ISO 8583).
- PCI-1.3.1 Restricting inbound Internet traffic to IP addresses within the DMZ (ingress filters).
- PCI-1.3.2 Restricting inbound and outbound Internet traffic to ports 80 and 443.
- PCI-1.3.3 Not allowing internal addresses to pass from the Internet into the DMZ (egress filters).
- PCI-1.3.4 Stateful inspection, also known as dynamic packet filtering (only "established" connections are allowed into the network).
- PCI-1.3.5 Placing the database in an internal network zone, segregated from the DMZ.
- PCI-1.3.6 Restricting outbound traffic to that which is necessary for the payment card environment.
- PCI-1.3.7 Securing and synchronizing router configuration files (e.g., running configuration files used for normal running of the routers, and start-up configuration files - used when machines are re-booted, should have the same, secure configuration).
- PCI-1.3.8 Denying all other inbound and outbound traffic not specifically allowed.
- PCI-1.3.9 Installation of perimeter firewalls between any wireless networks and the payment card environment, and configuration of these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment.
- PCI-1.3.10 Installation of personal firewall software on any mobile and/or employee owned computers with direct connectivity to the Internet (e.g., laptops used by employees), which are used to access the organization’s network.
- PCI-1.4.1 Implement a DMZ to filter and screen all traffic, to prohibit direct routes for inbound and outbound Internet traffic.
- PCI-1.4.2 Restrict outbound traffic from payment card applications to IP addresses within the DMZ.
- PCI-1.5 Implement Internet Protocol (IP) masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as Port Address Translation (PAT) or Network Address Translation (NAT).
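As an added example (not part of this wiki page or any PCI document), a small Python audit that checks an ordered perimeter firewall rule set against PCI-1.3.1, 1.3.2, 1.3.3, 1.3.5 and 1.3.8 above, treating established-session rules as the PCI-1.3.4 reply path. The zone addresses, the Rule model, the reading of 1.3.5 and both sample rule sets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
# Constructed zone layout (an assumption, not from the page): a perimeter firewall
# with an Internet-facing DMZ and an internal zone that hosts the database.
DMZ = ipaddress.ip_network("10.10.1.0/24")
DB_NET = ipaddress.ip_network("10.20.5.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = frozenset({80, 443})
ANY = "0.0.0.0/0"
@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src_zone: str                    # "internet", "dmz", "internal" or "any"
    src_net: str                     # source CIDR the rule matches
    dst_net: str                     # destination CIDR the rule matches
    ports: frozenset = frozenset()   # destination ports; empty means any port
    established_only: bool = False   # stateful match on already-open sessions (PCI-1.3.4)
def audit(rules):
    """Return PCI-1.3 findings for an ordered rule set (first match wins); empty list means clean."""
    findings = []
    if not rules or rules[-1].action != "deny" or (rules[-1].src_net, rules[-1].dst_net) != (ANY, ANY):
        findings.append("PCI-1.3.8: rule set does not end with an explicit deny-all")
    # PCI-1.3.3: each RFC 1918 block must be denied as an Internet source before the first Internet allow
    first_allow = next((i for i, r in enumerate(rules)
                        if r.action == "allow" and r.src_zone == "internet"), len(rules))
    for block in RFC1918:
        if not any(r.action == "deny" and r.src_zone == "internet"
                   and ipaddress.ip_network(r.src_net) == block for r in rules[:first_allow]):
            findings.append(f"PCI-1.3.3: no anti-spoofing deny for {block} ahead of Internet allow rules")
    for r in rules:
        if r.action != "allow" or r.established_only:   # reply traffic on open sessions is the 1.3.4 path
            continue
        dst = ipaddress.ip_network(r.dst_net)
        if r.src_zone == "internet":
            if not dst.subnet_of(DMZ):                    # PCI-1.3.1 ingress filter
                findings.append(f"PCI-1.3.1: Internet -> {r.dst_net} lands outside the DMZ")
            if not r.ports or not r.ports <= WEB_PORTS:   # PCI-1.3.2 port restriction
                findings.append(f"PCI-1.3.2: Internet -> {r.dst_net} allows ports {sorted(r.ports) or 'any'}")
        # PCI-1.3.5 (our reading): database zone only from trusted zones on listed ports, never from the Internet
        if dst.overlaps(DB_NET) and (r.src_zone == "internet" or not r.ports):
            findings.append(f"PCI-1.3.5: {r.src_zone} -> {r.dst_net} reaches the database zone")
    return findings
# Constructed samples: one rule set that passes every check and one that fails several.
COMPLIANT = [Rule("deny", "internet", str(b), ANY) for b in RFC1918] + [
    Rule("allow", "internet", ANY, "10.10.1.10/32", WEB_PORTS),
    Rule("allow", "dmz", "10.10.1.10/32", "10.20.5.10/32", frozenset({5432})),
    Rule("allow", "dmz", "10.10.1.0/24", "10.20.0.0/16", established_only=True),
    Rule("deny", "any", ANY, ANY)]
WEAK = [Rule("allow", "internet", ANY, "10.10.1.10/32", frozenset({21, 80, 443})),
        Rule("allow", "internet", ANY, "10.20.5.10/32", frozenset({3306}))]
```

Running `audit(WEAK)` reports the missing deny-all, the three missing anti-spoofing denies, the FTP port on the web rule, and the database host exposed straight from the Internet, while `audit(COMPLIANT)` returns no findings.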
Implementation Guide:
Process Narrative
Insert a description of the process narration that is applicable to the existing control statement this narrative refers to.
Process Illustration
Insert a process diagram, flowchart or other visual representation here to illustrate the process narrative.
Control Commentary
Insert a description of the control that is applicable to the existing control statement this commentary refers to.
Control Exception Commentary
Insert a description of the control exception that is applicable to the existing control statement this commentary refers to.
Evidence Archive Location
Insert Evidence Description Here.
Control Status and Auditors Commentary
Describe the condition of the applicable control and its effectiveness. Set the color icon to a redlock.jpg, yellowlock.jpg or greenlock.jpg.
File:Redlock.jpg
Remediation Plan
Insert remediation plan, applicability, or any information that indicates what needs to be done.
Supplemental Information:
--Mdpeters 08:31, 23 June 2006 (EDT)