Network controls
ISO 27002 requires (in control A.13.1.1): "Networks should be managed and controlled to protect information in systems and applications".
I am interested in particular in items f) and g).
What is meant by "systems on the network should be authenticated" / "systems connection to the network should be restricted"?
What is meant by "systems"?
Can you please give me some examples for better understanding?
By "system" you should understand software or a set of software. For example, operating systems, Office 365, and SaaS applications are examples of systems.
When control A.13.1.1 (Network controls) requires a system to be authenticated, it means that the system must show proof that it is the system it claims to be (much like a human user must prove his identity when accessing a system or physical area), by means of presenting a password or one-time code provided by a token along with its identification. By adopting this control, you can ensure that only systems you know and have authorized can access your network. For example, when you access your organization’s network you need to provide your identification and authentication information, right? It is the same thing, only applied to systems (each system should have its own identification and authentication information).
When we talk about the restriction of system connection, we mean that a system should access only what is necessary for its activities. For example, a payment application should have access to the organization’s finance systems and customer databases, but most probably should not have access to HR systems or R&D applications.
These articles will provide you with further explanation about network controls:
- How to manage network security according to ISO 27001 A.13.1 https://advisera.com/27001academy/blog/2016/06/27/how-to-manage-network-security-according-to-iso-27001-a-13-1/
- Using Intrusion Detection Systems and Honeypots to comply with ISO 27001 A.13.1.1 network controls https://advisera.com/27001academy/blog/2016/07/04/using-intrusion-detection-systems-and-honeypots-to-comply-with-iso-27001-a-13-1-1-network-controls/
These materials will also help you regarding network controls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
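The following is an added illustration of the two items discussed in the answer above; it is not part of the original answer and not code from the referenced articles. It models item f) as a per-system identity plus a one-time code (RFC 4226 HOTP, the "one-time code provided by a token" the answer mentions) and item g) as a default-deny allowlist of destination networks and ports per system. The system names, secrets and networks are constructed for the example; the "payment-app" secret is the published RFC 4226 test secret so the codes can be checked against the RFC's test vectors.

```python
"""Model of ISO 27002 A.13.1.1 items f) and g): a system must authenticate
before it is admitted, and an authenticated system may only reach the
destinations it needs. Added example; all identities and networks are
constructed, not taken from the page."""
import hashlib
import hmac
import ipaddress
import struct

# Item f): each system has its own identity and its own secret (constructed).
# "payment-app" uses the RFC 4226 Appendix D test secret so hotp() can be
# checked against the published vectors (counter 0 -> 755224, 1 -> 287082).
SYSTEM_SECRETS = {
    "payment-app": b"12345678901234567890",
    "hr-portal": b"a-different-per-system-secret",
}

# Item g): per-system allowlist of (destination network, port). Anything not
# listed is denied, including for systems that authenticated successfully.
ALLOWED_CONNECTIONS = {
    # constructed: finance database and customer-database API, per the answer
    "payment-app": [("10.10.1.0/24", 5432), ("10.10.2.0/24", 443)],
    # constructed: HR systems live in a separate range the payment app never sees
    "hr-portal": [("10.20.0.0/16", 443)],
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def authenticate_system(system_id: str, presented_code: str, counter: int) -> bool:
    """Item f): an unknown identity or a wrong code both fail closed.
    compare_digest avoids leaking how many digits matched via timing."""
    secret = SYSTEM_SECRETS.get(system_id)
    if secret is None:
        return False
    return hmac.compare_digest(hotp(secret, counter), presented_code)


def connection_permitted(system_id: str, dest_ip: str, dest_port: int) -> bool:
    """Item g): allow only if (ip, port) matches an entry for this system."""
    addr = ipaddress.ip_address(dest_ip)
    for cidr, port in ALLOWED_CONNECTIONS.get(system_id, []):
        if port == dest_port and addr in ipaddress.ip_network(cidr):
            return True
    return False


def admit(system_id: str, presented_code: str, counter: int,
          dest_ip: str, dest_port: int):
    """Gate one connection attempt: authenticate first, then restrict.
    Returns (allowed, reason) so the decision can be logged."""
    if not authenticate_system(system_id, presented_code, counter):
        return False, "authentication failed"
    if not connection_permitted(system_id, dest_ip, dest_port):
        return False, "destination not in allowlist"
    return True, "permitted"


if __name__ == "__main__":
    code = hotp(SYSTEM_SECRETS["payment-app"], 0)
    print(admit("payment-app", code, 0, "10.10.1.15", 5432))   # finance DB: permitted
    print(admit("payment-app", code, 0, "10.20.0.5", 443))     # HR range: denied
    print(admit("payment-app", "000000", 0, "10.10.1.15", 5432))  # bad code: denied
    print(admit("rogue-box", code, 0, "10.10.1.15", 5432))     # unknown system: denied
```

In a real deployment the verifying side must also remember the last counter accepted for each system so a captured code cannot be replayed, and the allowlist would be enforced by the network (firewall, switch ACL, or mutual-TLS policy) rather than by the application that is being restricted.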
Jan 18, 2021