
The management of any network should be undertaken in a secure manner, and indeed provide support for the overall management of network security. This should be accomplished with due consideration of the different network protocols available and related security services.

In furtherance of this, an organization should consider a number of controls, the majority of which can be identified through using ISO/IEC 17799, and ISO/IEC 13335-2 when published. In addition, remote diagnostic ports, whether virtual or physical, should be protected from unauthorized access.

13.4.2 Networking Aspects

The various aspects of networking can be categorized as follows:

Network Users - personnel who are users and/or administrators of networks. The spectrum of users ranges from individuals accessing remote resources via the Internet, dial-up or wireless connections, to individuals using workstations or personal computers that are attached to a local network. Users connected to local networks may also be able to connect to remote resources via inter-network connections that may exist between their local network and other networks. Such underlying connections may be transparent to the user.

End-Systems - computers, workstations and mobile devices (for example, smartphones and PDAs) that are connected to networks. This includes devices used to access networked facilities (e.g. client systems) and devices used to provide services (e.g. servers, host computer systems). This category encompasses the hardware, operating system software, and any local applications software, including software used to access the network.

Networked Applications - applications software, running on networked servers or host systems, and accessed via computer network connections, to provide, for example:

— financial transaction services,

— enterprise software services (e.g. CRM, EIS, MRP, etc.),

4 6 © ISO/IEC 2006 - All rights reserved

— web-based services,

— on-line database services,

— on-line storage facilities.

Network Services - services provided by the network, usually implemented in software on end-host or server systems that form part of the network infrastructure, for example:

— connectivity,

— e-mail,

— file transfer,

— directory services.

Network services may be:

— owned and operated by the organization,

— owned by the organization but operated by external agencies under contract,

— leased from external agencies,

— purchased ad-hoc from external providers,

— a combination of the above.

Network Infrastructure - the underlying hardware and software facilities, for example:

— premises,

— cabling,

— wireless facilities,

— network devices (e.g. routers, switches, modems, etc.).

As reflected in Clause 12 above, these aspects of network security should be modeled as network facets.

These facets build upon each other in effect to form a network security management framework, as shown in Figure 4 below:

Figure 4 — Facets in a Network Security Management Framework

There is inevitably some overlap, with some systems performing multiple roles in any realistic network scenario. However, these conceptual facets of functionality should assist the necessary systematic process of assessment required to determine the security risks present in any particular network scenario. Each facet in this conceptual security framework should be managed individually, and all the facets should be managed collectively, to ensure that the overall objectives are met for a secure network.


ISO/IEC 18028-1:2006(E)

13.4.3 Roles and Responsibilities

The roles and responsibilities associated with network security management that should be established are as follows. (It should be noted that, depending upon the size of the organization, these roles may be combined.)

Senior management:

— define the organization's security objectives,

— initiate, approve, publish, and impose the organization's security policy, procedures and rules,

— initiate, approve, publish, and impose the organization's acceptable usage policy,

— ensure security and acceptable usage policies are enforced.

Network management:

— develop detailed network security policy,

— implement the network security policy,

— implement the acceptable usage policy,

— manage the interface with external stakeholders / external service providers to ensure conformance with internal and external network security policies,

Network Security team:

— acquire, develop, test, check and maintain security components and tools,

— maintain security tools and components to follow closely the evolution of threats (e.g. updating virus signature files),

— update security relevant configurations (e.g. access control lists) according to changing business needs.

Network administrators:

— install, update, use and protect network security services and components,

— carry out the necessary daily tasks to apply the security specifications, rules, and parameters required by the security policies in force,

— take appropriate measures to assure the protection of network security components (e.g. back-ups, monitoring network activity, responding to security incidents or alarms, etc.),

Network users:

— communicate their security requirements,

— comply with corporate security policy,

— comply with corporate acceptable usage policies for network resources,

— report network security incidents,

— provide feedback on network security effectiveness.

Auditors (internal and/or external):

— review and audit (e.g. periodically test the effectiveness of network security),

— check compliance of systems with network security policy,

— check and test compatibility of operating security rules with the current business requirements and legal restrictions (e.g. lists granted for network accesses).


13.4.4 Network Monitoring

Network monitoring is a very important part of network security management. This is dealt with in Clause 13.7 below.

13.4.5 Evaluating Network Security

Network security is a dynamic concept. Security staff should keep up to date with developments in the field and ensure that any network continues to work with the most current security patches and fixes available from vendors. Steps should be taken periodically to audit existing security controls against established benchmarks, including by security testing - vulnerability scanning, etc. Security should be a primary consideration in evaluating new network technology.
