Choosing and using network protection systems

Cyber criminals can exploit configuration errors or technical vulnerabilities in applications, firewalls, or networks to access our information.

An organization must use defense-in-depth technologies to protect against, detect, and respond to cyber-attacks. The chosen technologies should cover physical, logical and administrative controls.

Connected other frameworks and requirements:
PR.PT-4: Communications and control networks
NIST CSF
9.2 (MIL1): Implement Network Protections as an Element of the Cybersecurity Architecture
C2M2

A strategy for cyber security architecture

The organization must have a strategy for developing and maintaining a cyber security architecture.

The strategy must match the organization's cyber security program and the organization's architecture.

The architecture must include:

  • Security measures for computer networks
  • Protection of information assets
  • Application security
  • Implementation of data protection and privacy
Connected other frameworks and requirements:
9.1 (MIL1): Establish and Maintain Cybersecurity Architecture Strategy and Program
C2M2
9.3 (MIL1): Implement IT and OT Asset Security as an Element of the Cybersecurity Architecture
C2M2
9.4 (MIL1): Implement Software Security as an Element of the Cybersecurity Architecture
C2M2
9.2 (MIL1): Implement Network Protections as an Element of the Cybersecurity Architecture
C2M2
9.5 (MIL1): Implement Data Security as an Element of the Cybersecurity Architecture
C2M2

Structural security of the network

The data processing environment is separated from public data networks and from other environments with a lower security level in a sufficiently secure manner.

Separation of data systems is one of the most effective factors in protecting confidential information. The goal of separation is to delimit the processing environment of confidential information into a manageable entity, and in particular to be able to limit the processing of confidential information to sufficiently secure environments only. Separation of environments can be implemented, for example, with the help of a firewall solution.

Connected other frameworks and requirements:
9.2 (MIL1): Implement Network Protections as an Element of the Cybersecurity Architecture
C2M2

Network segmentation and filtering practices within the classification level

Network zoning and filtering rulesets must be implemented in accordance with the principle of defense in depth.

Dividing the communication network within the security classification level in question into separate network areas (zones and segments) may mean, for example, a separation of workstations and servers that is appropriate from the perspective of protecting the information, also covering any project-specific separation needs.

The requirement can be met with the measures listed below:

  • The communication network is divided within the security classification level in question into separate network areas (zones, segments).
  • Traffic between network areas is restricted, and a default-deny rule is applied to traffic entering the environment.
  • The data processing environment is prepared for common network attacks.
Connected other frameworks and requirements:
I02: Network zoning and filtering rulesets
9.2 (MIL1): Implement Network Protections as an Element of the Cybersecurity Architecture
C2M2
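The measures above (separate zones, restricted inter-zone traffic, default deny on traffic entering the environment) can be made concrete with a small policy model. The following is an added example written for this page, not code from the page or from any framework or product; the zone names, ports and rules are constructed for illustration. It evaluates a flow against a first-match ruleset with an implicit final deny, and audits the ruleset for rules that undermine defense in depth.

```python
"""Added example: a minimal zone-based filtering policy evaluator and auditor.

Zones, trust levels, ports and rules below are constructed for the example;
they are not any real environment's configuration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed zones with a trust level (higher = more sensitive).
ZONES = {"internet": 0, "dmz": 1, "workstations": 2, "servers": 3}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


# Constructed ruleset: only explicitly needed inter-zone flows are allowed.
POLICY: List[Rule] = [
    Rule("internet", "dmz", 443, "allow"),          # public web front end
    Rule("dmz", "servers", 5432, "allow"),          # front end -> database
    Rule("workstations", "servers", 443, "allow"),  # users -> internal services
    Rule("workstations", "dmz", None, "deny"),      # explicit block, documents intent
    Rule("servers", "internet", 443, "allow"),      # outbound updates
]


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First-match evaluation of a flow crossing zone boundaries.

    Traffic that stays inside one zone is allowed. Traffic crossing a zone
    boundary is allowed only if a rule says so; anything unmatched is denied,
    which is the default-deny rule the requirement calls for.
    """
    if flow.src_zone == flow.dst_zone:
        return "allow"
    for rule in policy:
        if (rule.src_zone == flow.src_zone
                and rule.dst_zone == flow.dst_zone
                and rule.dst_port in (None, flow.dst_port)):
            return rule.action
    return "deny"


def audit(policy: List[Rule]) -> List[str]:
    """Flag allow rules that weaken the layered design.

    Two checks: an any-port allow from a lower-trust zone into a higher-trust
    zone, and any allow from the internet that bypasses the dmz. Both defeat
    the purpose of zoning even though each individual rule may look harmless.
    """
    findings = []
    for r in policy:
        if r.action != "allow":
            continue
        if ZONES[r.src_zone] < ZONES[r.dst_zone] and r.dst_port is None:
            findings.append(f"any-port allow {r.src_zone}->{r.dst_zone}")
        if r.src_zone == "internet" and r.dst_zone != "dmz":
            findings.append(f"direct allow from internet into {r.dst_zone}")
    return findings


if __name__ == "__main__":
    print(evaluate(POLICY, Flow("internet", "servers", 5432)))  # unmatched -> deny
    print(audit(POLICY))                                        # clean ruleset -> []
```

The audit runs on the ruleset rather than on traffic, so it can be part of a change-review step before a rule is deployed; the evaluator shows why the final implicit deny matters, since a flow such as internet to servers on the database port matches nothing and is dropped without anyone having to write a rule for it.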

Network areas and structurally secure network design

An owner is defined for an organization's networks. The owner is responsible for planning the structure of the network and documenting it.

Separate network areas are used in network design as needed. Network areas can be defined by, for example:

  • trust level (e.g. public, workstations, servers)
  • organizational units (e.g. HR, financial management)
  • a combination of these (for example, a server area that serves multiple organizational units)

Separation can be implemented either with physically separate networks or with logically separate networks.

Connected other frameworks and requirements:
13.1.3: Segregation in networks
ISO 27001
PR.AC-5: Network integrity
NIST CSF
8.22: Segregation of networks
ISO 27001
9.2 (MIL1): Implement Network Protections as an Element of the Cybersecurity Architecture
C2M2