
Segregation of network access related to offered cloud services


Network segregation is used to divide networks into smaller parts (called subnetworks or segments). Its main purpose is to apply the principle of least privilege by limiting the access that, for example, a user or a particular device can have.

When offering cloud services, the organisation should implement network access segregation to:

  • Strongly separate tenants from each other in multi-tenant environments
  • Strongly separate the provider's own internal administration environment from the customers' cloud computing environment

The organisation should be able to help the customer verify how the segregation has been implemented.

Connected other frameworks and requirements:
  • PR.AC-5: Network integrity (NIST CSF)
  • 13.1.3: Segregation in networks (ISO 27017)

Determining the responsibility of network devices


Owners have been assigned to the various network devices. They are responsible for ensuring that the information processed on the networks and related services is protected from unauthorized access. Where appropriate, responsibility for network equipment must be separated from other related responsibilities.

Connected other frameworks and requirements:
  • 13.1.1: Network controls (ISO 27001)
  • PR.AC-5: Network integrity (NIST CSF)
  • DE.CM-1: Network monitoring (NIST CSF)
  • 8.20: Networks security (ISO 27001)

Separation of critical environments


Technical environments in which an incident could have very damaging consequences are isolated from the rest of the network.

Connected other frameworks and requirements:
  • 13.1.3: Segregation in networks (ISO 27001)
  • PR.AC-5: Network integrity (NIST CSF)
  • 8.22: Segregation of networks (ISO 27001)

Network usage log and process for detecting inappropriate network traffic


Appropriate logs of network use are generated so that actions relevant to cyber security can be detected.

The normal state of network traffic (traffic volumes, protocols and connections) is known. To detect anomalies, there is a procedure for identifying events that deviate from this normal state (for example, unusual connections or connection attempts).
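The control above describes a known baseline and a procedure for spotting deviations from it. The following added example (not part of the original control text) shows one way to implement that procedure: a constructed allow-list of (source zone, destination zone, protocol, destination port) with typical byte volumes stands in for the "normal state", and a batch of constructed firewall-style log lines is compared against it. Flows absent from the baseline, volumes far above the baseline, and repeated denied attempts from one source are reported as findings. The zone ranges, the log format and every log line are constructed sample data.

```python
"""
Baseline comparison for network traffic logs (added example).

The "normal state" is a constructed allow-list of
(source zone, destination zone, protocol, destination port) with typical
byte volumes per reporting window. All zones, addresses, the log format
and the log lines below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed zone map: assumes each zone is one address range.
ZONES = {
    "workstations": ipaddress.ip_network("10.1.0.0/16"),
    "servers": ipaddress.ip_network("10.2.0.0/16"),
    "admin": ipaddress.ip_network("10.9.0.0/24"),
}

# Constructed baseline: the known normal state.
# (src zone, dst zone, protocol, dst port) -> typical bytes per window
BASELINE = {
    ("workstations", "servers", "tcp", 443): 50_000,
    ("admin", "servers", "tcp", 22): 5_000,
    ("servers", "servers", "tcp", 5432): 200_000,
}
VOLUME_FACTOR = 3.0   # observed bytes above baseline * factor is an anomaly
DENY_THRESHOLD = 3    # a source with this many denied attempts is reported

# Assumed (constructed) log format: key=value fields after a timestamp.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+) action=(?P<action>\w+)"
)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the map is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def analyse(lines: list[str]) -> list[Finding]:
    """Compare log lines with the baseline and return the findings."""
    findings: list[Finding] = []
    volumes: Counter = Counter()
    denied: Counter = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            findings.append(Finding("unparsed", line.strip()))
            continue
        key = (zone_of(m["src"]), zone_of(m["dst"]),
               m["proto"].lower(), int(m["dport"]))
        if m["action"].upper() != "ALLOW":
            denied[m["src"]] += 1   # count attempts; they carry no volume
            continue
        if key not in BASELINE:
            findings.append(Finding(
                "unknown_flow",
                f"{m['src']} -> {m['dst']} {key[2]}/{key[3]} ({key[0]} -> {key[1]})"))
        volumes[key] += int(m["bytes"])
    for key, observed in volumes.items():
        expected = BASELINE.get(key)
        if expected is not None and observed > expected * VOLUME_FACTOR:
            findings.append(Finding(
                "volume_anomaly", f"{key}: {observed} bytes, baseline {expected}"))
    for src, count in denied.items():
        if count >= DENY_THRESHOLD:
            findings.append(Finding("repeated_denied", f"{src}: {count} denied attempts"))
    return findings


# Constructed sample log for one reporting window.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.1.2.3 dst=10.2.0.5 proto=tcp dport=443 bytes=20000 action=ALLOW",
    "2024-05-01T10:00:02Z src=10.1.2.4 dst=10.2.0.5 proto=tcp dport=443 bytes=20000 action=ALLOW",
    "2024-05-01T10:00:03Z src=10.9.0.2 dst=10.2.0.5 proto=tcp dport=22 bytes=4000 action=ALLOW",
    "2024-05-01T10:00:04Z src=10.2.0.5 dst=10.2.0.6 proto=tcp dport=5432 bytes=700000 action=ALLOW",
    "2024-05-01T10:00:05Z src=10.1.5.7 dst=10.9.0.10 proto=tcp dport=22 bytes=300 action=ALLOW",
    "2024-05-01T10:00:06Z src=10.1.5.7 dst=10.2.0.5 proto=tcp dport=3389 bytes=0 action=DENY",
    "2024-05-01T10:00:07Z src=10.1.5.7 dst=10.2.0.5 proto=tcp dport=3389 bytes=0 action=DENY",
    "2024-05-01T10:00:08Z src=10.1.5.7 dst=10.2.0.5 proto=tcp dport=3389 bytes=0 action=DENY",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run on the sample window, the check reports three findings: a workstation reaching the admin segment (a zone pair the baseline does not contain), database traffic at more than three times its usual volume, and one source with three denied attempts in a row. In practice the baseline would be derived from historical flow records rather than typed in, and the thresholds tuned per zone pair, but the structure (known state, observed window, deviations as findings) is what the control asks for.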

Connected other frameworks and requirements:
  • I11: Capability to detect anomalies, and recovery
  • 12.4.1: Event logging (ISO 27001)
  • 13.1.1: Network controls (ISO 27001)
  • PR.AC-3: Remote access management (NIST CSF)
  • PR.AC-5: Network integrity (NIST CSF)

Network areas and structurally secure network design


An owner is defined for an organization's networks. The owner is responsible for planning the structure of the network and documenting it.

Separate network areas are used in the network design as needed. Network areas can be defined, for example, by:

  • trust level (e.g. public, workstations, servers)
  • organisational unit (e.g. HR, financial management)
  • a combination of these (for example, a server area that serves several organisational units)

Separation can be implemented either with physically separate networks or with logically separate networks.
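To make the design described above concrete, here is an added example (not taken from the page or from any particular product): zones are defined by trust level and organisational unit and mapped to address ranges, traffic between zones is default deny with an explicit rule list, and the design is audited for two structural problems an owner documenting the network would want to catch: an address range that belongs to more than one zone, and a rule that lets a lower-trust zone reach a higher-trust zone on any port. All zones, ranges and rules are constructed sample data; one overlap and one wildcard rule are planted so the audit has something to report.

```python
"""
Zone model and structural check for a segregated network design
(added example; all zones, ranges and rules are constructed).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Zone:
    name: str
    trust: int                     # higher number = more trusted
    unit: str                      # organisational unit, or "shared"
    network: ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    src: str                       # source zone name
    dst: str                       # destination zone name
    port: Optional[int]            # None means any port


# Constructed zone model: trust level, owning unit, address range.
ZONES = [
    Zone("public", 0, "shared", ipaddress.ip_network("203.0.113.0/24")),
    Zone("workstations-hr", 1, "hr", ipaddress.ip_network("10.1.0.0/16")),
    Zone("workstations-finance", 1, "finance", ipaddress.ip_network("10.2.0.0/16")),
    Zone("servers", 2, "shared", ipaddress.ip_network("10.10.0.0/16")),
    Zone("admin", 3, "it", ipaddress.ip_network("10.10.9.0/24")),   # planted overlap
]

# Constructed rule list; anything not listed is denied.
RULES = [
    Rule("workstations-hr", "servers", 443),
    Rule("workstations-finance", "servers", 443),
    Rule("admin", "servers", None),      # downward: administration of servers
    Rule("public", "servers", None),     # planted defect: upward, any port
]


def zone_by_name(name: str, zones=ZONES) -> Optional[Zone]:
    return next((z for z in zones if z.name == name), None)


def zone_of(ip: str, zones=ZONES) -> Optional[Zone]:
    """Most specific (longest prefix) zone containing the address, if any."""
    addr = ipaddress.ip_address(ip)
    matches = [z for z in zones if addr in z.network]
    return max(matches, key=lambda z: z.network.prefixlen, default=None)


def is_permitted(src_ip: str, dst_ip: str, port: int,
                 zones=ZONES, rules=RULES) -> bool:
    """Default deny between zones; only an explicit rule permits a flow."""
    src, dst = zone_of(src_ip, zones), zone_of(dst_ip, zones)
    if src is None or dst is None:
        return False
    if src.name == dst.name:
        return True   # same segment: not mediated by the zone boundary
    return any(r.src == src.name and r.dst == dst.name
               and (r.port is None or r.port == port) for r in rules)


def audit(zones=ZONES, rules=RULES) -> list[str]:
    """Report structural problems in the zone model and rule set."""
    problems = []
    for a, b in combinations(zones, 2):
        if a.network.overlaps(b.network):
            problems.append(f"overlap: {a.name} {a.network} and {b.name} {b.network}")
    for r in rules:
        src, dst = zone_by_name(r.src, zones), zone_by_name(r.dst, zones)
        if src is None or dst is None:
            problems.append(f"unknown zone in rule {r}")
        elif dst.trust > src.trust and r.port is None:
            problems.append(f"wildcard upward: {r.src} (trust {src.trust}) "
                            f"-> {r.dst} (trust {dst.trust}) on any port")
    return problems


if __name__ == "__main__":
    for p in audit():
        print("AUDIT:", p)
    print(is_permitted("10.1.4.4", "10.10.0.5", 443))   # explicit rule: permitted
    print(is_permitted("10.1.4.4", "10.2.0.9", 443))    # HR to finance: denied
```

The same model works whether the separation is physical or logical: the zone table is the documented structure the network owner is responsible for, and the rule list is what the boundary devices (routers, firewalls, VLAN ACLs) are expected to enforce. Re-running the audit whenever either changes keeps the documentation and the implementation from drifting apart.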

Connected other frameworks and requirements:
  • 13.1.3: Segregation in networks (ISO 27001)
  • PR.AC-5: Network integrity (NIST CSF)
  • 8.22: Segregation of networks (ISO 27001)
  • 9.2 (MIL1): Implement Network Protections as an Element of the Cybersecurity Architecture (C2M2)