Information Systems Security Controls Guidance: Network Security
Network Security – Section 11(c)(9)(i)
Section 11(c)(9)(i) requires the registered entity to “ensure that all external connections to systems which manage security for the registered space are isolated or have controls that permit only authorized and authenticated users.” There are several methods for securing the network from intrusion. The entity should work with the IT department to ensure that specific provisions are in place for registered spaces. The entity may use one or more of the following to meet the requirement:
Logical Network Separation
Logical network separation means that all of the end points (computers, servers, etc.) are contained within the same local area network.
- Wireless Network – A computer network that uses no cables of any kind to create a secure connection between different equipment locations.
- Segregated Network – A network of computers that is split into subnetworks so that the local network is contained and is not visible from the outside.
- Encrypted VPN (Virtual Private Network) – A web of computers that are linked together and able to share files and resources, with the links encrypted so that the computers can access the internet without compromising security.
- LAN (Local Area Network) or VLAN (Virtual Local Area Network) – A broadcast domain within a switched network. Devices in this network setup can communicate with one another without a router.
Physical Network Separation
A physically separated network is not connected to the internet and is physically isolated by purpose-built hardware and software security barriers.
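As an added example that is not part of this guidance, the following audit check applies the Section 11(c)(9)(i) requirement to constructed connection records: a connection to a security-management host is acceptable only if it originates inside the isolated registered-space segment or comes from an authorized, authenticated VPN user. The address ranges, host addresses, user names and log format are assumptions made for the example.

```python
"""Audit check for Section 11(c)(9)(i): flag connections to security-management
hosts that do not come from the isolated segment or an authenticated VPN user."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed address plan (constructed for this example, not from the guidance).
REGISTERED_SPACE_VLAN = ipaddress.ip_network("10.50.0.0/24")  # isolated segment
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")               # addresses handed to VPN users
SECURITY_SYSTEMS = {
    ipaddress.ip_address("10.50.0.10"),  # access-control server (assumed)
    ipaddress.ip_address("10.50.0.11"),  # video-recording server (assumed)
}
AUTHORIZED_VPN_USERS = {"jsmith", "rlee"}  # users approved for remote access (assumed)


@dataclass
class Connection:
    src: str
    dst: str
    user: Optional[str] = None  # identity asserted by the VPN gateway, if any


def classify(conn: Connection) -> str:
    """Return why a connection is acceptable, or 'violation' if it is not."""
    src, dst = ipaddress.ip_address(conn.src), ipaddress.ip_address(conn.dst)
    if dst not in SECURITY_SYSTEMS:
        return "not-in-scope"            # not a system that manages security
    if src in REGISTERED_SPACE_VLAN:
        return "allowed-isolated"        # originates inside the isolated segment
    if src in VPN_POOL and conn.user in AUTHORIZED_VPN_USERS:
        return "allowed-authenticated"   # external, but authorized and authenticated
    return "violation"                   # external and not under the required controls


def audit(lines: List[str]) -> List[str]:
    """Parse constructed records of the form 'src dst [user]' and return violations."""
    violations = []
    for line in lines:
        parts = line.split()
        conn = Connection(parts[0], parts[1], parts[2] if len(parts) > 2 else None)
        if classify(conn) == "violation":
            violations.append(line)
    return violations


# Constructed sample connection records, not real traffic.
SAMPLE_LOG = [
    "10.50.0.25 10.50.0.10",          # workstation inside the registered-space VLAN
    "10.99.0.7 10.50.0.10 jsmith",    # authorized user over the VPN
    "10.99.0.8 10.50.0.11 guest",     # VPN user who is not on the authorized list
    "203.0.113.5 10.50.0.11",         # direct external connection, no VPN
    "10.50.0.25 10.20.0.3",           # traffic to a host that is not in scope
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print("VIOLATION:", v)
```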