Network Protection Policy - Threat Prevention
Network firewalls protect a network from external threats and, when placed between internal segments, from lateral movement inside it. They can be configured to allow or deny traffic based on a variety of criteria, including source and destination IP addresses, port numbers, protocols and, for stateful firewalls, connection state.
Firewall – Businesses shall implement a secure gateway (firewall) that establishes an internal network perimeter, protecting and segregating the internal network from external networks and from any demilitarized zones (DMZs), in order to control access and information flow. This gateway shall be capable of enforcing security policies and shall be configured to deny by default and allow by exception, to filter traffic between network domains, and to block unauthorized access in accordance with the access control policy. Every firewall exception or rule shall have a documented business justification before it is implemented, based on the functionality and classification of the systems involved and on the risk assessment of their security requirements.
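The requirements above (deny-by-default, allow-by-exception, DMZ-mediated access, and a documented justification for every rule) can be checked mechanically against a firewall's rule export. The following is an added example, not part of the policy text or of any particular vendor's tooling; the rule-set structure, the zone names `external`/`dmz`/`internal`, and the field names are assumptions chosen for illustration, and the sample rules are constructed. Adapt the loader to your firewall's real export format.

```python
"""Audit a firewall rule set against the policy's firewall requirements.

Added example, not part of the policy. The Rule/Ruleset shape, the zone
names and the field names are assumptions for illustration only.
"""
from dataclasses import dataclass, field

# Assumed zone model: external <-> dmz <-> internal. Traffic from the
# outside should terminate in the DMZ, never reach "internal" directly.
ZONES = ("external", "dmz", "internal")


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                 # "allow" or "deny"
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    dst_ports: tuple = ()       # empty tuple means "any port"
    justification: str = ""     # documented business justification
    approved_by: str = ""       # who approved the exception


@dataclass
class Ruleset:
    default_action: str         # the policy requires "deny"
    rules: list = field(default_factory=list)


def audit(ruleset):
    """Return a list of human-readable policy findings (empty == compliant)."""
    findings = []

    # Deny-by-default: anything not explicitly allowed must be dropped.
    if ruleset.default_action != "deny":
        findings.append("default policy is '%s'; policy requires deny-by-default"
                        % ruleset.default_action)

    for r in ruleset.rules:
        if r.src_zone not in ZONES or r.dst_zone not in ZONES:
            findings.append(f"{r.name}: unknown zone pair {r.src_zone}->{r.dst_zone}")
            continue
        if r.action != "allow":
            continue  # deny rules need no exception paperwork

        # Allow-by-exception: every allow rule is an exception and must be justified.
        if not r.justification.strip():
            findings.append(f"{r.name}: allow rule without documented business justification")
        if not r.approved_by.strip():
            findings.append(f"{r.name}: allow rule without a recorded approver")

        # An "any protocol, any port" allow is a hole, not an exception.
        if r.proto == "any" and not r.dst_ports:
            findings.append(f"{r.name}: allows any protocol/any port "
                            f"{r.src_zone}->{r.dst_zone}; not allow-by-exception")

        # The DMZ exists so that external traffic never reaches internal hosts directly.
        if r.src_zone == "external" and r.dst_zone == "internal":
            findings.append(f"{r.name}: permits external->internal directly, bypassing the DMZ")

    return findings


def sample_ruleset():
    """Constructed sample rule set exercising each check (not real data)."""
    return Ruleset(default_action="deny", rules=[
        Rule("web-in", "external", "dmz", "allow", "tcp", (443,),
             justification="Public web front end", approved_by="security-officer"),
        Rule("db-from-dmz", "dmz", "internal", "allow", "tcp", (5432,),
             justification="", approved_by="security-officer"),
        Rule("legacy-any", "external", "internal", "allow",
             justification="legacy app, owner unknown", approved_by=""),
        Rule("block-dmz-internal", "dmz", "internal", "deny"),
    ])


def sample_findings():
    return audit(sample_ruleset())


if __name__ == "__main__":
    for finding in sample_findings():
        print("FINDING:", finding)
```

Running it on the constructed sample reports four findings: the `db-from-dmz` rule lacks a justification, and the `legacy-any` rule has no approver, allows any protocol on any port, and connects the external zone straight to the internal network. A rule set whose default action is anything other than deny is flagged before the individual rules are examined.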
Network Diagram – A network diagram documenting all high-risk environments, data flows, and connections to systems that store, process, or transmit covered information shall be developed and maintained. The diagram shall be updated whenever the network changes and reviewed at least every six months.
Wireless Access to Production – Direct access to the production network via a wireless connection is prohibited. Guest wireless network access is permitted provided the wireless network is physically and logically separated from the internal production network.
Remote Access – Remote connections to the Business network shall be made only through a Business-supplied VPN that enforces multi-factor authentication, and a mechanism for detecting unauthorized mobile devices on the network shall be implemented. When the network is accessed remotely, copying sensitive data (including clipboard use and screen capture such as 'print screen'), and moving, printing, or locally storing it, shall be prohibited. If a business need is identified for enabling any of these functions for specific users or roles, that need shall be documented and explicitly approved by the Security Officer.
Migration of Data – If a physical server, an application, or other data needs to be migrated to a virtualized environment, the network used for the migration shall be segregated from the production network.