Annex A.13.1 is about network security management. The objective of this Annex is to ensure the protection of information in networks and its supporting information processing facilities. Communications encompass the breadth of digital data flows both within an organization and between external entities across network infrastructures. These flows now include data, voice, video, and all of their associated signaling protocols. Securing this information flows as they traverse Intranets, Extranets, and the Internet requires effective network infrastructure management as well as controls, policies, and procedures. This control provides guidance in planning, developing, and implementing the most essential elements of a Communications Security strategy.
‘A.13.Communications Security’ stresses the security of the network and network services through controls such as segregation of networks, network service level agreements and other network controls that are applicable to the environment. Along with ensuring network security, the domain also guides the organization in safeguarding the information in transit through controls such as policies and procedures for information transfer, agreements to ensure secure transfer of information between the parties involved, controls specific to electronic messaging, etc.
Networks must be managed and controlled in order to protect information within systems and applications. Put in simple terms, the organization should use appropriate methods in order to ensure it is protecting any information within its systems and applications. These network controls should consider all operations of the business carefully, be adequately and proportionately designed, and implemented according to business requirements, risk assessment, classifications and segregation requirements as appropriate. Some possible examples of technical controls for consideration may include; Connection control and endpoint verification, firewalls and intrusion detection/prevention systems, access control lists, and physical, logical or virtual segregation. It is also important to enforce the fact that when connecting to public networks or those of other organizations outside organizational control, consider the increased risk levels and to manage these risks with additional controls as appropriate. You will need to bear in mind that the auditor will be looking to see these implemented controls are effective and managed appropriately, including the use of formal change management procedures.
A. 13.1 Network security management
To ensure the protection of information in networks and its supporting information processing facilities.
13.1.1 Network controls
Networks should be managed and controlled to protect the information in systems and applications.
Controls should be implemented to ensure the security of information in networks and the protection of connected services from unauthorized access. In particular, the following items should be considered:
a) responsibilities and procedures for the management of networking equipment should be established;
b) operational responsibility for networks should be separated from computer operations where appropriate ;
c) special controls should be established to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications; special controls may also be required to maintain the availability of the network services and computers connected;
d) appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, information security;
e) management activities should be closely coordinated both to optimize the service to the organization and to ensure that controls are consistently applied across the information processing infrastructure;
f) systems on the network should be authenticated;
g) systems connected to the network should be restricted.
13.1.2 Security of network services
Security mechanisms, service levels and management requirements of all network services should be identified and included in-network services agreements, whether these services are provided in-house or outsourced.
The ability of the network service provider to manage agreed services in a secure way should be determined and regularly monitored, and the right to audit should be agreed. The security arrangements necessary for particular services, such as security features, service levels, and management requirements, should be identified. The organization should ensure that network service providers implement these measures.
Network services include the provision of connections, private network services and value-added networks and managed network security solutions such as firewalls and intrusion detection systems. These services can range from simple unmanaged bandwidth to complex value-added offerings. Security features of network services could be:
a) technology applied for the security of network services, such as authentication, encryption, and network connection controls;
b) technical parameters required for secured connection with the network services in accordance with the security and network connection rules;
c) procedures for the network service usage to restrict access to network services or applications, where necessary.
13.1.3 Segregation in networks
Groups of information services, users and information systems should be segregated on networks.
One method of managing the security of large networks is to divide them into separate network domains. The domains can be chosen based on trust levels (e.g. public access domain, desktop domain, server domain), along with organizational units (e.g. human resources, finance, marketing) or some combination (e.g. server domain connecting to multiple organizational units). The segregation can be done using either physically different networks or by using different logical networks (e.g.virtual private networking). The perimeter of each domain should be well defined. Access between network domains is allowed but should be controlled at the perimeter using a gateway (e.g. firewall, filtering router). The criteria for segregation of networks into domains and the access allowed through the gateways should be based on an assessment of the security requirements of each domain. The assessment should be in accordance with the access control policy, access requirements, value and classification of information processed and also take account of the relative cost and performance impact of incorporating suitable gateway technology. Wireless networks require special treatment due to the poorly defined network perimeter. For sensitive environments, consideration should be made to treat all wireless access as external connections and to segregate this access from internal networks until the access has passed through a gateway in accordance with network controls policy before granting access to internal systems. The authentication, encryption, and user-level network access control technologies of modern, standards-based wireless networks may be sufficient for direct connection to the organization’s internal network when properly implemented.
Networks often extend beyond organizational boundaries, as business partnerships are formed that require the interconnection or sharing of information processing and networking facilities. Such extensions can increase the risk of unauthorized access to the organization’s information systems that use the network, some of which require protection from other network users because of their sensitivity or criticality.
Network security management includes the following controls:
- Network controls that will ensure information communicated through the networks will be protected – for example, logging and monitoring of the actions in the network, restrictions of the connections to the network. authentication of the systems connected to the network, etc. Annex A doesn’t require documenting this control; however, in order to ensure effective network controls, responsibilities and
procedures for managing network equipment can be documented.
- Security of network services will be managed by deﬁning network service agreements with relevant security parameters and requirements such as the implementation of ﬁrewall and intrusion detection systems and monitoring the performance of the network providers. This control should be documented by signing the network service agreements.
- Segregation in networks is one of the methods to manage the security of networks. This means dividing the network into smaller separate networks that are easier to manage and protect. This division can be made based on the criticality of the domain (for public access, server domain, etc), based on the organizational departments (for example, for top management, for ﬁnance department, etc.), or some other combination suitable for the organization. ISO 27001 doesn’t require documenting this control.
Establishing Responsibility and Procedures for Network Management and Operations
Information flowing across networks cannot be secured without effective management of the physical and logical network infrastructure, including physical cabling, logical topologies, network devices, and network services. A centralized entity with appropriate responsibility and authority is generally the most effective way to ensure consistency and manageability across the organization’s Intranet and Extranets. In many organizations achieving a single point of responsibility and authority for all network infrastructure can be challenging. Management of network infrastructure includes network operations, which is a separate function from the data center or information processing operations. Network security operations is often another distinct function but must coordinate closely with network operations.
The large scale and high complexity of modern networks in the modern organization contribute to a challenging environment for security professionals and network administrators. The fundamental aspects of network services and protocols were not designed with information confidentiality in mind. Network Controls have been designed and implemented to compensate for this lack of security and continue to evolve as threat actors and their attack methods become more sophisticated.
Methods of Attack
Before determining which controls should be implemented and in which order, it is helpful to understand the common methods of attack. Note that a risk management approach is recommended to fully analyze all threats and responses. The ultimate goal of attackers is to gain access to or modify data of value. Their targets are typically servers, workstations, or other computers connected to your University’s networks, but they will make use of networks, other computers, people, or any other tool to achieve their objectives. Their attack strategies typically involve some form of reconnaissance, followed by exploitation – attempts to bypass or disable network or host security controls by exploiting vulnerabilities, and finally data modification or exfiltration. A Denial of Service (DoS) is a specific type of attack designed to disrupt operations or make networks and systems unavailable.
Reconnaissance – Attackers use reconnaissance to discover networks, hosts, or vulnerabilities. A variety of freely available tools are available that allow scanning or probing of systems accessible to the Internet. In targeting a specific University, an attacker need only know publicly available information such as the range of IP subnets used by the school. Scanning often involves discovering what TCP or UDP ports are active on the various hosts within the University’s networks. Firewalls, IDS/IPS, network isolation, authentication, and logging are some of the tools network or security administrators use to limit or detect reconnaissance activities.
Exploitation – The protocols used across the Internet and within the Intranets and Extranets were designed for availability and openness rather than security and privacy. Attackers abuse and exploit the inherent lack of security of TCP/IP and the other various protocols and their associated network devices to their advantage. Their specific methods are numerous and varied, but can generally be categorized as follows:
- Sniffing – intercepting and examining network traffic
- Spoofing – impersonating a network host or user
- Man-in-the-Middle – covertly impersonating an intermediary host or network service such that the parties on either end of the connection are unaware that their communications are being captured and possibly altered
- Hijacking – taking over or re-routing one end of an otherwise valid communication between two parties
- Replay attacks – using intercepted communications or authentication interactions to falsely authenticate
- Password Cracking – using sophisticated or simple brute force attacks to guess weak passwords
- System or Application exploitation – once an attacker is in contact with a system at any of the application layer protocols such as FTP, Telnet, SSH, HTTP, HTTPS, SNMP, and others, weaknesses in the Operating System or the applications can be exploited to gain unauthorized access
Data Modification and Exfiltration – Once access to systems or data is gained, the data can be modified or copied (exfiltrated). While data owners might quickly know if data is modified, data exfiltration can take place in relative secrecy unless there are sufficient monitoring and controls in place to detect it. Most Universities have reasonable protections in place to prevent or detect external attacks but are not as diligent in monitoring outbound traffic to detect confidential or sensitive data that is being copied by a successful attacker.
Like other types of security controls, network controls can be categorized into various types, depending on their primary function.
Preventive controls seek to stop or prevent attacks or intrusions before they occur. Firewalls, Intrusion Prevention Systems, Web Gateways, and physical Isolation of network cabling and devices are all examples of preventive controls.
Detective Controls seek to detect attacks or intrusions in progress or after (ideally very soon after!) they have already taken place. Intrusion Detection Systems, Log collection and review, Security Information and Event Management (SIEM) systems, AntiVirus software, and video surveillance in data centers and communications facilities are examples of detective controls.
Administrative controls direct users – employees, faculty, students, contractors, and partners – to follow specific procedures. Examples include policies against connecting rogue hubs, switches, or routers to the network, the use of network traffic sniffers, unauthorized network services, and procedures for provisioning network access accounts.
Technical controls often enforce administrative controls, but can also limit or prevent network activity/traffic, or isolate network segments or users to increase overall security. Examples include network access control, group policy objects, strong authentication, encryption, and Virtual Private Network (VPN) technology.
A sound network control strategy employs the concept of Defense In-Depth to provide optimal security. Firewalls at the network perimeter limit the traffic that is allowed in and out of the network. IDS/IPS devices detect and prevent traffic that is suspicious or known to be malicious. Internal network isolation limits the visibility of network traffic to devices and users by department or role. Access to wireless and wired networks is restricted to authenticated users only. Strong passwords are enforced for all network computers. Computers run host-based firewalls and AntiVirus software. Certain sensitive network traffic is encrypted so that it cannot be intercepted. All of these controls are combined together to provide a layered or In-Depth defensive strategy.
Network Design and Architecture
Centralized management of networks allows for strategic network design and architecture that can be more readily optimized for performance, availability, and security. All endpoints should terminate to network switches to remove the possibility of internal network traffic sniffing by computers and users. Highly sensitive data and traffic such as for Data Centers or communications facilities should be isolated through virtual LAN (VLAN) technology and/or Firewalls. Highly unregulated traffic such as for student residence halls should also be isolated. The architecture of the network should allow for the strategic placement of firewalls, demilitarized zones (DMZ’s), and IDS/IPS devices such that all network traffic between the University Intranet and the Internet can be adequately controlled and monitored.
Perimeter controls must be strategically placed such that all network traffic flowing in and out of the Organization’s internal networks, i.e. its Intranet, can be controlled and monitored. These controls are critical to network functionality and security and therefore must be fault-tolerant and have redundant backups available. In addition, they must be capable of processing the anticipated peak volume of network traffic. This is especially important for larger Universities with extremely high aggregate Internet bandwidth. Typical perimeter controls include:
- Routers – The border router is typically capable of allowing or denying connections, but its primary purpose is to route traffic at the network border or DMZ
- Firewalls – firewalls (sometimes called border firewalls) block or limit traffic, typically by TCP/UDP port
- IDS/IPS – An Intrusion Detection System and/or Intrusion Prevention System adds an extra layer of protection, examining, limiting, or blocking traffic that was allowed through the border firewall, but is highly suspicious or known to be malicious
- Data Loss Prevention (DLP) – some DLP solutions inspect all network traffic to detect or block confidential data from leaving the Intranet
- “Next Generation” Firewalls – The term “NextGen” is a marketing term used by some vendors to imply a higher level of sophistication and thus a higher level of protection. While many of these products do perform as advertised, they are essentially serving the same or combined functions like firewall and IDS/IPS technology.
- Web Gateway – A secure web gateway does not necessarily sit at the perimeter, but does filter web-based traffic, providing more granular IDS/IPS functionality for web-based traffic or content
- Network Address Translation (NAT) – not strictly a security control, NAT limits the visibility of endpoints within the University Intranet from potential attackers on the Internet.
Note on encryption – while encryption is an effective control for data in transit, security administrators should also be aware that too much encryption of network traffic can severely limit many perimeter controls such as IDS/IPS, DLP, and Secure Web Gateways. Many vendors are now providing cloud-based network protection, which can supplement or replace many of the on-premise perimeter or interior controls network and security administrators have used.
Isolation – Network segments or subnets within the University Intranet should be appropriately isolated according to the security requirements of the users and endpoints. Virtual LAN (vLAN) technology is the primary control used to isolate users and endpoints.
Endpoint Hardening – All network devices and endpoints should be hardened to reduce their attack surface. Hardening involves maintaining current patch levels, AntiVirus, host-based firewalls, host-based IDS/IPS, disabling unnecessary services, using strong passwords, and other protections as appropriate. Software whitelisting can also provide additional endpoint protection. Network and security administrators should not neglect printers, multi-function devices, and other network-attached devices which often have insecure services opened up, such as FTP, Telnet, or SNMP.
Vulnerability Management – A Vulnerability Management System can help ensure that all endpoints on the network are adequately hardened. Vulnerability Management should ideally include web-based applications to reduce vulnerability to SQL-Injection, Cross-Site Scripting, and other web-based exploits.
Network Access Control (NAC) – Registering all endpoints before allowing connection to the network can prevent unauthorized devices from connecting as well as enforce security baselines. For instance, University IT Security Policies may state that all endpoints have automatic security updating enabled, authentication must be done via the central Active Directory domain, and AntiVirus and Firewall must be active. NAC can prevent systems that do not meet these requirements from accessing all or certain portions of the network.
WiFi Security Controls – The WiFi should be protected and in most cases, isolated from all other internal networks, particularly when the Organization has chosen to make WiFi open-access. Open-access WiFi allows any computer within range to connect and therefore should be provided limited services such as Internet access only. WiFi that connects to more sensitive portions of the network should be limited to authorized users only. All WiFi should use WPA2 or stronger encryption. Note that enabling these levels of control across a large campus can be costly and require sophisticated equipment.
Remote Access – remote access to internal or Intranet networks can be a high-security risk if not properly planned and secured. While a Virtual Private Network (VPN) service is an excellent way to allow remote users to securely connect to your internal networks or Intranet, it provides no assurance that the connecting endpoint computer is itself secure. Security administrators should strongly consider enforcing Network Access Control for VPN connections or strictly limiting the use of VPN to selected trusted users. Outbound VPN can also introduce the risk of opening up internal networks to potentially unsecured external networks. Many organizations chose to block outbound VPN at the firewall for this reason. Other remote access tools and protocols need to be carefully controlled or limited. Remote Desktop Protocol (RDP) and Secure Shell (SSH) can introduce additional risks. RDP is best blocked at the firewall or provided through an RDP Gateway. While SSH is a secure protocol, the Linux and Unix systems that typically use SSH are often administered outside of the campus directory service and can thus have weak passwords. External attackers routinely look for open SSH ports and attempt to use Rainbow tables or Brute Force to crack passwords. Web-based services such as LogMeIn, VNC, GoToMyPC, etc. can also introduce the risk of unauthorized remote access. Security administrators should carefully assess the risks associated with these services.
Back Doors – Remote Access protocols and services can create “back doors” of access to internal networks and should be carefully administered. Other back doors include analog modems, cellular services on smartphones and tablets, Bluetooth personal area networks, and removable media such as USB and CD/CDRW drives.
Encryption- Encryption of certain network traffic is an essential network control. All confidential or sensitive information leaving the network should be encrypted with proven strong encryption algorithms. Authentication protocols that transmit passwords or encryption keys over the network should also be encrypted. Secure Sockets Layer (SSL) is a common encryption protocol used for web traffic.
Network Security Policies
A strong set of network security policies complements technical controls. While policies cannot always be technically enforced, users need to be aware of behaviors that are unacceptable by the policy. Examples include:
- Use of strong passwords
- No sharing of user account credentials
- Users are not allowed to install and run illegal software, such as network sniffing/scanning or P2P File Sharing software
- All user accounts must be centrally managed and issued
- Prohibition of rogue switches, routers, hubs
- All network cabling and outlets must be installed by central network services
- The limited expectation of privacy
Security policies provide a means of enforcement in the event of known violations.
Log Management and Auditing
Routers, switches, IDS/IPS, firewalls, Directory Services controllers, and other network devices have a wealth of information about activity on the network. However, the massive amount of data they produce makes it difficult to adequately correlate and review for possible intrusions or perform forensic investigations. A Security Information and Event Management (SIEM) solution can greatly reduce the effort and expense involved and provide a much higher level of visibility for security. Network Access Control
All network controls should be routinely validated by an authorized external third party. The process is typically referred to as Penetration Testing (Pen Tests). A qualified Pen Tester can help ensure that the controls you have carefully implemented are working effectively. Many organizations are required to perform such testing on an annual or biennial basis.
Security of network services
Network services include Directory services, Domain Name Service (DNS), Dynamic Host Configuration Protocol (DHCP), authentication services, messaging/email, remote access, and others. These services have traditionally been provided on-premise by network and/or security administrators. Today, many organizations are turning to outsourced cloud providers for many of these services. Security mechanisms, service levels and management requirements of all network services need to be identified and included in-network services agreements, whether these services are provided in-house or outsourced. Put into simple terms, the organization should include all the various security measures it is taking in order to secure its network services, in its network services agreements. Your auditor will want to see that the design and implementation of networks take into account both the business requirements and security requirements, achieving a balance that is adequate and proportionate to both. They will be looking for evidence of this, along with evidence of a risk assessment.
Most organizations utilize some form of Directory Service, such as Microsoft Active Directory. Other essential services include DHCP, DNS, and remote access services such as VPN. Because these services operate at the network and IP layers of the OSI stack, and they perform essential functions for all network hosts, they must be well-managed and secured. Only a very small number of network administrators should have administrative access to the underlying servers. These servers must also be hardened and kept up to date with security patches. Logging to an external aggregator or SIEM is also strongly recommended.
External Network Services
Highly available Internet connectivity has opened the door for organizations to shift network and other application services to external cloud providers. While there are many reputable and very capable providers, it is nonetheless more difficult to hold an external entity accountable at the same levels possible with internal staff. Organizations entering into agreements with cloud providers need to carefully review and negotiate the specific terms and conditions of these agreements. Service Level Agreements, Confidentiality Statements, and Privacy Policies are among the types of documents that must be carefully reviewed and updated. The default versions of these documents will typically be written in favor of the external provider rather than their customers. External service providers should be held to the same level of security controls as those that apply to internal services. Organizations should write into their agreements language that specifies required security controls, limitation of access by provider’s employees, confidentiality statements, the right of the Organizations to audit security controls, and any other provisions that reduce risks of data disclosure, alteration, or loss.
Segregation in networks
Groups of information services, users and information systems should be segregated on networks. Wherever possible consider segregating duties of network operations and computer/system operations e.g. public domains, dept x or y domains. The network design and control must align to and support information classification policies and segregation requirements. One way to protect your confidential and/or critical systems is to segregate your networks along physical or logical lines. Using VLANs to separate your systems creates an additional layer of security between your regular network and your most sensitive systems. This method is often utilized in order to protect data centers, credit card processing systems covered by PCI DSS, SCADA systems, and other systems considered to be sensitive or mission-critical. In order to properly control access to your segregated networks, you should place a firewall or router at the perimeter of each network. That way, different networks can have different access control policies based on the sensitivity classification of the data that they create, transmit, and/or store. Special consideration should be given to wireless networks that allow anyone to connect for Internet access – if you offer an unsecured connection to your wireless network, you should take steps to ensure that wireless traffic is kept separate from the rest of your network or networks. Wireless users should not be able to access domain resources on your wired network without authenticating first, at least; most organizations now offer a secure wireless option (sometimes in addition to a separate, cordoned-off unsecured wireless option) to help maintain the confidentiality and integrity of their wired network.
A.13.2 Information transfer
To maintain the security of information transferred within an organization and with any external entity.
A.13.2.1 Information transfer policies and procedures
Formal transfer policies, procedures, and controls should be in place to protect the transfer of information through the use of all types of communication facilities.
The procedures and controls to be followed when using communication facilities for information transfer should consider the following items:
a) procedures designed to protect transferred information from interception, copying, modification, misrouting and destruction;
b) procedures for the detection of and protection against malware that may be transmitted through the use of electronic communications;
c) procedures for protecting communicated sensitive electronic information that is in the form of an attachment;
d) policy or guidelines outlining the acceptable use of communication facilities;
e) personnel, external party and any other user’s responsibilities not to compromise the organization, e.g. through defamation, harassment, impersonation, forwarding of chain letters, unauthorized purchasing, etc.;
f) use of cryptographic techniques e.g. to protect the confidentiality, integrity, and authenticity of the information;
g) retention and disposal guidelines for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations;
h) controls and restrictions associated with using communication facilities, e.g. automatic forwarding of electronic mail to external mail addresses;
i) advising personnel to take appropriate precautions not to reveal confidential information;
j) not leaving messages containing confidential information on answering machines since these may be replayed by unauthorized persons, stored on communal systems or stored incorrectly as a result of misdialling;
k) advising personnel about the problems of using facsimile machines or services, namely:
- unauthorized access to built-in message stores to retrieve messages;
- deliberate or accidental programming of machines to send messages to specific numbers;
- sending documents and messages to the wrong number either by misdialling or using the wrong stored number.
In addition, personnel should be reminded that they should not have confidential conversations in public places or over insecure communication channels, open offices and meeting places. Information transfer services should comply with any relevant legal requirements.
Information transfer may occur through the use of a number of different types of communication facilities, including electronic mail, voice, facsimile, and video. Software transfer may occur through a number of different mediums, including downloading from the Internet and acquisition from vendors selling off-the-shelf products. The business, legal and security implications associated with electronic data interchange, electronic commerce, and electronic communications and the requirements for controls should be considered.
13.2.2 Agreements on information transfer
Agreements should address the secure transfer of business information between the organization and external parties.
Information transfer agreements should incorporate the following:
a) management responsibilities for controlling and notifying transmission, dispatch, and receipt;
b) procedures to ensure traceability and non-repudiation;
c) minimum technical standards for packaging and transmission;
d) escrow agreements;
e) courier identification standards;
f) responsibilities and liabilities in the event of information security incidents, such as loss of data;
g) use of an agreed labeling system for sensitive or critical information, ensuring that the meaning of the labels is immediately understood and that the information is appropriately protected;
h) technical standards for recording and reading information and software;
i) any special controls that are required to protect sensitive items, such as cryptography;
j) maintaining a chain of custody for information while in transit;
k) acceptable levels of access control.
Policies, procedures, and standards should be established and maintained to protect information and physical media in transit and should be referenced in such transfer agreements. The information security content of any agreement should reflect the sensitivity of the business information involved.
Agreements may be electronic or manual and may take the form of formal contracts. For confidential information, the specific mechanisms used for the transfer of such information should be consistent for all organizations and types of agreements.
13.2.3 Electronic messaging
The information involved in electronic messaging should be appropriately protected.
Information security considerations for electronic messaging should include the following:
a) protecting messages from unauthorized access, modification or denial of service commensurate with the classification scheme adopted by the organization;
b) ensuring correct addressing and transportation of the message;
c) reliability and availability of the service;
d) legal considerations, for example, requirements for electronic signatures;
e) obtaining approval prior to using external public services such as instant messaging, social networking or file-sharing;
f) stronger levels of authentication controlling access from publicly accessible networks.
There are many types of electronic messaging such as email, electronic data interchange and social networking which play a role in business communications.
13.2.4 Confidentiality or non-disclosure agreements
Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented.
Confidentiality or non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable to external parties or employees of the organization. Elements should be selected or added in consideration of the type of the other party and its permissible access or handling of confidential information. To identify requirements for confidentiality or non-disclosure agreements, the following elements should be considered:
a) a definition of the information to be protected (e.g. confidential information);
b) expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
c) required actions when an agreement is terminated;
d) responsibilities and actions of signatories to avoid unauthorized information disclosure;
e) ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information;
f) the permitted use of confidential information and rights of the signatory to use information;
g) the right to audit and monitor activities that involve confidential information;
h) process for notification and reporting of unauthorized disclosure or confidential information leakage;
i) terms for information to be returned or destroyed at agreement cessation;
j) expected actions to be taken in case of a breach of the agreement.
Based on an organization’s information security requirements, other elements may be needed in a confidentiality or non-disclosure agreement. Confidentiality and non-disclosure agreements should comply with all applicable laws and regulations for the jurisdiction to which they apply. Requirements for confidentiality and non-disclosure agreements should be reviewed periodically and when changes occur that influence these requirements.
Confidentiality and non-disclosure agreements protect organizational information and inform signatories of their responsibility to protect, use and disclose information in a responsible and authorized manner. There may be a need for an organization to use different forms of confidentiality or non-disclosure agreements in different circumstances.
The information transfer aspect includes the following controls:
- Information transfer can happen using different communication channels (for example, e-mail, instant messaging tools, telephones, faxes, etc). For that purpose, companies should deﬁne the acceptable use of all these communication tools, what kind of information should be transferred, and how these communication channels will be protected. These policies and procedures should be communicated to the relevant personnel.
- Agreements on information transfer – in some cases, when your company transfers sensitive information to third parties, formal agreements should be signed. These agreements can include elements such as rules for labeling the information, usage of cryptography, deﬁning access controls, defining responsibilities for managing security incidents, etc.
- Electronic messaging – meaning protection of the information involved in electronic messaging, by deﬁning which public services are allowed to be used (for example, social networks, ﬁle sharing, etc.), using electronic signatures, etc.
- Conﬁdentiality and non-disclosure agreements – one way of protecting sensitive company data is by using legal means through conﬁdentiality statements and non- disclosure agreements. These should be signed by both employees and external parties.
This section is signiﬁcant because it covers the controls for communicating information inside and outside the organization, which is an essential activity of all organizations operating in today’s information age. Communications security is also critical because the conﬁdentiality, availability, and integrity of the information might be endangered during the transit.
Information transfer policies and procedures
Clear policies and procedures that govern the transfer of information between individuals both within and outside your organization should be established. Be sure to consider all possible methods of communication, including face-to-face, e-mail, voice, fax, and video, when drafting your policies. General policies about information transfer should include guidelines for acceptable use, and more specific procedures can be established to ensure secure transfer using approved methods. Make sure your users are aware of the limitations of each system (e.g., transferring information via fax machine is only a secure option if physical access to the machine on the other end is restricted). In addition to establishing policies, technical controls should be implemented, when feasible, to protect the confidentiality, integrity, and availability of the information being transferred. Most anti-virus and anti-malware solutions have tools that can scan e-mails in real-time, and encrypting important e-mails can be done for free (using PGP, for instance) or implemented enterprise-wide. These controls can provide the first line of defense against infection and/or compromise. It is still important, however, to discuss information transfer as a part of your organization’s information security awareness program. Educating your users about not communicating confidential information over insecure channels, state and organizational retention guidelines, and the dangers of e-mail auto-forwarding, among other topics, can go a long way toward ensuring that your systems and data remain secure. Formal transfer policies, procedures, and controls must be in place to protect the transfer of information through the use of all types of communication facilities. Whatever type of communication facility is in use, it is important to understand the security risks involved in relation to the confidentiality, integrity, and availability of the information and this will need to take into account the type, nature, amount and sensitivity or classification of the information being transferred. It is especially important to implement such policies and procedures when information is being transferred out of or into the organization from third parties. Different but complementary controls may be required to protect information being transferred from interception, copying, modification, misrouting and destruction and should be considered holistically when identifying which controls are to be selected.
Agreements on information transfer
Information may be transferred digitally or physically and agreements must address the secure transfer of business information between the organization and any external parties. Formal transfer policies procedures and technical controls should be selected, implemented, operated, monitored, audited and reviewed to ensure ongoing effective security protection. Often, communications and transfer systems and procedures are put in place, without a real understanding of the risks involved which therefore creates vulnerabilities and possible compromise. ISO 27002 touches on implementation considerations including consideration of notifications, traceability, escrow, identification standards, the chain of custody, cryptography, access control, and others. If your organization has a business need to transfer information to a third party, then you should (and, in some cases, are legally required) to enter into an official agreement with them in order to preserve the security of that information. These agreements generally set minimum standards for protecting your data, and may also establish the limits of liability for both parties in the event of a breach or other unauthorized disclosure of data. If the data being transferred is considered HIPAA-protected then the two parties must enter into a Business Associate Agreement (BAA). BAA’s are required to include clauses covering data security data disclosure, and data destruction, among others. Similarly, if the data is considered highly sensitive (e.g., social security numbers, bank account numbers), then your organization may require additional data security provisions, similar to those found in a BAA, for such a contract. Information transfer agreements may also include the following: agreed-upon cryptographic standards for encrypting data in transit and at rest, and chain of custody for physical transfer. For example, any agreement between your organization and a company that provides off-site backup storage for your critical systems and data should include clauses that cover minimum standards for protection of your data in transit from one location to the other (e.g., are the tapes secured in a locked box? Who has the key?), and procedures for identifying and authorizing individuals from one organization or the other (since neither company can reasonably be expected to know all the other’s employees).
Electronic messaging includes e-mail, peer-to-peer file transfer, social network-based communications (e.g., Twitter, Facebook chats, LinkedIn, Skype, etc.) and more. Your organization should consider introducing a policy that governs the authorized use of these mediums; at a minimum, such a policy should establish the authority to represent your organization in an official capacity on the Internet. Also, because your organization is unable to apply technical controls to third-party electronic messaging mediums – Twitter, Facebook, et. al. – there is no way for you to quantify or improve their level of security in order to effectively secure a confidential message traveling across one of these mediums. The solution to this problem is to clearly state in your policy that organization-related business is only to be communicated and/or conducted using approved, secured methods (e.g., e-mail). Any information that is involved in any form of electronic messaging needs to be appropriately protected. Put in simple terms, when using electronic messaging, it should be protected to ensure no unauthorized access can be gained The organization should create a policy which sets out which forms of electronic messaging should be used for the different types of information being transferred, e.g. depending on how secure they are. Considerations will also need to be made for voice & fax communications transfer, and physical transfer (e.g. via postal systems). This should align with access controls and other secure authentication policies and log-on procedures.
Confidentiality or non-disclosure agreements
Confidentiality or non-disclosure agreements are legally enforceable documents designed to protect your organization’s confidential information and intellectual property. These agreements, signed by the organization and its employees and/or third parties, establish the responsibilities of all parties to ensure that no one discloses sensitive data in an unauthorized manner. A good control describes how the requirements for confidentiality or non-disclosure agreements that reflect the organization’s needs for the protection of information must be identified, regularly reviewed and documented. As such the organization needs to ensure that any information that needs to be protected, is done so through the use of confidentiality and non-disclosure agreements. Agreements are usually specific to the organization and should be developed with its control needs in mind following the risk analysis work. Standard agreements for confidentiality and non-disclosure that may warrant consideration here include:
- General non-disclosure and mutual non-disclosure agreements e.g. when sharing sensitive information e.g. about new business ideas.
- Customer agreements using standard terms and conditions – expressing confidentiality within the context of the use of products sold and any complimentary services outlined in a related order form.
- Associate/supplier/partner agreements used for small suppliers and independent service providers who the organization use for delivery of services.
- Employment-related terms.
- Privacy policies e.g. from email footers.
If you need assistance or have any doubt and need to ask any question contact me at firstname.lastname@example.org. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.