3.3.6 Network Architecture and Monitoring
| No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 |
Effective from 2021-11-04 - Nov 03 2021
To view other versions open the versions tab on the right
Principle
IT event management and network architecture controls should be designed and implemented to continuously monitor IT operations in order to protect member organizations network from unauthorized access.
Control Requirements
| 1. | Member Organizations should define, approve and implement network architecture policy considering the following: | |
| a. | organization's stance with respect to acceptable network usage; | |
| b. | explicit rules for the secure use of specific network resources, services and applications; | |
| c. | consequences of failure to comply with security rules; | |
| d. | organization's attitude towards network abuse; and | |
| e. | rationale(s) for the policy, and for any specific security rules. | |
| 2. | Member Organizations should ensure the implementation of following network architecture controls, but not limited to: | |
| a. | network diagram showing the complete current infrastructure; | |
| b. | segmentation of network into multiple separate network domains based on the required trust levels (6.8. public domain, desktop domain, server domain) and in line with relevant architectural principles; | |
| c. | perimeter of each network domain should be well protected by a security gateway (e.g. firewall, filtering router). For each security gateway a separate service access (security) rules should be developed and implemented to ensure that only the authorized traffic is allowed to pass; | |
| d. | all internal traffic (head office users, branch users, third party users, etc.) passing to DMZ or internal servers should pass via 2 security gateway (firewall); | |
| e. | all outbound internet access from internal networks are routed via proxy server such that access is allowed only to approved authenticated users; | |
| f. | visitor network (wired/wireless network) should be isolated and segregated from the internal network; | |
| g. | the perimeter firewall to the DMZ should raise an alert and block active scanning; | |
| h. | web application firewall (WAF) should be implemented against customer facing applications; | |
| i. | ensure non-existence of single node of failure that affects the critical service availability; | |
| j. | centralized authentication server (AAA, TACACS or RADIUS, etc.) should be deployed for managing authentication and authorization of network devices; | |
| k. | centralized log server (e.g. syslog server) should be deployed to collect and store logs from all network devices; | |
| l. | retention period for logs should be 12 months minimum; | |
| m. | all network devices should synchronize their clock timings from a centralized NTP server; | |
| n. | all network communication over extranet (WLAN) and internet should be through an encrypted channel; | |
| o. | remote access should be restricted only to certain group of IP addresses; | |
| p. | remote administration should be over an encrypted channel (like SSL VPN, SSH); | |
| q. | remote administration access for vendors should be time-bound and granted on a need basis with approval; | |
| r. | scan for Member Organization's devices before accessing the network to ensure enforcement of security policies on devices before they access organization's network; and | |
| s. | segregation of duties within the infrastructure component (supported with a documented authorization profile matrix). | |
| 3. | Member Organizations should ensure that network monitoring is performed considering the following, but not limited to: | |
| a. | administrative trails including login and activity trails (like configuration change, rule change, etc.); | |
| b. | resource utilization (processor and memory); and | |
| c. | network connectivity to all branches and ATMs. | |