Network Security Controls
Purpose
Bramble architects a defense-in-depth methodology that enforces the concept of “least functionality” through restricting network access to systems, applications and services and ensures sufficient security and privacy controls are executed to protect the confidentiality, integrity, availability and safety of the organization’s network infrastructure, as well as to provide situational awareness of activity on Bramble’s networks.
Scope
This control applies to production Brmbl.io environments. For each, lesser environments in which development and testing occur must be logically segregated from the production environments.
Ownership
This control is owned by Infrastructure
Controls
| Control Number | Control Title | Control Statement | Goal | TOD | TOE |
|---|---|---|---|---|---|
| NET-01 | Network Security Management | Bramble Group Corp. has implemented mechanisms to develop, govern & update procedures to facilitate the implementation of network security controls. | Does the organization develop, govern & update procedures to facilitate the implementation of network security controls? | 1. Identify policies, procedures, or other relevant documentation that govern network security controls. | 2. Interview key organizational personnel within Bramble to discuss high level workflows that support the implementation of network security controls. 3. Examine policies and procedures for: Purpose; Scope; Roles and responsibilities; Management commitment; Coordination among organizational entities; Compliance; and Implementation requirements. |
| NET-02 | Layered Network Defenses | Bramble Group Corp. has implemented mechanisms for security functions as a layered structure that minimizes interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. | Does the organization implement security functions as a layered structure that minimizes interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers? | 1. Examine the policies, procedures and related documents associated with the design and access between the functional layers of the network structure for logical access controls and network segregation. 2. Interview key organizational personnel within Bramble to discuss high level planning, network operations and data flows that support the logical access and network segmentation between the functional layers of the network structure. |
1. Examine a network diagram for functional layers of the network. 2. Examine automated configurations or manual processes to support logical access security in order to minimize network layer interactions. 3. Examine network segregation or segmentation for evidence that the network design is consistent with the network diagram reviewed in the ToD. |
| NET-03 | Boundary Protection | Bramble Group Corp. has implemented mechanisms to limit network access points by monitoring and controlling communications at the external network boundary and at key internal boundaries within the network. | Are boundary protection mechanisms utilized to monitor and control communications at the external network boundary and at key internal boundaries within the network? | 1. Examine the policies, procedures and related documents associated with the design and access between the functional layers of the network structure for internal and external network boundary access points and communication configurations. 2. Interview key organizational personnel within Bramble to discuss high level planning, network operations and data flows that support the internal and external boundary access points and communication configurations. |
1. Examine a network diagram for internal and external boundary access points. 2. Examine automated configurations or manual processes to support limiting, monitoring and controlling communications at both the external network boundary and key internal boundaries. |
| NET-04 | Data Flow Enforcement – Access Control Lists (ACLs) | Bramble Group Corp. has implemented mechanisms to design, implement and review firewall and router configurations to restrict connections between untrusted networks and internal systems and deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception). | Does the organization design, implement and review firewall and router configurations to restrict connections between untrusted networks and internal systems? | 1. Examine the policies, procedures and related documents associated with the design, implementation and review of firewall and router configurations. 2. Interview key organizational personnel within Bramble to discuss high level planning, network operations and data flows that support the design, implementation and review of firewall and router configurations. 3. Examine policies, procedures, related documents, manual or automated firewall and router configurations for evidence to support routers and firewall configurations are: Configured to restrict connections between untrusted networks and internal systems Deny network traffic by default Allow network traffic by exception Reviewed, approved and implemented at a specific cadence according to policy (annual, quarter etc.). |
1. Examine a network diagram that outlines firewall and router configuration. 2. Examine automated configurations or manual processes to support router and firewall configuration and processes as outlined in the ToD. 3. Examine firewall and router configuration against the reviewed and approved firewall configuration for evidence that the existing configuration matches the approved configuration. |
| NET-06 | Network Segmentation | Bramble Group Corp. has implemented mechanisms to logically or physically segment information flows to accomplish network segmentation to other components of the system and implementing security management subnets to isolate security tools. | Does the organization logically or physically segment information flows to accomplish network segmentation? | 1. Examine the policies, procedures and related documents associated with the design and information flows between segments of the network. 2. Interview key organizational personnel within Bramble to discuss high level planning, network operations and data flows that support the logical or physical information segmentation for each segmented network including a segmented (isolated) layer for security tools. |
1. Examine a network diagram for network segmentation. 2. Examine automated configurations or manual processes to support logical or physical information segmentation including the segmented or subnet layer for security tools. |
| NET-08 | Network Intrusion Detection / Prevention Systems (NIDS / NIPS) | Bramble Group Corp. has implemented mechanisms to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network. | Are Network Intrusion Detection / Prevention Systems (NIDS/NIPS) used to detect and/or prevent intrusions into the network? | 1. Examine the policies, procedures and related documents associated with Network Intrusion Detection / Prevention Systems (NIDS/NIPS) utilized to prevent, detect and act upon intrusions into the network. 2. Interview key organizational personnel within Bramble to discuss high level planning and workflows that support the mechanisms used with Network Intrusion Detection / Prevention Systems (NIDS/NIPS) utilized to prevent, detect and act upon intrusions into the network. |
1. Identify NIDS/NIPS used to prevent, detect and act upon intrusions into the network. 2. Examine policies, procedures, related documentation and automated configurations used to support NIDS/NIPS. 3. Examine the NIDS/NIPS logs during the examination period for evidence to support manual and automated configurations documented and alerted on network intrusions including but not limited to: unauthorized or malicious software installation Unauthorized changes to software and configurations. |
| NET-12 | Safeguarding Data over Open Networks | Bramble Group Corp. has implemented cryptographic mechanisms for strong cryptography and security protocols to safeguard sensitive data during transmission over open, public networks. | Do cryptographic mechanisms use strong cryptography and security protocols to safeguard sensitive data during transmission over open, public networks? | 1. Examine the policies, procedures and related documents associated with safeguarding data transmission over open, public networks and to protect internal and external wireless links from signal parameter attacks through monitoring. 2. Interview key organizational personnel within Bramble to discuss high level planning and workflows that support the safeguarding data transmission over open, public networks and to protect internal and external wireless links from signal parameter attacks through monitoring. |
1. Identify cryptographic mechanisms used to secure sensitive data during transmission over open, public networks. 2. Examine policies, procedures, related documentation and automated configurations used to support monitoring for signal parameter attacks and unauthorized wireless connections and scanning for both internal and external wireless links. 3. Examine manual and automated configurations and monitoring logs during the examination period for evidence to support cryptographic mechanisms and security protocols are enabled and monitored for unauthorized connections and use. |
| NET-13 | Electronic Messaging | Bramble Group Corp. has implemented mechanisms to protect information involved in electronic messaging communications | Does the organization protect information involved in electronic messaging communications? | 1. Examine the policies, procedures and related documents associated with protecting information involved in electronic messaging communications. 2. Interview key organizational personnel within Bramble to discuss high level planning and workflows that support the protection of information involved in electronic messaging communications including logical access security and restrictions for transmission, movement and removal of information by both internal and external users. |
1. Identify mechanisms used to protect electronic message communications. 2. Examine policies, procedures, related documentation and automated configurations used to support the protection of information involved in electronic messaging communications including logical access security and restrictions for transmission, movement and removal of information by both internal and external users. 3. Examine manual and automated configurations and monitoring logs during the examination period for evidence to support electronic message communications were protected according to documentation outlined in ToD. |
| NET-14 | Remote Access | Bramble Group Corp. has implemented mechanisms to define, control and review remote access methods. | Does the organization define, control and review remote access methods? | 1. Examine the policies, procedures and related documents associated with the definition, control and review of remote access methods including but not limited to: Logical access security measures Remote access management Network policy enforcement (as applicable). 2. Interview key organizational personnel within Bramble to discuss high level planning and workflows that support the design, control and review of remote access including. |
1. Identify mechanisms used to define, control and review remote access methods. 2. Examine policies, procedures, related documentation and automated configurations used for remote access methods including those noted in ToD. 3. Pull a population of all users (as applicable) for evidence to support remote access methods assigned to users based on logical security are being followed according to policies, procedures, configuration etc. |
- Test of Design - (TOD) – verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
- Test of Operating Effectiveness - (TOE) - used for verifying that the control is in place and it operates as it was designed.