Content library
Network security
Remote connection management

Other tasks from the same security theme

Task name
Priority
Status
Theme
Policy
Other requirements
Configuration management and change log
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
11
requirements

Examples of other requirements this task affects

8.9: Configuration management
ISO 27001
CC7.1: Procedures for monitoring changes to configurations
SOC 2
1.2.4: Definition of responsibilities with service providers
TISAX
PR.IP-3: Configuration change control processes are in place.
CyberFundamentals
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Configuration management and change log
1. Task description

Current configurations of devices, data systems and networks are documented and a log is maintained of configuration changes.

Changes to configurations must be controlled and go through the change management procedure. Only authorized personnel are allowed to make changes to the configurations.

Configuration information may include e.g.:

  • property owner and contact point information
  • date of last configuration change
  • configuration model version
  • connections to other assets
Defining standard templates for secure configurations
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
12
requirements

Examples of other requirements this task affects

8.9: Configuration management
ISO 27001
ASSET-3: Manage IT and OT Asset Configuration
C2M2
CC7.1: Procedures for monitoring changes to configurations
SOC 2
1.2.4: Definition of responsibilities with service providers
TISAX
5.3.2: Network device requirements
TISAX
See all related requirements and other information from tasks own page.
Go to >
Defining standard templates for secure configurations
1. Task description

Organization must be able to monitor that devices, data systems and networks are maintained in accordance with the defined configurations (including security features) both during the implementation phase and throughout their entire life cycle.

For this, the organization has defined standard templates for secure configurations of devices, data systems and networks. When specifying standard templates, the following are taken into account:

  • publicly available guidelines (e.g. templates from suppliers and independent security organizations)
  • the level of protection required for different assets
  • fulfilling related information security requirements
  • feasibility and applicability of the configurations to the organization's operations

Standard templates should be checked regularly and updated when significant new threats or vulnerabilities need to be responded to or new software or hardware versions are released.

The following points should be taken into account when defining standard templates:

  • the number of root-level rights is minimized
  • unnecessary access rights are disabled
  • unnecessary functions and services are deactivated
  • access to powerful utilities and important settings is strictly controlled
  • the clocks are synchronized
  • the supplier's default passwords are changed immediately and the security-related settings are checked
  • timeout functions are used if necessary (e.g. automatic logout)
  • license requirements are met
Etäkäyttö turvallisuuden lisävaatimkset (TL III)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
2
requirements

Examples of other requirements this task affects

TEK-18.7: Etäkäyttö - TL III
Julkri
I-18: TURVALLISUUSLUOKITELTUJEN TIETOJEN VÄLITYS JA KÄSITTELY FYYSISESTI SUOJATTUJEN ALUEIDEN VÄLILLÄ - ETÄKÄYTTÖ JA ETÄHALLINTA
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Etäkäyttö turvallisuuden lisävaatimkset (TL III)
1. Task description

Kansallisten turvallisuusluokan III sähköisten tietojen etäkäyttö (käsittely) ja säilytys on mahdollista kyseisen turvallisuusluokan mukaisessa päätelaitteessa turva-alueiden ulkopuolella edellyttäen, että

  • tiedot on suojattu ko. turvallisuusluokalle riittävän turvallisella salausratkaisulla, ja että
  • päätelaitteen tietoturvallisuudesta, erityisesti ko. turvallisuusluokalle edellytettävästä luottamuksellisuudesta ja eheydestä on huolehdittu riittävin menettelyin.
Laitetunnistus etäkäytön yhteydessä (TL III)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
2
requirements

Examples of other requirements this task affects

TEK-18.6: Etäkäyttö - laitetunnistus - TL III
Julkri
I-18: TURVALLISUUSLUOKITELTUJEN TIETOJEN VÄLITYS JA KÄSITTELY FYYSISESTI SUOJATTUJEN ALUEIDEN VÄLILLÄ - ETÄKÄYTTÖ JA ETÄHALLINTA
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Laitetunnistus etäkäytön yhteydessä (TL III)
1. Task description

Turvallisuusluokkien III ja II käsittely-ympäristöissä sekä muissa kriittisissä käsittely-ympäristöissä edellytetään käytön teknistä sitomista hyväksyttyyn etäkäyttölaitteistoon (esim. laitetunnistus).

Järjestelmäkovennus turvallisuusluokitelluissa ympäristöissä (TL III)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
2
requirements

Examples of other requirements this task affects

TEK-10.3: Järjestelmäkovennus - turvallisuusluokitellut ympäristöt - TL III
Julkri
I-08: VÄHIMMÄISTOIMINTOJEN JA VÄHIMPIEN OIKEUKSIEN PERIAATE – JÄRJESTELMÄKOVENNUS
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Järjestelmäkovennus turvallisuusluokitelluissa ympäristöissä (TL III)
1. Task description

Erityisesti korkeimpien turvallisuusluokkien ympäristöissä tarpeettomien komponenttien käytönesto on usein perusteltua toteuttaa fyysisesti kyseiset komponentit (esimerkiksi langattomat verkkokortit, kamerat, mikrofonit) laitteesta irrottaen. Tilanteissa, joissa kyseistä komponenttia ei voida fyysisesti irrottaa, korvaavana suojauksena voi joissain tapauksissa hyödyntää esimerkiksi kameroiden teippaamista sekä laitteiston ohjelmallista käytöstäpoistoa sekä käyttäjäasetus-, käyttöjärjestelmä- ja laiteohjelmistotasoilla. Joissain käyttöjärjestelmissä suojausta voidaan täydentää myös poistamalla kyseisen laitteen käyttöön liittyvät ohjelmisto-osiot (kernel module).

Turvallisuusluokkien III-II käsittely-ympäristöissä vaatimus tulee huomioida kovennusohjeiden mahdollisesti sisältämät tasot sekä useiden eri kovennusohjeiden, kuten esimerkiksi valmistajakohtaiset ohjeet, CIS Benchmark ja DISA STIG, hyödyntäminen kovennusten kattavuuden varmistamisessa

Verkon rakenteellinen turvallisuus TL I -luokan ympäristöissä (TL I)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
2
requirements

Examples of other requirements this task affects

TEK-01.7: Verkon rakenteellinen turvallisuus - käsittely - TL I
Julkri
I-01: TIETOJENKÄSITTELY-YMPÄRISTÖJEN SUOJATTU YHTEENLIITTÄMINEN – VERKON RAKENTEELLINEN TURVALLISUUS
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Verkon rakenteellinen turvallisuus TL I -luokan ympäristöissä (TL I)
1. Task description

Lähtökohtaisesti turvallisuusluokan I tietojenkäsittely-ympäristöt suositellaan pidettäväksi fyysisesti eriytettyinä kaikista muista ympäristöistä. Tyypillisenä toteutustapana on fyysisellä turva-alueella, hajasäteilysuojatussa tilassa tapahtuva kaikista muista ympäristöistä fyysisesti eriytetty tietojenkäsittely tähän tarkoitukseen varatulla päätelaitteella. Toteutustapana voi olla myös vastaavasti turva-alueella hajasäteilysuojattuun tilaan fyysisesti sijoitettu ja muista ympäristöistä fyysisesti eriytetty päätelaitteista, niitä yhdistävästä paikallisesta verkosta ja tähän tarkoitukseen varatusta erillistulostimesta koostuva tietojenkäsittely-ympäristö.

Tiedonsiirto fyysisesti eriytettyihin ympäristöihin tulee toteuttaa siten, että riski turvallisuusluokan I tiedon kulkeutumiseen matalamman turvallisuusluokan ympäristöön saatetaan mahdollisimman pieneksi.

Verkon rakenteellinen turvallisuus TL II -luokan ympäristöissä (TL II)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
2
requirements

Examples of other requirements this task affects

TEK-01.6: Verkon rakenteellinen turvallisuus - käsittely - TL II
Julkri
I-01: TIETOJENKÄSITTELY-YMPÄRISTÖJEN SUOJATTU YHTEENLIITTÄMINEN – VERKON RAKENTEELLINEN TURVALLISUUS
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Verkon rakenteellinen turvallisuus TL II -luokan ympäristöissä (TL II)
1. Task description

Turvallisuusluokan II käsittely-ympäristöt ovat lähtökohtaisesti fyysisesti eristettyjä kokonaisuuksia.

Turvallisuusluokan ylittävä liikennöinti voidaan sallia vain datadiodien tai v astaavien OSI-mallin fyysisellä kerroksella toimivien yksisuuntaisten yhdyskäytäväratkaisujen kautta.

Tietojenkäsittely-ympäristöjen yhdistäminen yhdyskäytäväratkaisulla (TL III)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

TEK-01.5: Verkon rakenteellinen turvallisuus - yhdyskäytäväratkaisun käyttö - TL III
Julkri
See all related requirements and other information from tasks own page.
Go to >
Tietojenkäsittely-ympäristöjen yhdistäminen yhdyskäytäväratkaisulla (TL III)
1. Task description

Tietojenkäsittely-ympäristön kytkeminen muiden turvallisuusluokkien ympäristöihin edellyttää riittävän turvallisen yhdyskäytäväratkaisun käyttöä.

Tietojenkäsittely-ympäristöjen oletetaan lähtökohtaisesti olevan toisilleen ei-luotettuja myös tilanteissa, joissa yhdistetään eri organisaatioiden hallinnoimia tietojenkäsittely-ympäristöjä toisiinsa. Saman turvallisuusluokan käsittely-ympäristöjä voidaan liittää toisiinsa ko. turvallisuusluokalle riittävän turvallisen salausratkaisun avulla (esimerkiksi organisaation eri toimipisteiden ko. turvallisuusluokan käsittely-ympäristöjen yhteenliittäminen julkisen verkon ylitse).

Kasautumisvaikutuksen huomiointi tietojenkäsittely-ympäristön suojauksessa
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

TEK-06: Kasautumisvaikutus
Julkri
See all related requirements and other information from tasks own page.
Go to >
Kasautumisvaikutuksen huomiointi tietojenkäsittely-ympäristön suojauksessa
1. Task description

When, due to the accumulation effect, the security class of the target's central data store is interpreted as higher than the level of individual data, the security methods defined for the data store must be implemented in accordance with the requirements of the higher level.

Vähimpien oikeuksien periaate verkkojen vyöhykkeistämisessä
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
2
requirements

Examples of other requirements this task affects

TEK-02.1: Tietoliikenne-verkon vyöhykkeistäminen - vähimpien oikeuksien periaate
Julkri
I-02: VÄHIMPIEN OIKEUKSIEN PERIAATE - TIETOLIIKENNE-VERKON VYÖHYKKEISTÄMINEN JA SUODATUSSÄÄNNÖSTÖT KO. TURVALLISUUSLUOKAN SISÄLLÄ
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Vähimpien oikeuksien periaate verkkojen vyöhykkeistämisessä
1. Task description

Tietoliikenneverkon vyöhykkeistäminen ja suodatussäännöstöt on toteutettava vähimpien oikeuksien periaatteen mukaisesti ko. turvaluokan sisällä.

Turvallisuusluokkien IV-II käsittely-ympäristöissä vaatimus voidaan täyttää siten, että toteutetaan aiemmin mainittujen toimenpiteiden lisäksi:

4) Verkko-alueiden välistä liikennettä valvotaan ja rajoitetaan siten, että vain erikseen hyväksytty, toiminnalle välttämätön liikennöinti sallitaan (default-deny).

Tietojenkäsittely-ympäristöjen erottelu
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

TEK-01.3: Verkon rakenteellinen turvallisuus - käsittely-ympäristöjen erottaminen
Julkri
See all related requirements and other information from tasks own page.
Go to >
Tietojenkäsittely-ympäristöjen erottelu
1. Task description

Turvallisuusluokittelemattoman salassa pidettävän tiedon sekä myös turvallisuusluokan IV tietojenkäsittely-ympäristön yhdistäminen eri turvallisuusluokan ympäristöihin voidaan toteuttaa palomuuriratkaisuilla ja rajaamalla riskialttiiden alemman turvallisuusluokan ympäristöä käyttävien palvelujen (web-selailu, Internetin kautta reitittyvä sähköposti, ja vastaavat) liikenne kulkemaan erillisten sisältöä suodattavien välityspalvelinten kautta.

Turvallisuusluokittelemattoman salassa pidettävän sekä myös turvallisuusluokan IV käsittely-ympäristöjä on mahdollista kytkeä Internetiin ja muihin ei-luotettuihin verkkoihin, edellyttäen että kytkennän tuomia riskejä pystytään muilla suojauksilla pienentämään riittävästi. Internet-kytkentäisyyden tuomien riskien pienentäminen turvallisuusluokittelemattomalle salassa pidettävälle tiedolle sekä turvallisuusluokalle IV edellyttää erityisesti ohjelmistopäivityksistä huolehtimista, vähimpien oikeuksien periaatteen mukaisia käyttöoikeuksia, järjestelmäkovennuksia sekä kykyä poikkeamien havainnointiin ja korjaaviin toimiin.

Tyypillinen käyttötapa turvallisuusluokittelemattoman salassa pidettävän tai/ja turvallisuusluokan IV käsittely-ympäristölle on organisaation rajattu tietojenkäsittely-ympäristön osa, joka voi muodostua esimerkiksi päätelaitepalveluista, sovelluspalveluista, tietoliikennepalveluista sekä niiden suojaamiseen liittyvistä järjestelyistä.

Tietojenkäsittely-ympäristöjen erottelu palomuurilla
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

TEK-01.2: Verkon rakenteellinen turvallisuus - palomuuri
Julkri
See all related requirements and other information from tasks own page.
Go to >
Tietojenkäsittely-ympäristöjen erottelu palomuurilla
1. Task description

Tietojenkäsittely-ympäristön kytkeminen muiden turvallisuustasojen ympäristöihin edellyttää vähintään palomuuriratkaisun käyttöä.

Structural security of the network
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
6
requirements

Examples of other requirements this task affects

TEK-01: Verkon rakenteellinen turvallisuus
Julkri
ARCHITECTURE-2: Implement Network Protections as an Element of the Cybersecurity Architecture
C2M2
PR.AC-5: Network integrity (network segregation, network segmentation… ) is protected.
CyberFundamentals
2.2.3: Segment the organisation’s network in accordance with its risk profile
NSM ICT-SP
2.3.10: Reduce the risk posed by IoT devices
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Structural security of the network
1. Task description

The data processing environment is separated from public data networks and other environments with a lower security level in a sufficiently safe manner.

Separation of data systems is one of the most effective factors in protecting confidential information. The goal of separation is to delimit the processing environment of confidential information into a manageable entity, and in particular to be able to limit the processing of confidential information to sufficiently secure environments only. Separation of environments can be implemented, for example, with the help of a firewall solution.

Remote maintenance of assets
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
2
requirements

Examples of other requirements this task affects

PR.MA-2: Asset remote management and repair
NIST
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Remote maintenance of assets
1. Task description

Remote maintenance and repair of an organization's assets must be performed so that it is approved, logged, and performed in a manner that prevents unauthorized access. The person conducting the remote maintenance and repair must be required to perform multi-step authentication.

Baseline for normal network traffic
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
2
requirements

Examples of other requirements this task affects

DE.AE-1: Baseline of network operations
NIST
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Baseline for normal network traffic
1. Task description

Normal network traffic is described and the description maintained to detect anomalies. The description should be updated:

  • At intervals specified by the organization
  • When necessary according to the situations defined by the organization
  • When there are changes to the systems
Remote connection management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
9
requirements

Examples of other requirements this task affects

PR.AC-3: Remote access management
NIST
I-18: TURVALLISUUSLUOKITELTUJEN TIETOJEN VÄLITYS JA KÄSITTELY FYYSISESTI SUOJATTUJEN ALUEIDEN VÄLILLÄ - ETÄKÄYTTÖ JA ETÄHALLINTA
Katakri 2020
5.1.2: Information transfer
TISAX
PR.AC-3: Remote access is managed.
CyberFundamentals
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Remote connection management
1. Task description

The organization shall ensure that the monitoring and management of remote connections is automated, that remote connections are encrypted to ensure their integrity and reliability, and that remote connections pass only through approved and managed Network Access Control (NAC).

The organization must also make possible for the remote connections to be closed within a specified time.

Segregation of network access related to offered cloud services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
3
requirements

Examples of other requirements this task affects

PR.AC-5: Network integrity
NIST
13.1.3: Segregation in networks
ISO 27017
2.2.3: Segment the organisation’s network in accordance with its risk profile
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Segregation of network access related to offered cloud services
1. Task description

Network segregation is used to divide networks into smaller parts (called subnetworks or segments). The main purpose is to achieve least privilege principles by limiting the access e.g. a user or any particular device can have.

When offering cloud services, the organisation should implement network access segregation to:

  • Strongly separate tenants in multi-tenant environments
  • Strongly separate provider’s own internal administration environment and customers cloud computing environment

Organisation should be able to help the customer to verify the segregation implementation.

Documenting and managing the firewall administration policies
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
9
requirements

Examples of other requirements this task affects

FWL-02: Documenting and managing the firewall administration policies
Cyber Essentials
PR.AC-5: Network integrity (network segregation, network segmentation… ) is protected.
CyberFundamentals
2.4.1: Establish access control on as many network ports as possible
NSM ICT-SP
2.4.4: Activate firewall on all clients and servers
NSM ICT-SP
2.5.1: Control data flow between network zones
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Documenting and managing the firewall administration policies
1. Task description

The organisation must have the following firewall rules configured and documented:

  • Firewall will by default block inbound connections
  • Firewall rules are accepted and documented by appropriate and authorized individual; the business need must be included in the documentation
  • Permissive firewall rules must be removed or disabled quickly when no longer needed
Firewall administration policies
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
2
requirements

Examples of other requirements this task affects

FWL-01: Firewall administration policies
Cyber Essentials
DE.CM-1: The network is monitored to detect potential cybersecurity events.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Firewall administration policies
1. Task description

The organisation must change the default password, which is used to login into firewall management interface, to something not easily guessed. Alternatively, organisation can block remote access to the management interface.

The organisation must not allow remote access if it is not properly and clearly documented and needed for business operations. In this case the system must be protected with multi factor authentication or with whitelisting only the necessary IP-addresses.

Palomuurisuojaus
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

6.6.3: Tekniset vaatimukset
Omavalvontasuunnitelma
See all related requirements and other information from tasks own page.
Go to >
Palomuurisuojaus
1. Task description

Palomuuri on ohjelmisto, joka hallinnoi yhteyksiä verkkojen (sisäiten tai ulkoisten) tai verkkosovellusten välillä. Palomuuri voidaan asettaa hyväksymään, estämään tai suodattamaan yhteksiä tiettyjen kriteerien perusteella.

Organisaation käyttämät tietojärjestelmät, niiden käyttöympäristöt sekä ulkoiset liityntäpisteet on suojattu joko tilallisella palomuurilla tai sovelluspalomuurilla.

Hallintayhteyksien turvallisuus
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
3
requirements

Examples of other requirements this task affects

I04: Hallintayhteydet
Katakri
TEK-04: Hallintayhteydet
Julkri
I-04: TIETOJENKÄSITTELY-YMPÄRISTÖJEN SUOJATTU YHTEENLIITTÄMINEN – HALLINTAYHTEYDET
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Hallintayhteyksien turvallisuus
1. Task description

Hallintapääsy tapahtuu rajattujen, hallittujen ja valvottujen pisteiden kautta.

Hallintayhteyksien suojauksessa huomioidaan, miltä osin hallintayhteyden kautta pystytään vaarantamaan salassa pidettävät tiedot. Useimmat hallintayhteystavat mahdollistavat pääsyn salassa pidettävään tietoon joko suoraan (esim. tietokantaylläpito pääsee yleensä tarvittaessa tietokannan sisältöön) tai epäsuoraan (esim. verkkolaiteylläpito pystyy yleensä muuttamaan tietojärjestelmää suojaavia palomuurisääntöjä), mikä tekee näistä erityisen houkuttelevan kohteen myös pahantahtoisille toimijoille.

Kun hallintayhteys mahdollistaa suoran tai epäsuoran pääsyn salassa pidettävään tietoon, tulisi hallintayhteys ja siihen käytettävät päätelaitteet rajata lähtökohtaisesti samalle suojaustasolle kuin tietojenkäsittely-ympäristökin. Laitteilla tarkoitetaan tässä järjestelmiä, joihin pitäisi olla hallintaoikeudet vain ylläpitäjillä tai vastaavilla. Tällaisia ovat tyypillisesti esimerkiksi palomuurit, reitittimet, kytkimet, langattomat tukiasemat, palvelimet, työasemat, ILO-hallintaliittymät ja Blade-runkojen hallintaliittymät.

Management of filtering and monitoring systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
18
requirements

Examples of other requirements this task affects

I03: Suodatus- ja valvontajärjestelmien hallinnointi
Katakri
TEK-03: Suodatus- ja valvontajärjestelmien hallinnointi
Julkri
TEK-03.1: Suodatus- ja valvontajärjestelmien hallinnointi - vastuutus ja organisointi
Julkri
TEK-03.2: Suodatus- ja valvontajärjestelmien hallinnointi - dokumentointi
Julkri
TEK-03.3: Suodatus- ja valvontajärjestelmien hallinnointi - tarkastukset
Julkri
See all related requirements and other information from tasks own page.
Go to >
Management of filtering and monitoring systems
1. Task description

Examples of traffic filtering and monitoring systems are firewalls, routers, intrusion detection or prevention systems (IDS / IPS) and network devices / servers / applications with similar functionalities.

To ensure the functionality of filtering and monitoring:

  • An owner has been appointed for the systems, who takes care of the proper operation of the system throughout the life cycle of the data processing environment
  • It is the responsibility of the system owner to add, change, and delete settings for systems that filter or control traffic
  • Documentation of the network and associated filtering and control systems is maintained throughout its lifecycle as an integral part of the change and settings management process
  • The settings and desired operation of the systems are checked periodically during the operation and maintenance of the data processing environment and in the event of exceptional situations
Network segmentation and filtering practices within the classification level
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
11
requirements

Examples of other requirements this task affects

I02: Verkon vyöhykkeistäminen ja suodatussäännöstöt
Katakri
TEK-02: Tietoliikenne-verkon vyöhykkeistäminen
Julkri
ARCHITECTURE-2: Implement Network Protections as an Element of the Cybersecurity Architecture
C2M2
I-02: VÄHIMPIEN OIKEUKSIEN PERIAATE - TIETOLIIKENNE-VERKON VYÖHYKKEISTÄMINEN JA SUODATUSSÄÄNNÖSTÖT KO. TURVALLISUUSLUOKAN SISÄLLÄ
Katakri 2020
PR.AC-5: Network integrity (network segregation, network segmentation… ) is protected.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Network segmentation and filtering practices within the classification level
1. Task description

Tietoliikenneverkon vyöhykkeistäminen ja suodatussäännöstöt on toteutettava monitasoisen suojaamisen periaatteen mukaisesti.

Tietoliikenneverkon jakaminen ko. turvallisuusluokan sisällä erillisille verkkoalueille (vyöhykkeet ja segmentit) voi tarkoittaa esimerkiksi tietojen suojaamisen näkökulmasta tarkoituksenmukaista työasema- ja palvelinerottelua, kattaen myös mahdolliset hankekohtaiset erottelutarpeet.

Vaatimus voidaan täyttää alla mainituilla toimenpiteillä:

  • Tietoliikenneverkko on jaettu ko. turvallisuusluokan sisällä erillisiin verkko-alueisiin (vyöhykkeet, segmentit).
  • Verkkoalueiden välistä liikennettä rajoitetaan ja ympäristöön sisäänpäin tulevaan liikenteeseen noudatetaan default-deny sääntöä.
  • Tietojenkäsittely-ympäristössä on varauduttu yleisiin verkkohyökkäyksiin.
Verkon rakenteellinen turvallisuus (TL III-II)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
2
requirements

Examples of other requirements this task affects

I01: Verkon rakenteellinen turvallisuus
Katakri
I-01: TIETOJENKÄSITTELY-YMPÄRISTÖJEN SUOJATTU YHTEENLIITTÄMINEN – VERKON RAKENTEELLINEN TURVALLISUUS
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Verkon rakenteellinen turvallisuus (TL III-II)
1. Task description

Käsiteltäessä viranomaisen suojaustason III tai II salassapidettävää tietoa, toteutetaan tietojenkäsittely-ympäristön verkolle seuraavat toimenpiteet:

  • Tietojenkäsittely-ympäristö on erotettu muista ympäristöistä
  • Hallitun fyysisen turva-alueen ulkopuolelle menevä liikenne salataan viranomaisen ko. suojaustasolle hyväksymällä salausratkaisulla
  • Tietojenkäsittely-ympäristön kytkeminen muiden suojaustasojen ympäristöihin edellyttää viranomaisen ko. suojaustasolle hyväksymän yhdyskäytäväratkaisun käyttöä
Verkon rakenteellinen turvallisuus (TL IV)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
2
requirements

Examples of other requirements this task affects

I01: Verkon rakenteellinen turvallisuus
Katakri
I-01: TIETOJENKÄSITTELY-YMPÄRISTÖJEN SUOJATTU YHTEENLIITTÄMINEN – VERKON RAKENTEELLINEN TURVALLISUUS
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Verkon rakenteellinen turvallisuus (TL IV)
1. Task description

Käsiteltäessä viranomaisen suojaustason IV salassapidettävää tietoa, toteutetaan tietojenkäsittely-ympäristön verkolle seuraavat toimenpiteet:

  • Tietojenkäsittely-ympäristö erotetaan muista ympäristöistä
  • Kytkettäessä tietojenkäsittely-ympäristö muiden suojaustasojen ympäristöihin käytetään vähintään palomuuriratkaisua
  • Hallitun fyysisen turva-alueen ulkopuolelle menevä liikenne salataan viranomaisen ko. suojaustasolle hyväksymällä salausratkaisulla
Ensuring system hardening
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
10
requirements

Examples of other requirements this task affects

I08: Järjestelmäkovennus
Katakri
TEK-10: Järjestelmäkovennus
Julkri
TEK-10.2: Järjestelmäkovennus - kovennusten varmistaminen koko elinkaaren ajan
Julkri
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.
CyberFundamentals
2.2.1: Establish and maintain a comprehensive security architecture
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Ensuring system hardening
1. Task description

Systems here mean servers, workstations, active network devices (firewalls, routers, switches, wireless base stations, etc.) and the like. Hardening, on the other hand, means changing the system's settings in such a way that the system's vulnerability area can be reduced.

Organization has defined operating processes through which:

  • Only essential features, devices and services (in terms of usage and data processing requirements) are put into use. Redundancies are also removed at the BIOS level.
  • There is a procedure in which systems are systematically installed so that the end result is a hardened installation.
  • A hardened installation contains only such components and services, and users and processes rights that are necessary to meet operational requirements and ensure security.
  • Software such as operating systems, applications, and firmware are set to collect the necessary log information to detect abuse.
  • Starting the data system from an unknown (other than defined as primary) is blocked from the device.
  • Software (e.g. firmware, applications) is kept up-to-date.
  • Connections to the target, including management connections, are limited, hardened, user-identified and time-limited (session timeout).< /li>
Päätelaitteiden tekninen tunnistaminen ennen verkkoon pääsyä (ST III-II)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
Katakri
See all related requirements and other information from tasks own page.
Go to >
Päätelaitteiden tekninen tunnistaminen ennen verkkoon pääsyä (ST III-II)
1. Task description

Päätelaitteet tunnistetaan teknisesti (laitetunnistus, 802.1X, tai vastaava menettely) ennen pääsyn sallimista verkkoon tai palveluun, ellei verkkoon kytkeytymistä ole fyysisen turvallisuuden menetelmin rajattu suppeaksi (esim. palvelimen sijoittaminen lukittuun laitekaappiin teknisesti suojatun viranomaisen ko. suojaustasolle hyväksymän turva-alueen sisällä).

Determining the responsibility of network devices
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
6
requirements

Examples of other requirements this task affects

13.1.1: Network controls
ISO 27001
PR.AC-5: Network integrity
NIST
DE.CM-1: The network monitoring
NIST
8.20: Networks security
ISO 27001
DE.CM-1: The network is monitored to detect potential cybersecurity events.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Determining the responsibility of network devices
1. Task description

Owners have been assigned to various network devices, who are responsible for ensuring that the information processed on the networks and related services are protected from unauthorized access. Where appropriate, liability for network equipment must be separated from other related responsibilities.

Protection of wireless connections
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
13
requirements

Examples of other requirements this task affects

13.1.2: Security of network services
ISO 27001
I05: Langattomat verkot
Katakri
PR.PT-4: Communications and control networks
NIST
TEK-05: Langaton tiedonsiirto
Julkri
8.21: Security of network services
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Protection of wireless connections
1. Task description

The use of the wireless network is secured with sufficient keys and the connection traffic to the network router is encrypted. The wireless network for guest use is isolated from the company's own internal network.

Network usage log and process for detecting inappropriate network traffic
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
26
requirements

Examples of other requirements this task affects

12.4.1: Event logging
ISO 27001
13.1.1: Network controls
ISO 27001
I11: Poikkeamien havainnointikyky ja toipuminen
Katakri
PR.AC-3: Remote access management
NIST
PR.AC-5: Network integrity
NIST
See all related requirements and other information from tasks own page.
Go to >
Network usage log and process for detecting inappropriate network traffic
1. Task description

An appropriate log is generated from the use of the network to enable the detection of actions relevant to cyber security.

The normal state of network traffic (traffic volumes, protocols, and connections) is known. In order to detect anomalies, there is a procedure for detecting events that are different from the normal state of network traffic (for example, anomalous connections or their attempts).

Network areas and structurally secure network design
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
21
requirements

Examples of other requirements this task affects

13.1.3: Segregation in networks
ISO 27001
PR.AC-5: Network integrity
NIST
8.22: Segregation of networks
ISO 27001
ARCHITECTURE-2: Implement Network Protections as an Element of the Cybersecurity Architecture
C2M2
CC6.6: Logical access security measures against threats from sources outside system boundries
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Network areas and structurally secure network design
1. Task description

An owner is defined for an organization's networks. The owner is responsible for planning the structure of the network and documenting it.

Separate network areas are used in network design as needed. Domain areas can be defined by e.g.:

  • trust level (eg public, workstations, server)
  • organizational units (eg HR, financial management)
  • or by some combination (for example, a server domain that is connected to multiple organizational units)

Separation can be implemented either with physically separate networks or with logically separate networks.

Authenticated proxy servers for critical systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

PR.AC-5: Network integrity (network segregation, network segmentation… ) is protected.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Authenticated proxy servers for critical systems
1. Task description

The organization deploys authenticated proxy servers to manage and secure communication traffic between the organization’s critical systems and external networks. Review existing network architecture, identify communication channels that connect critical systems to external entities, and implement proxy servers where feasible. Secure authentication protocols should be used to secure the traffic.

Protection of critical systems from Denial-of-Service (DoS) attacks
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
2
requirements

Examples of other requirements this task affects

PR.DS-4: Adequate capacity to ensure availability is maintained.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Protection of critical systems from Denial-of-Service (DoS) attacks
1. Task description

The organization should Implement measures to secure the organization’s critical systems from Denial-of-Service (DoS) attacks, or at least limit their impact. These could include:

  • Reviewing current system vulnerabilities
  • Deploying DoS mitigation solutions such as firewalls, intrusion detection systems, and traffic filtering
  • Using cloud-based DoS protection services
  • Configuring rate limiting and monitoring traffic patterns for anomalies
  • Developing a response plan to quickly react to and mitigate the effects of DoS attacks.
Secure deployment of IoT devices
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

2.3.10: Reduce the risk posed by IoT devices
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Secure deployment of IoT devices
1. Task description

Create a plan for deploying IoT devices to include security aspects with risk assesments. This includes, for example, assessment of the cloud the device connects to.

Isolate the IoT devices in separate network zones and consider their location with regard to unauthorised physical access to the devices.

Deciding which parts of the ICT system to monitor
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

3.2.3: Decide which parts of the ICT system to monitor
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Deciding which parts of the ICT system to monitor
1. Task description

The organization must decide which parts of the ICT system it needs to monitor. These could include, for example:

  • The most critical parts of the system or the parts which contain the most confidential information
  • Operating systems on devices
  • Internal gateways where data flows through
  • Gateways between internal and external systems, e.g. to the internet
  • Security products (e.g., AVS, IDS, IPS, FW etc.) in the information systems
  • Systems for backup and restore

Ideally, organizations security-related monitoring should cover as much of the ICT system as possible. That makes it easier to identify unauthorized actions, security breaches and security threats as early as possible.

Protect critical services with their own data flow
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

2.5.6: Protect particularly critical services with their own data flow
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Protect critical services with their own data flow
1. Task description

Protect particularly critical services with their own data flow. Consider which services are particularly critical, e.g., backup services and those critical services should have their own rules for data flow.

Control the data flow of exposed services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

2.5.5: Control the data flow of especially exposed services
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Control the data flow of exposed services
1. Task description

Control the data flow of especially exposed services. Exposed services, e.g., web and email with external content for users should be subject to strict controls.

Block all direct traffic between clients
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

2.5.3: Block all direct traffic between clients
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Block all direct traffic between clients
1. Task description

Block all direct traffic between clients. Applications requiring peer-to-peer should instead use a server service. Alternatively, reduce direct traffic between clients to an absolute minimum based on what is needed for work purposes.

Ensure that maintenance of configurations, installations and operations are done securely
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

2.3.6: Ensure that maintenance of all configurations, installations and operations are done securely
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Ensure that maintenance of configurations, installations and operations are done securely
1. Task description

Ensure that maintenance of configurations, installations and operations are done securely. This includes the following:

  • Perform management operations in trusted channels
  • Consider installing trusted TLS (ideally issued internally) in as many administrator interfaces as possible and avoid exposing administrator interfaces to internet.
  • Reduce interactive log-ins directly on servers


Physically isolate the most critical subnets
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

2.2.4: Physically isolate the most critical subnets
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Physically isolate the most critical subnets
1. Task description

The most critical subnets must be physically isolated. Also, it should be considered whether to physically isolate particularly sensitive subnets.

Secure hosting of systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Secure hosting of systems
1. Task description

The organization must ensure that the hosting systems it uses are secure, maintained and comply with the required security standards. The organization should either self-host systems or use certified data centers/hosting services to ensure that security can be effectively verified and monitored.

The security requirements for used data centers and hosting services must be equivalent to those for the organization's own infrastructure. For example, server configurations must be hardened, connections must be encrypted, traffic should be monitored and the hardware used must be up to date.

Process for using a passive asset discovery tool
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Process for using a passive asset discovery tool
1. Task description

The organization employs a passive discovery tool that continuously monitors network traffic and logs real-time data on connected devices, with weekly reviews of the data to update the asset inventory, integration with the asset management system for seamless updates, and alerting mechanisms to notify of new or unauthorized devices for prompt security action.

Process for secure configuration of network infrastructure
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Process for secure configuration of network infrastructure
1. Task description

To secure network infrastructure, the organization implements a process involving:

  • documented secure configuration guidelines for network devices
  • baseline configuration templates to standardize security
  • regular reviews and updates to keep configurations current with emerging threats and changes
Procedure for implementing and managing a firewall on servers
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Procedure for implementing and managing a firewall on servers
1. Task description

To implement and manage server firewalls, the organization deploys virtual firewalls in virtualized and cloud environments with centralized management consoles for consistent security.

Organization enables operating system-based firewalls for network traffic filtering and audits rules regularly.

Configuring trusted DNS servers on enterprise assets
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Configuring trusted DNS servers on enterprise assets
1. Task description

The organization implements several measures:

  • configuring network devices to use enterprise-controlled DNS servers subject to strict security policies
  • opting for reputable external DNS providers like Google's Public DNS or Cloudflare's DNS when needed
  • leveraging security features such as DNS over HTTPS or TLS
  • establishing redundancy with primary and secondary DNS setups for uninterrupted service
Maintaining and enforcing URL filters based on network
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Maintaining and enforcing URL filters based on network
1. Task description

The organization utilizes category-based and reputation-based filtering to identify and block access to undesirable websites, leveraging both known malicious sites and content categories to enforce browsing policies.

Block lists, derived from deny lists in malware protection software, are employed to actively prevent connections to specific harmful domains.

Regular updates and management of filtering and monitoring systems are conducted to ensure that URL filters remain current.

Blocking unnecessary types of files
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Blocking unnecessary types of files
1. Task description

Email and download scanning protocols are configured to employ malware detection software, scanning all email attachments and downloads for threats while also blocking specific file types deemed unnecessary or risky.

Filtering and monitoring systems, such as firewalls and intrusion detection systems, are utilized to filter specific file types at the email gateway, preventing their transmission.

Measures aimed at blocking the download of confidential information on external networks can be adapted to stop certain file types from being received via email.

Establishing and maintaining diagram(s) of architecture
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Establishing and maintaining diagram(s) of architecture
1. Task description

To establish and maintain architecture diagrams and network system documentation, the organization undertakes tasks such as maintaining a comprehensive listing of data systems.

The organization assigns owners who are responsible for completing associated documentation and security measures, ensuring it is regularly reviewed and updated.

Documentation of interfaces and connections between data systems is meticulously maintained and reviewed to integrate any changes.

Centralizing network authentication, authorization, and auditing (AAA)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Centralizing network authentication, authorization, and auditing (AAA)
1. Task description

To centralize network Authentication, Authorization, and Accounting (AAA), the organization implements centralized authentication accounts using platforms like Google or Microsoft 365 to streamline access management and enhance security.

A centralized record of user access rights for data systems and services is maintained to facilitate efficient management and auditing processes.

The organization defines procedures for managing identification and access methods throughout their lifecycle, ensuring consistent, secure handling of authentication credentials to support centralized AAA management.

Using of secure communication protocols and network management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Using of secure communication protocols and network management
1. Task description

The organization protects wireless connections by securing the network with strong encryption keys and using protocols like WPA2 Enterprise to ensure encrypted traffic to network routers.

For secure access control, technical identification of end devices using 802.1X is required before network access, preventing unauthorized connections unless physically restricted.

Standard templates for secure configurations are defined, maintaining security features such as access controls throughout the device and network lifecycle, thereby supporting the implementation of secure protocols like 802.1X and WPA2 Enterprise.

Deploying a network intrusion detection solution
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
2
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Deploying a network intrusion detection solution
1. Task description

The organization enhances network security by evaluating and selecting a suitable Network Intrusion Detection System (NIDS) or equivalent cloud solutions, strategically placing sensors, configuring monitoring and alerting systems, and ensuring regular updates and maintenance. For cloud environments, the organization leverages CSP-provided security services with NIDS functionality.

Performing traffic filtering between network segments
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Performing traffic filtering between network segments
1. Task description

The organization strengthens network security by deploying firewalls between segments, configuring access control lists (ACLs) to regulate traffic, and adopting segmentation best practices to isolate sensitive systems. Intrusion prevention systems (IPS) are used to block malicious traffic in real time.

Deploying port-level access control
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Deploying port-level access control
1. Task description

The organization enhances network security by implementing 802.1X network access control to authenticate devices via a RADIUS server, using certificates for robust authentication and integrating with user directories for consistent access policies. It provides network segmentation for guests and IoT devices, monitors access attempts to detect unauthorized access.

Performing application layer filtering
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Performing application layer filtering
1. Task description

The organization enhances network security by implementing 802.1X network access control to authenticate devices via a RADIUS server, using certificates for robust authentication and integrating with user directories for consistent access policies. It provides network segmentation for guests and IoT devices, and ensures NAC policies and software are regularly updated.

Monitoring configurations
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
10
requirements

Examples of other requirements this task affects

8.9: Configuration management
ISO 27001
1.2.4: Definition of responsibilities with service providers
TISAX
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed.
CyberFundamentals
2.3.4: Establish and maintain standard security configurations
NSM ICT-SP
2.3.5: Verify that activated security configurations comply with the organisation’s approved security configurations
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Monitoring configurations
1. Task description

Configurations should be monitored with comprehensive system management tools (e.g. maintenance utilities, remote support, enterprise management tools, backup and recovery software) and reviewed regularly to assess settings, password strengths, and operations performed. Actual configurations can be compared to defined target models. Any discrepancies must be dealt with either automatically or by manual processing.

Any unauthorized changes must be corrected and cause investigated and reported.

Järjestelmien koventaminen käytössä olevien palveluiden minimoinnilla
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
2
requirements

Examples of other requirements this task affects

TEK-10.1: Järjestelmäkovennus - käytössä olevien palveluiden minimointi
Julkri
I-08: VÄHIMMÄISTOIMINTOJEN JA VÄHIMPIEN OIKEUKSIEN PERIAATE – JÄRJESTELMÄKOVENNUS
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Järjestelmien koventaminen käytössä olevien palveluiden minimoinnilla
1. Task description

Järjestelmissä otetaan käyttöön vain toimintavaatimusten täyttämiseksi ja turvallisuuden varmistamiseksi välttämättömät komponentit, palvelut sekä käyttäjien ja prosessien oikeudet.

Detailed procedures for the management, control and segmentation of networks
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
3
requirements

Examples of other requirements this task affects

5.2.7: Network management
TISAX
See all related requirements and other information from tasks own page.
Go to >
Detailed procedures for the management, control and segmentation of networks
1. Task description

The organisation should develop and document clear procedures for the management and control of networks, ensuring consistency across all network operations.

Organisation should consider the following aspects during network segmentation:

  • Establish limitations for connecting IT systems to the network based on risk assessments
  • Implement security technologies that meet the specific security requirements of the organization
  • Ensure performance, trust, availability, security, and safety are prioritized in all network management decisions
  • Define strategies for limiting the impact in case of compromised IT systems, focusing on rapid containment
  • Integrate mechanisms for the detection of potential attacks and the lateral movement of attackers across network segments
  • Enforce separation of networks with different operational purposes (e.g., test/development, office, manufacturing) to prevent cross-network risks
  • Address the increased risk due to network services accessible via the internet, especially for external-facing services
  • Use technology-specific separation options when engaging with external IT services to mitigate risks
  • Ensure adequate separation between own networks and customer networks, aligning with customer requirements.
  • Establish measures for the detection and prevention of data loss or leakage, ensuring the protection of sensitive information
Redundancy solutions for networks
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
2
requirements

Examples of other requirements this task affects

5.3.2: Network device requirements
TISAX
See all related requirements and other information from tasks own page.
Go to >
Redundancy solutions for networks
1. Task description

The organisation should ensure its networds has sufficient redundancy. The following aspects should be considered:

  • Multiple Internet Service Providers (ISP)
  • Redundant network links
  • Redundant network devices (multiple switchers, routers and other devices and use of network load balancers)
  • Power redundancy (UPS)
Isolate vulnerable and low-trust equipment
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Technical cyber security
Network security
1
requirements

Examples of other requirements this task affects

2.5.4: Isolate vulnerable and low-trust equipment
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Isolate vulnerable and low-trust equipment
1. Task description

Isolate vulnerable and low-trust equipment, e.g., outdated applications, old servers with unsupported OS and printers with poor security configuration and a lack of security updates.

Universal cyber compliance language model: Comply with confidence and least effort

In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

Security frameworks tend to share the common core. All frameworks cover basic topics like risk management, backup, malware, personnel awareness or access management in their respective sections.
Cyberday’s universal cyber security language technology creates you a single security plan and ensures you implement the common parts of frameworks just once. You focus on implementing your plan, we automate the compliance part - for current and upcoming frameworks.
Start your free trial
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.