Segment the organisation’s network in accordance with its risk profile. Segment (divide) the network into zones with different needs for communication, exposure, function and roles. For example, one could consider creating separate zones for system administration, application servers, organisation-operated clients, industrial production (e.g. SCADA and industrial control systems), internet access, wireless networks, guest clients and externally available services (e.g. web servers). In data centres servers can be segmented into security groups such as a data plane (data going through the network), control plane (data going to network devices) and management plane (management data going to network devices). One could also consider creating a network architecture with even more granular zone segmentation, e.g. by department or by group of devices. Please note that one can create zones in many different ways: VLAN zones, virtualised networks, micro segmentation etc. Zones should be managed centrally, not locally on each switch. Use the chosen segmentation model to manage data flow, see principle 2.5 – Control data flow.
The data processing environment is separated from public data networks and other environments with a lower security level in a sufficiently safe manner.
Separation of data systems is one of the most effective factors in protecting confidential information. The goal of separation is to delimit the processing environment of confidential information into a manageable entity, and in particular to be able to limit the processing of confidential information to sufficiently secure environments only. Separation of environments can be implemented, for example, with the help of a firewall solution.
Network segregation is used to divide networks into smaller parts (called subnetworks or segments). The main purpose is to achieve least privilege principles by limiting the access e.g. a user or any particular device can have.
When offering cloud services, the organisation should implement network access segregation to:
Organisation should be able to help the customer to verify the segregation implementation.
In environments that include virtual and physical layers, inconsistency of network policies can cause e.g. system outages or defective access control.
The organisation must ensure that the configuration of virtual networks is aligned with the policies for configuring physical networks. Network configuration should match the policy no matter what means are used to create the configuration.
Tietoliikenneverkon vyöhykkeistäminen ja suodatussäännöstöt on toteutettava monitasoisen suojaamisen periaatteen mukaisesti.
Tietoliikenneverkon jakaminen ko. turvallisuusluokan sisällä erillisille verkkoalueille (vyöhykkeet ja segmentit) voi tarkoittaa esimerkiksi tietojen suojaamisen näkökulmasta tarkoituksenmukaista työasema- ja palvelinerottelua, kattaen myös mahdolliset hankekohtaiset erottelutarpeet.
Vaatimus voidaan täyttää alla mainituilla toimenpiteillä:
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.
.png)
Elevate Your Knowledge with Exclusive Access to Weekly Webinars, Video Courses, Help Articles, and Blogs.
