Network management

The organization shall list all relevant protected assets to determine ownership and to ensure that security measures cover all necessary items.

A large portion of the protected assets (including data sets, data systems, personnel / units, and partners) are treated through other tasks. In addition, the organization must list other important assets, which may be, depending on the nature of its operations, e.g. hardware (servers, network equipment, workstations, printers) or infrastructure (real estate, power generation, air conditioning). In addition the organization should make sure that relevant external devices are documented.

Examples of traffic filtering and monitoring systems are firewalls, routers, intrusion detection or prevention systems (IDS / IPS) and network devices / servers / applications with similar functionalities.

To ensure the functionality of filtering and monitoring:

• An owner has been appointed for the systems, who takes care of the proper operation of the system throughout the life cycle of the data processing environment
• It is the responsibility of the system owner to add, change, and delete settings for systems that filter or control traffic
• Documentation of the network and associated filtering and control systems is maintained throughout its lifecycle as an integral part of the change and settings management process
• The settings and desired operation of the systems are checked periodically during the operation and maintenance of the data processing environment and in the event of exceptional situations

An owner is defined for an organization's networks. The owner is responsible for planning the structure of the network and documenting it.

Separate network areas are used in network design as needed. Domain areas can be defined by e.g.:

• trust level (eg public, workstations, server)
• organizational units (eg HR, financial management)
• or by some combination (for example, a server domain that is connected to multiple organizational units)

Separation can be implemented either with physically separate networks or with logically separate networks.

The organisation should develop and document clear procedures for the management and control of networks, ensuring consistency across all network operations.

Organisation should consider the following aspects during network segmentation:

• Establish limitations for connecting IT systems to the network based on risk assessments
• Implement security technologies that meet the specific security requirements of the organization
• Ensure performance, trust, availability, security, and safety are prioritized in all network management decisions
• Define strategies for limiting the impact in case of compromised IT systems, focusing on rapid containment
• Integrate mechanisms for the detection of potential attacks and the lateral movement of attackers across network segments
• Enforce separation of networks with different operational purposes (e.g., test/development, office, manufacturing) to prevent cross-network risks
• Address the increased risk due to network services accessible via the internet, especially for external-facing services
• Use technology-specific separation options when engaging with external IT services to mitigate risks
• Ensure adequate separation between own networks and customer networks, aligning with customer requirements.
• Establish measures for the detection and prevention of data loss or leakage, ensuring the protection of sensitive information