3.13.1 has a weight of -5 points (System and Communications Protection Family) 1/16
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
Example of System Security Plan (SSP):
Communications Monitoring and Protection
- Policy Statement: The organization monitors, controls, and protects communications transmitted or received by its systems at external and key internal boundaries.
- Boundary Components: Communications are monitored, controlled, and protected at boundary components, including gateways, routers, firewalls, guards, network-based malicious code analysis, and virtualization systems.
- Interfaces Restriction: Organizational systems restrict or prohibit interfaces, such as external web communications traffic directed only to designated web servers within managed interfaces and blocking external traffic that appears to spoof internal addresses.
- Consideration for Commercial Telecommunications Services: Organizations acknowledge the shared nature of commercial telecommunications services and implement security measures to address potential risks associated with using such services.
- Guidance for Firewalls and Virtualization: [SP 800-41] offers guidance on firewalls and firewall policy, while [SP 800-125B] provides guidance on security for virtualization technologies.
- System Security Plan: Organizations ensure that the required information related to communications monitoring and protection is conveyed in their system security plans, without prescribed format or specified level of detail.
- Monitoring, controlling, and protecting communications at system boundaries are crucial for ensuring the integrity and security of organizational information. By employing appropriate technologies and measures, the organization safeguards its systems from potential threats and unauthorized access, promoting a secure and resilient communication environment.
Example of Plan of Action and Milestones (POA&M):
Milestone 1: Policy Statement Development
- Develop a comprehensive policy statement emphasizing the importance of monitoring, controlling, and protecting communications at external and key internal boundaries. Clearly outline the purpose of boundary components in ensuring the integrity and security of organizational information. [Target Date]
Milestone 2: Boundary Component Identification
- Identify all relevant boundary components, including gateways, routers, firewalls, guards, network-based malicious code analysis, and virtualization systems. Assess their current capabilities and determine if any upgrades or additional measures are required to meet security requirements. [Target Date]
Milestone 3: Interface Restriction Implementation
- Implement interface restrictions on organizational systems to ensure external web communications traffic is directed only to designated web servers within managed interfaces. Block external traffic that appears to spoof internal addresses to prevent unauthorized access and potential spoofing attacks. [Target Date]
Milestone 4: Commercial Telecommunications Services Assessment
- Assess the potential risks associated with using commercial telecommunications services and implement security measures to address and mitigate these risks. Develop guidelines and protocols for using such services securely. [Target Date]
Milestone 5: Guidance Familiarization
- Familiarize relevant personnel with the guidance provided in [SP 800-41] for firewalls and firewall policy and [SP 800-125B] for security in virtualization technologies. Train the personnel responsible for communications monitoring and protection on the proper implementation of these technologies. [Target Date]
Milestone 6: System Security Plan Updates
- Review and update system security plans to convey the required information related to communications monitoring and protection. Ensure that the plans align with the organization’s security requirements and provide adequate details on the implemented measures. [Target Date]
Milestone 7: Monitoring and Control Implementation
- Implement the necessary technologies and measures to enable continuous monitoring, control, and protection of communications at system boundaries. Ensure that all boundary components are functioning as intended and are effectively safeguarding communications. [Target Date]
Milestone 8: Periodic Assessments
- Conduct periodic assessments of communications monitoring and protection to validate the effectiveness of implemented measures. Use the results of these assessments to make improvements and adjustments as necessary. [Target Date]
Milestone 9: Communication and Awareness
- Communicate the importance of monitoring, controlling, and protecting communications at system boundaries to all relevant personnel. Raise awareness of potential security risks and the significance of compliance with the defined guidelines. [Target Date]
Milestone 10: Continuous Improvement
- Encourage continuous improvement by regularly reviewing and enhancing the organization’s communications monitoring and protection measures. Incorporate lessons learned, feedback from assessments, and emerging threats to enhance security practices. [Target Date]
RELEVANT INFORMATION:
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third-party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies. There is no prescribed format or specified level of detail for system security plans. However, organizations ensure that the required information in 3.12.4 is conveyed in those plans.
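The two interface restrictions named above (external web traffic only to designated web servers within the managed interface, and rejection of external traffic claiming an internal source address) can be expressed as an ingress policy and audited against flow records. The following is an added example, not text or code from NIST or from this page; the address ranges, designated servers and flow records are constructed assumptions.

```python
"""Boundary-interface check (added example, not from the page): evaluate
constructed flow records arriving on the external boundary against the
3.13.1 restrictions on web traffic and spoofed internal addresses."""
import ipaddress

# Assumed address plan (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Designated web servers in the managed interface (DMZ) and the exposed ports.
DESIGNATED_WEB = {ipaddress.ip_address("192.168.100.10"),
                  ipaddress.ip_address("192.168.100.11")}
WEB_PORTS = {80, 443}

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def evaluate_external_ingress(src, dst, dport):
    """Verdict for a packet arriving on the external boundary: (action, reason).
    The anti-spoofing check runs first so a packet with an internal source
    address is never accepted by the web rule."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_internal(src_ip):
        return "drop", "spoofed-internal-source"
    if dport in WEB_PORTS and dst_ip in DESIGNATED_WEB:
        return "accept", "designated-web-server"
    if dport in WEB_PORTS:
        return "drop", "web-to-undesignated-host"
    return "drop", "default-deny"

def audit(flows):
    """Apply the policy to flow records; return per-flow verdicts and the
    number of spoof attempts, which a boundary monitor should alert on."""
    results = [(f, *evaluate_external_ingress(*f)) for f in flows]
    spoofed = sum(1 for _, _, r in results if r == "spoofed-internal-source")
    return results, spoofed

SAMPLE_FLOWS = [  # (src, dst, dport), constructed sample records
    ("203.0.113.5", "192.168.100.10", 443),  # web request to a DMZ server
    ("203.0.113.5", "10.1.2.3", 80),         # web request to an internal host
    ("10.0.0.7", "192.168.100.10", 443),     # internal address from outside
    ("198.51.100.9", "192.168.100.11", 22),  # non-web port on the web server
]

if __name__ == "__main__":
    results, spoofed = audit(SAMPLE_FLOWS)
    for flow, verdict, reason in results:
        print(f"{flow}: {verdict} ({reason})")
    print(f"spoof attempts seen: {spoofed}")
```

Only the first sample flow is accepted; the third is the case a boundary monitor should log and alert on, since a packet with an internal source address cannot legitimately arrive on the external interface.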
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.