3.13.5 has a weight of -5 points
(System and Communication Protection Family) 5/16
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Example of Sysytem Security Plan (SSP):
Implementing Subnetworks for Publicly Accessible System Components
- Policy Statement: The organization establishes subnetworks (DMZs) for publicly accessible system components, physically or logically separated from internal networks, to enhance network security.
- Subnetworks (DMZs): These are separate networks that act as a buffer between internal networks and the public internet, providing an additional layer of security.
- Purpose: DMZs allow organizations to host publicly accessible services (e.g., web servers) while reducing the risk of direct access to internal systems.
- Techniques: Implement DMZs using boundary control devices such as routers, gateways, firewalls, virtualization, or cloud-based technologies.
- Guidance: [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] offers guidance on security for virtualization technologies.
- Benefits: DMZs enhance the security posture by limiting direct exposure of internal systems to potential external threats.
- Implementation: Organizations should configure DMZs according to best practices, and ensure proper access controls and monitoring are in place.
- Scope: This policy applies to publicly accessible system components and services hosted by the organization.
- Considerations: Proper design and maintenance of DMZs are critical to maintaining a secure network architecture.
- Continuous Monitoring: Regularly assess and monitor DMZs to ensure they are effectively mitigating potential threats and vulnerabilities.
- Compliance: Compliance with this policy reduces the risk of unauthorized access to internal networks and sensitive data.
Example of Plan of Action and Milestones ( POA & M):
Milestone 1: Policy Development and Communication
Develop a comprehensive policy statement that emphasizes the establishment of subnetworks (DMZs) for publicly accessible system components. Clearly outline the purpose and benefits of DMZs in enhancing network security. Communicate the policy to all relevant personnel and stakeholders. [Target Date]
Milestone 2: Identification of Publicly Accessible System Components
Identify all publicly accessible system components within the organization that require hosting services accessible from the public internet. Determine the specific requirements and characteristics of these components to inform the design of DMZs. [Target Date]
Milestone 3: Design and Configuration of DMZs
Design and configure DMZs using appropriate boundary control devices such as routers, gateways, firewalls, virtualization, or cloud-based technologies. Ensure that DMZs are physically or logically separated from internal networks to provide an additional layer of security. Refer to [SP 800-41] and [SP 800-125B] for guidance on firewalls and virtualization technologies. [Target Date]
Milestone 4: Access Controls and Monitoring
Implement proper access controls within DMZs to limit direct exposure of internal systems. Ensure that only authorized services and traffic are allowed within the DMZ. Implement monitoring mechanisms to regularly assess the effectiveness of DMZs in mitigating potential threats and vulnerabilities. [Target Date]
Milestone 5: Testing and Validation
Conduct thorough testing and validation of the implemented DMZs to verify their effectiveness in enhancing network security. Perform vulnerability assessments and penetration testing to identify any weaknesses and address them promptly. [Target Date]
Milestone 6: Compliance and Reporting
Ensure compliance with the policy statement and the established DMZ configurations. Regularly monitor and assess the compliance of DMZs with best practices and industry standards. Provide periodic reports on the security posture and the successful implementation of DMZs to relevant stakeholders and management. [Target Date]
Milestone 7: Training and Awareness
Conduct training and awareness programs for all personnel involved in managing and maintaining DMZs. Educate employees about the importance of DMZs in limiting the exposure of internal systems to potential external threats. [Target Date]
Milestone 8: Continuous Improvement
Foster a culture of continuous improvement by soliciting feedback from personnel, conducting regular assessments, and staying informed about emerging best practices and technologies. Regularly review and update the policy and DMZ configurations to adapt to evolving security threats and requirements. [Target Date]
RELEVANT INFORMATION:
Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.