The company must apply security controls that protect information along the network path from the sender to the recipient, and must design the corporate information system on the basis of both functional requirements and security requirements. We develop procedures
To structure the procedure that applies control 13 of Annex A of ISO 27001, start by describing the IT network the company uses and define clearly what is to be protected and how. The list of assets belonging to the “Network and Communications” class is the starting point.
Describe the corporate computer network
The computer network of a company consists of the server (the computer that provides services to the network), the personal computers on which authorized users run the operating system and its applications, and all the devices that make the network work: they carry the connections, transmit the information packets, and route and distribute the services made available by top management. All of these are documented within the Asset Inventory, together with the security measures aimed at averting the risks related to the loss of confidentiality, integrity and availability of information.
The assets of the company belonging to the “Network and communications” class are used both in the operational processes, which handle level A (critical) information, and in the support processes, which handle level B information.
The assets and their functions are as follows:
- PROVIDER (Internet service supply apparatus)
- CLOUD (Remote server where information is duplicated and stored)
- LAN (Local network within the organization)
- E-MAIL SERVER (Computer that provides e-mail services to the organization)
- CENTRAL SERVER (Computer that provides network services to the organization)
- ROUTER (Device that interconnects the sub-networks, which are: Primary, Support and Security)
- SWITCH (Device for connecting other devices to the LAN)
- ACCESS POINT (Device for wireless access to the network)
- CLIENT (Computers inside the organization connected to the network)
- WIRING (Ethernet and optical fiber cables)
- PHONE
The security of each asset documented in the inventory indicated above must be assigned to an asset manager, who oversees and verifies the implementation of the security controls listed in Annex A of the ISO 27001:2017 standard relating to:
The computing devices
Among the computing devices, setting aside the server and cloud computing services, the company must include:
- Computer
- Smartphone
Computers must be protected by biometric authentication against the risks deriving from unauthorized access attempts. Their hard drives must be encrypted, so that an unauthorized person who obtains the drive (or the whole computer) cannot read the information it contains. Note that disk encryption protects data at rest: it does not protect a computer that is switched on and unlocked, which is why authentication and automatic screen locking remain necessary.
Furthermore, all computers must be protected against malware through the centralized installation of an anti-malware platform based on a multiscanning technique, controlled by the system administrator. No antivirus makes a computer immune; the anti-malware platform reduces the risk that malicious code compromises information and damages its integrity.
The computers used by authorized persons to carry out their work must not hold critical information that can be stolen or made unavailable. That information resides in the information system database on the server, and users reach it through the web interfaces the information system makes available to them. Thanks to the database backup, the risk of information unavailability is kept under control.
The server, with its disks, must be protected in the same way as the computers. The company must also install a firewall at the server, whose configuration defines the “permissions” that govern traffic entering and leaving the network. Note that a firewall running on the server only filters traffic to and from that server; to govern traffic for the entire network, including the Primary, Support and Security sub-networks, the filtering must also be enforced at the router that interconnects them.
The firewall chosen by the company can be a software solution that filters traffic on the basis of a set of rules, usually called policies, which the organization applies according to the default-deny criterion: only what is explicitly declared (inside the firewall configuration) is allowed, and everything else is prohibited. The system administrator configures and manages the firewall.
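The following is an added example, not code from the original page or from any firewall product, showing what the default-deny criterion means in practice. It is a small policy evaluator: rules are matched first-match-wins, and when nothing matches the policy default decides. The same three allow rules are evaluated once with a default of deny and once with the weak default of allow, over three constructed connection attempts. The addresses (Primary 10.1.0.0/24, Support 10.2.0.0/24, central server 10.1.0.10, e-mail server 10.1.0.20), the rule names and the sample connections are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action is the firewall's decision for a connection attempt.
type Action int

const (
	Deny Action = iota
	Allow
)

func (a Action) String() string {
	if a == Allow {
		return "ALLOW"
	}
	return "DENY"
}

// Rule is one explicit policy entry. DstPort 0 means "any destination port".
type Rule struct {
	Name    string
	Src     netip.Prefix
	Dst     netip.Prefix
	Proto   string
	DstPort uint16
	Action  Action
}

// Conn is the part of a connection attempt the policy looks at.
type Conn struct {
	Src     netip.Addr
	Dst     netip.Addr
	Proto   string
	DstPort uint16
}

// Policy is an ordered rule list plus the action taken when no rule matches.
type Policy struct {
	Rules   []Rule
	Default Action
}

// Evaluate returns the decision for c and the name of the rule that made it.
// First match wins; if nothing matches, Policy.Default applies.
func (p Policy) Evaluate(c Conn) (Action, string) {
	for _, r := range p.Rules {
		if r.Src.Contains(c.Src) && r.Dst.Contains(c.Dst) &&
			r.Proto == c.Proto && (r.DstPort == 0 || r.DstPort == c.DstPort) {
			return r.Action, r.Name
		}
	}
	return p.Default, "default"
}

// AllowRules lists only what the organisation has explicitly declared.
// Addressing is an assumption for this example: Primary 10.1.0.0/24 holds the
// clients and the central/e-mail servers, Support is 10.2.0.0/24.
func AllowRules() []Rule {
	primary := netip.MustParsePrefix("10.1.0.0/24")
	support := netip.MustParsePrefix("10.2.0.0/24")
	webApp := netip.MustParsePrefix("10.1.0.10/32") // central server, HTTPS front end
	mail := netip.MustParsePrefix("10.1.0.20/32")   // e-mail server
	return []Rule{
		{"primary-to-web-app", primary, webApp, "tcp", 443, Allow},
		{"primary-to-mail-submission", primary, mail, "tcp", 587, Allow},
		{"support-to-web-app", support, webApp, "tcp", 443, Allow},
	}
}

// DefaultDenyPolicy is the page's criterion: only the declared rules pass.
func DefaultDenyPolicy() Policy { return Policy{Rules: AllowRules(), Default: Deny} }

// DefaultAllowPolicy is the same rule list with the weak default, for comparison.
func DefaultAllowPolicy() Policy { return Policy{Rules: AllowRules(), Default: Allow} }

// SampleConns are constructed connection attempts, not captured traffic.
func SampleConns() []Conn {
	return []Conn{
		{netip.MustParseAddr("10.1.0.55"), netip.MustParseAddr("10.1.0.10"), "tcp", 443},  // client to web app
		{netip.MustParseAddr("10.2.0.7"), netip.MustParseAddr("10.1.0.10"), "tcp", 22},    // support host to SSH on the server
		{netip.MustParseAddr("203.0.113.9"), netip.MustParseAddr("10.1.0.20"), "tcp", 25}, // Internet host to the mail server
	}
}

func main() {
	policies := []struct {
		name string
		pol  Policy
	}{{"default-deny", DefaultDenyPolicy()}, {"default-allow", DefaultAllowPolicy()}}
	for _, p := range policies {
		fmt.Println("policy:", p.name)
		for _, c := range SampleConns() {
			act, rule := p.pol.Evaluate(c)
			fmt.Printf("  %s -> %s %s/%d  %-5s (%s)\n", c.Src, c.Dst, c.Proto, c.DstPort, act, rule)
		}
	}
}
```

Under default-deny the SSH attempt from the Support sub-network and the inbound SMTP attempt from the Internet both fall through to "default" and are dropped, even though nobody wrote a rule forbidding them; under default-allow those same two attempts succeed. That difference is the whole point of the criterion: an omission in the rule list is safe only when the default is deny.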
Network devices and cabling
The following devices must also be protected against the same risks averted for computing devices:
- Router
- Switch
- Access point
- Cabling system
The information relating to their configuration, i.e. the “configuration specifications” that the system administrator has defined so that these assets are protected, must also be protected by access control and encryption.
If a malicious person gained access to the network configuration data or to the network devices themselves, he could compromise their operation and make the information unavailable to users, or redirect and intercept the traffic that passes through them. The users affected include external ones such as customers, suppliers, consultants and people who work from outside under a teleworking arrangement.
For these physical devices, regarding the risk of theft (or simply unauthorized removal), the company can use RFID technology: each device carries a radio-frequency tag, and the signal emitted by the tag makes it possible to detect attempts to carry the device out through the doors of the company offices and the main entrance.
The devices can also be placed under video surveillance (the cameras cover the entire server room) and under the control of the night surveillance service.
Additional checks for the physical security of the network
The company may specify other controls for the physical security of network devices, and therefore for the integrity and availability of the information they carry. These controls can be documented in the Asset Inventory against the locations / physical areas that host the devices. Examples are:
- The alarmed area
- The designation of a restricted area
- The alarm and the fire-fighting system
- The alarm and the anti-flooding system
- Air conditioning
- The alternative power supply system
- The maintenance
Entrust the responsibilities of controls
The system administrator and the IT manager must ensure the secure operation of the network as a whole, according to defined service levels. Each asset manager, instead, must ensure the application of the security controls provided for the assets assigned to his / her responsibility.
Network communications through the information system
The company manages information through its information system. This system, which must be governed by the Acquisition, development and maintenance of systems procedure, allows information to be processed through web pages.
The web pages are the graphical interfaces through which the user reads, enters and modifies information: to collect customer requirements, to write a project and to produce services. Authorized users interact with the web pages to do their work.
The web pages of the company information system display the information held in the information system database. The protocol used for communication with the web pages is HTTPS. Because this protocol encrypts the connection, the information that employees, collaborators or users send cannot be read by an unauthorized third party while in transit, provided the client validates the server's certificate; HTTPS does not protect information once it is on a compromised client or server.
Communications via email and confidential chat
To ensure the authenticity and integrity of the email communications that users send and receive among themselves and with interested parties (suppliers, customers, consultants, etc.), all emails containing critical A-level information must be digitally signed. A signature alone does not make a message confidential: where confidentiality is also required, the message and its attachments must additionally be encrypted for the recipient, as the S/MIME standard allows.
The sender who communicates through the company's email, by applying the digital signature, attaches to the message a proof that it was produced by a specific person. The digital signature also allows the company to verify that the message was not changed during its journey across the network.
The digital signature, as a control that the company must apply, is able to guarantee:
- The sender’s identity, providing certainty as to who sent it (authentication)
- The impossibility for the sender to deny having sent this message (non repudiation)
- That the message is received exactly as it was sent (integrity)
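The following is an added example, not code from the original page and not an S/MIME implementation, that demonstrates the three properties listed above with an Ed25519 signature from the Go standard library. A genuine message verifies; the same message with one byte altered in transit fails (integrity); and a message signed by a second party who merely claims the sender's address fails, because the recipient checks against a key it already trusts for that sender (authentication). The sender name, message text and the in-memory key directory are assumptions made for the example; in a real deployment the trusted binding between a key and a person is provided by a certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// SignedMessage is what travels over the network in this example: the body,
// the public key the sender claims, and the signature over the body.
// Constructed format for the demonstration, not an S/MIME structure.
type SignedMessage struct {
	From      string
	Body      []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Sign signs body with the sender's private key. Only the holder of priv can
// produce a signature that verifies under the matching public key, which is
// what gives non-repudiation, as long as priv never leaves the sender's control.
func Sign(from string, body []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey) SignedMessage {
	return SignedMessage{From: from, Body: body, PublicKey: pub, Signature: ed25519.Sign(priv, body)}
}

// Verify checks the signature against a public key the recipient already
// trusts for the claimed sender (obtained out of band: a certificate, a key
// directory, an earlier exchange). It deliberately does not trust the key
// carried inside the message, since anyone can attach their own key to a forgery.
func Verify(m SignedMessage, trusted ed25519.PublicKey) bool {
	if trusted == nil || !m.PublicKey.Equal(trusted) {
		return false
	}
	return ed25519.Verify(trusted, m.Body, m.Signature)
}

// Tamper returns a copy of m with one byte of the body flipped, as an attacker
// on the path might do; the original signature is left in place.
func Tamper(m SignedMessage) SignedMessage {
	body := append([]byte(nil), m.Body...)
	body[len(body)/2] ^= 0x01
	m.Body = body
	return m
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	malloryPub, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Assumed trust store: which key the company accepts for which sender.
	directory := map[string]ed25519.PublicKey{"alice@example.com": alicePub}

	msg := Sign("alice@example.com", []byte("Level A: contract price is 120000 EUR"), alicePub, alicePriv)
	fmt.Println("signature (base64):", base64.StdEncoding.EncodeToString(msg.Signature))
	fmt.Println("genuine message verifies:  ", Verify(msg, directory[msg.From]))
	fmt.Println("tampered in transit:       ", Verify(Tamper(msg), directory[msg.From]))

	forged := Sign("alice@example.com", []byte("Level A: contract price is 12000 EUR"), malloryPub, malloryPriv)
	fmt.Println("forged with another key:   ", Verify(forged, directory[forged.From]))
}
```

Two practical consequences follow from the code. Non-repudiation holds only if the private key has never been in anyone else's hands, so where it is generated and stored (ideally a smart card or HSM the signer alone controls) is part of the control. And the recipient's check is only as strong as the directory lookup: if users accept whatever key arrives with the message, the signature proves nothing about who sent it.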
The procedure that manages security in the company information system
This procedure requires the company to determine the functional and security requirements of the company information system.
To facilitate the development of the procedure, we have prepared some examples of requirements that can be documented in the information security management system.