A.13.1 Network Security Management
This area addresses issues with network security management and involves matters concerning data transfers, to ensure that conditions that preserve data confidentiality, integrity and availability are in place.
A.13.1.1 Network controls
Data stored and transferred through company networks needs protection against access, interception, corruption and other possible threats. You should understand all the business needs, risks and assets associated with networking
Permitting outsiders to access your networks will increase the number of threats to the company. Your plan should account for both internal and external access risks.
Relevant controls include but are not limited to
- Firewalls and prevention systems
- Access control lists
- Connection controls
- End point verifications
- Network segregation
A.13.1.2 Security of network services
Based on the risk assessment, you should implement security measures to safeguard the data transmitted using network service. Network service agreements must consider business requirements, security requirement and possible threats to have controls to reduce your vulnerabilities.
A.13.1.3 Segregation in networks
Different users and information networks should be segregated across the system. Having separate domains for public access, departmental use, critical systems and management use. This is a much safer method than having all services share the same operations.
A.13.2 Information Transfer
A.13.2.1 Information transfer policies and procedures
Policies are required to support the safe transfer of data between parties across your network. Your standards should support the different types and ensure that there are transfer policies and procedures in place to manage these risks. .
A.13.2.2 Agreements on information transfer
Agreements between your company and third-party representatives must clearly communicate the need to maintain the confidentiality and integrity of all data sent or received on either end.
Both physical and digital copies of information should be protected against loss or viability and align to the requirements included in the agreements based on their classification.
A.13.2.3 Electronic messaging
Any data transferred via digital messaging systems needs to be safeguarded against online threats and aligned to the policy requirements around acceptable forms of e-messaging for different types of information.
High risk or confidential financial information should never be transferred through electronic communication channels unless strong protection is applied as they are at risk of identity theft or fraud.
This protection includes end to end encryption, masking and monitoring of the transmission.
A.13.2.4 Confidentiality or non-disclosure agreements
Non-disclosure agreements are must haves for any institution serious about data protection. Be sure to explain the needs and rights of your company to preserve all forms of data confidentiality. Your contract should be drafted and approved by management and the terms regularly reviewed, amended and updated
Standard forms of nondisclosure agreements may fall under the following categories:
- general or mutual non-disclosure
- terms and conditions of customer use
- associate supplier or partner agreements
- employment contracts
- privacy policies.