
Requirement:

The cybersecurity requirements for network security management must include at least the following:

Sub-Controls:

2-5-3-1:
Requirement:
Logical or physical segregation and segmentation of network segments using firewalls and defense-in-depth principles.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC control within the organization's network security management requirements, and have them approved by the authorized representative
  • Define network zones based on trust level (e.g., the internet zone is "low" trust; an internet-isolated zone hosting databases is "high" trust)
  • Define the procedures needed to ensure the physical or logical isolation and segregation of network segments (for example, but not limited to, procedures for using internal virtual networks (VLANs) to isolate network segments)
  • Deploy appropriate, up-to-date technologies for the secure physical or logical isolation and segregation of network segments, including but not limited to:
    • Firewall isolation
    • Isolation of systems accessed from outside the organization in a neutral zone (DMZ)
    • Isolation of network segments via VLANs
    • Implementation of the principle of multi-layered defense (defense in depth), combining technical controls and administrative controls for protection
Expected Deliverables:
  • Cybersecurity policy that covers the requirements of network security management in the organization (e.g., electronic copy or official hard copy)
  • Formal approval by the head of the organization or his/her deputy on the policy (e.g., via the organization's official e-mail, paper or electronic signature)
  • Samples showing the implementation of the requirements for the secure physical or logical isolation and segregation of network segments, including but not limited to:
    • Evidence that the isolation and segregation requirements and the defense-in-depth strategy have been implemented (e.g., a screenshot showing the subscription to and use of up-to-date technologies that enforce the physical or logical isolation and segregation of network segments)
    • Evidence that appropriate technologies for isolation, segregation and defense in depth are in place (e.g., a screenshot of the segregation configuration, together with a review of the network diagram)
2-5-3-2:
Requirement:
Network segregation between production, test and development environments.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC control within the organization's network security management requirements, and have them approved by the authorized representative
  • Network domains must be logically separated so that the production environment's network addresses are distinct from those of the development and testing environments (e.g., using VLANs)
  • The network must be configured so that production networks are isolated from development and testing networks by firewall systems
  • The network segregation must be documented, with a network diagram illustrating the isolation of production networks from development and testing networks
Expected Deliverables:
  • Cybersecurity policy that covers all the requirements of network security management in the organization (e.g., electronic copy or official hard copy)
  • Formal approval by the head of the organization or his/her deputy on such requirements (e.g., via the organization's official e-mail, paper or electronic signature)
  • List of server addresses in production environment and development and testing environment
  • An up-to-date network diagram that shows the logical segregation and clarifies the isolation between the production environment network and the development and testing networks
2-5-3-3:
Requirement:
Secure browsing and Internet connectivity, including restrictions on the use of file storage/sharing and remote access websites, and protection against suspicious websites.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC control within the organization's network security management requirements, and have them approved by the authorized representative
  • Define the procedures needed to ensure secure browsing and internet connectivity at the organization, including but not limited to:
    • Procedures for blocking suspicious websites, file sharing and storage sites, and remote access sites
    • Configuration of firewall systems so that internet traffic passes through a proxy that inspects and filters data transmitted to and from the organization
Expected Deliverables:
  • Cybersecurity policy that covers all the requirements of network security management in the organization (e.g., electronic copy or official hard copy)
  • Formal approval by the head of the organization or his/her deputy on such requirements (e.g., via the organization's official e-mail, paper or electronic signature)
  • Samples showing the implementation of the browsing and internet connectivity security requirements, including but not limited to:
    • Evidence that the requirements have been implemented (e.g., a screenshot showing the use of up-to-date technologies for secure browsing and internet connectivity)
    • Evidence that appropriate technologies are configured (e.g., a screenshot showing that network settings and firewall systems are configured to secure browsing and internet connectivity, and evidence that suspicious websites, file sharing and storage sites, and remote access sites are blocked)
2-5-3-4:
Requirement:
Wireless network protection using strong authentication and encryption techniques. A comprehensive risk assessment and management exercise must be conducted to assess and manage the cyber risks prior to connecting any wireless networks to the organization's internal network.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC control within the organization's network security management requirements, and have them approved by the authorized representative
  • Implement the organization's wireless network security requirements, which may include the following:
    • Appropriate, up-to-date technologies for wireless network security and protection
    • Authentication of the user, binding the wireless connection to the user's identity, before granting access to the wireless network
    • Separation of the internal wired network (LAN) from the wireless network by isolating the two from each other, and isolation of the guest wireless network from the organization's wireless network
  • Encrypt wireless communications by configuring wireless network devices to use the strongest supported cryptographic standard, in line with the relevant laws and regulations
  • Where wireless networks need to be connected to the organization's internal network, conduct a thorough study of the resulting risks and treat them in a way that protects the organization's technical assets. Evidence of the risk analysis must exist, including but not limited to a thorough report that identifies and classifies the risks, records observations, and sets out a remediation plan (e.g., produced with a dedicated automation tool or an Excel sheet)
Expected Deliverables:
  • Wireless security standard approved by the organization (e.g., electronic copy or official hard copy)
  • Samples showing the implementation of the wireless network security and protection requirements, including but not limited to:
    • Evidence that the requirements have been implemented (e.g., a screenshot showing the subscription to and use of up-to-date wireless security technologies, including but not limited to encryption of wireless connections, and the configuration of network devices and firewall systems to authenticate the user before granting access to the organization's wireless network)
    • Sample of the risk study conducted before connecting wireless networks to the organization's internal network, where such a link is needed, showing how the risks are treated to protect the organization's technical assets: a thorough report that identifies and classifies the risks, records observations, and sets out a remediation plan (e.g., produced with a dedicated automation tool or an Excel sheet)
    • Sample showing the separation of the internal wired network (LAN) from the wireless network, and the isolation of the guest wireless network from the organization's wireless network
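The "strong authentication and encryption" requirement above can be checked mechanically against an access point's configuration. The following is an added example written for this page, not ECC text or the page's own material: a small Python linter for hostapd-style key=value configuration that flags an open or WPA1 network, the TKIP cipher, WEP keys, shared-secret-only authentication (no EAP, so no individual user is identified) and management frame protection that is not required, and that accepts a WPA2-Enterprise configuration. Both configurations are constructed for illustration; the RADIUS server address and the shared-secret placeholder are invented.

```python
"""Lint an access-point configuration (hostapd key=value style) against the
wireless requirements: strong encryption and user-based authentication.

Both configurations below are constructed examples, not real deployments.
"""

WEAK_CONFIG = """\
interface=wlan0
ssid=corp-legacy
hw_mode=g
channel=6
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=changeme123
"""

HARDENED_CONFIG = """\
interface=wlan0
ssid=corp
hw_mode=a
channel=36
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
ieee80211w=2
auth_server_addr=10.10.7.5
auth_server_port=1812
auth_server_shared_secret=REPLACE_ME
"""


def parse_config(text):
    """Parse key=value lines, ignoring blanks and '#' comments.
    A later duplicate key overrides an earlier one, as hostapd does."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_wireless(cfg):
    """Return (code, explanation) pairs for every weak setting found."""
    findings = []
    wpa = int(cfg.get("wpa", "0"))  # bitmask: 1 = WPA (v1), 2 = WPA2/RSN
    if any(k.startswith("wep_") for k in cfg):
        findings.append(("wep", "WEP keys configured; WEP is broken"))
    if wpa == 0:
        findings.append(("open", "no WPA/WPA2 configured: traffic is unencrypted"))
    if wpa & 1:
        findings.append(("wpa1_enabled", "WPA (v1) enabled; allow only WPA2/WPA3 (RSN)"))
    ciphers = f"{cfg.get('wpa_pairwise', '')} {cfg.get('rsn_pairwise', '')}".split()
    if "TKIP" in ciphers:
        findings.append(("tkip_cipher", "TKIP pairwise cipher enabled; use CCMP (AES)"))
    # WPA-PSK and SAE share one secret among all clients, so the network
    # cannot tie a connection to a user; only EAP (802.1X) does that.
    key_mgmt = set(cfg.get("wpa_key_mgmt", "").split())
    if wpa and not any("EAP" in k for k in key_mgmt):
        findings.append(("no_user_auth", "no EAP key management: no user is identified"))
    if wpa and cfg.get("ieee80211w", "0") != "2":
        findings.append(("pmf_not_required", "ieee80211w is not 2 (management frame protection required)"))
    return findings


def lint(text):
    """Convenience wrapper returning only the finding codes."""
    return [code for code, _ in check_wireless(parse_config(text))]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint(text) or "OK")
```

Running the block prints the four findings for the weak configuration and "OK" for the hardened one. The same parser can be pointed at an exported controller configuration; the check list is the point, not the file format.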
2-5-3-5:
Requirement:
Management and restrictions on network services, protocols and ports.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC control within the organization's network security management requirements, and have them approved by the authorized representative
  • Implement the requirements for restricting and managing network ports, protocols and services at the organization, which may include the following:
    • Appropriate, up-to-date technologies for restricting and managing network ports, protocols and services
    • Procedures for managing ports, protocols, network services and access permissions
  • Restrict unused ports and protocols in the organization, including but not limited to:
    • Restriction by firewall systems
    • Physical closure of unused ports
  • Regularly review and update the configuration of protection systems, including but not limited to:
    • Periodic review at least annually
    • Maintenance of all technical and standard controls that are reviewed and verified against the configuration of protection systems, tracked in a dedicated automation tool or an Excel sheet, and updated where necessary after obtaining the prior approval of the authorized representative
    • Approval procedures for updating firewall rules, so that no update or change is made without the approval of the authorized representative
Expected Deliverables:
  • Cybersecurity policy that covers all the requirements of network security management in the organization (e.g., electronic copy or official hard copy)
  • Formal approval by the head of the organization or his/her deputy on such requirements (e.g., via the organization's official e-mail, paper or electronic signature)
  • Samples showing the implementation of the requirements for restricting and managing network ports, protocols and services, including but not limited to:
    • Evidence that the requirements have been implemented (e.g., a screenshot showing the subscription to and use of up-to-date technologies that restrict and manage network ports, protocols and services through the firewall system)
    • Evidence of the periodic review of the protection systems' configuration and of ongoing updates, including but not limited to a review at least annually, the technical and standard controls that are reviewed and verified against the protection systems' configuration (tracked in a dedicated automation tool or an Excel sheet), and the prior approvals obtained for reviewing and updating the configuration where necessary
    • Sample of the approval form used to update firewall rules, ensuring that no update or change is made without the approval of the authorized representative, together with a sample of the firewall rule changes that were made
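The segmentation controls above (trust zones in 2-5-3-1, production/development/test isolation in 2-5-3-2, and the port, protocol and change-approval restrictions in 2-5-3-5) can be audited together from a firewall ruleset export. The block below is an added example written for this page, not ECC material or the page's own code. It applies an assumed zone model (the internet as untrusted catch-all, a DMZ as the only permitted hop from a lower-trust zone into a higher-trust one, and separate dev, test and prod ranges), an assumed approved-service list and a constructed ruleset, and reports every allow rule that bypasses the DMZ, crosses between production and dev/test, straddles several zones, opens an unapproved or unrestricted service, or lacks a recorded change ticket. Zone names, address ranges, rule IDs and ticket numbers are all invented.

```python
"""Audit a firewall ruleset against a zone/trust model (2-5-3-1), production
vs. dev/test isolation (2-5-3-2) and port, protocol and change-approval
restrictions (2-5-3-5). Zones, services and rules are constructed examples."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Zone:
    name: str
    trust: int               # higher = more trusted
    cidrs: tuple             # CIDR strings
    catch_all: bool = False  # the untrusted "everything else" zone

    def contains(self, net):
        return any(Net(c).supernet_of(net) for c in self.cidrs)

    def overlaps(self, net):
        return any(Net(c).overlaps(net) for c in self.cidrs)


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: str               # "tcp", "udp", "icmp" or "any"
    dport: str               # port number or "any"
    action: str              # "allow" or "deny"
    change_ref: str = ""     # approval ticket; empty = no recorded approval


# Assumed zone model: a lower-trust zone may reach a higher-trust one only
# through the DMZ, and production is kept apart from dev and test.
ZONES = [
    Zone("internet", 0, ("0.0.0.0/0",), catch_all=True),
    Zone("dmz", 1, ("203.0.113.0/24",)),
    Zone("dev", 1, ("10.30.0.0/16",)),
    Zone("test", 1, ("10.20.0.0/16",)),
    Zone("prod", 3, ("10.10.0.0/16",)),
]
# Assumed list of approved services as (protocol, port).
APPROVED_SERVICES = {("tcp", "443"), ("tcp", "22"), ("tcp", "5432"), ("udp", "53")}
# Constructed ruleset (rule IDs and change tickets are invented).
SAMPLE_RULES = [
    Rule("R1", "0.0.0.0/0", "203.0.113.10/32", "tcp", "443", "allow", "CHG-1041"),
    Rule("R2", "203.0.113.10/32", "10.10.5.20/32", "tcp", "5432", "allow", "CHG-1042"),
    Rule("R3", "10.30.0.0/16", "10.10.0.0/16", "tcp", "22", "allow"),
    Rule("R4", "10.10.0.0/16", "10.10.5.20/32", "any", "any", "allow", "CHG-1050"),
    Rule("R5", "10.0.0.0/8", "203.0.113.0/24", "tcp", "443", "allow", "CHG-1051"),
    Rule("R6", "0.0.0.0/0", "0.0.0.0/0", "any", "any", "deny"),
]


def zones_for(net, zones):
    """Zones a rule's address block touches: "any" (/0) is the catch-all; a
    block inside one zone maps to it; a block only partially overlapping
    zones maps to all of them (reported below as spanning)."""
    specific = [z for z in zones if not z.catch_all]
    if net.prefixlen == 0:
        return [z for z in zones if z.catch_all]
    hits = [z for z in specific if z.contains(net)] or [z for z in specific if z.overlaps(net)]
    return hits or [z for z in zones if z.catch_all]


def audit(rules, zones=ZONES, approved=APPROVED_SERVICES):
    """Return (rule_id, check, detail) tuples for every allow rule that
    breaks the segmentation, service or change-approval requirements."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # only permitted traffic can breach segmentation
        src_zones = zones_for(Net(r.src, strict=False), zones)
        dst_zones = zones_for(Net(r.dst, strict=False), zones)
        src, dst = {z.name for z in src_zones}, {z.name for z in dst_zones}
        # 2-5-3-1: lower trust may enter higher trust only via the DMZ
        if (min(z.trust for z in src_zones) < max(z.trust for z in dst_zones)
                and src != {"dmz"} and dst != {"dmz"}):
            findings.append((r.rule_id, "trust_violation", f"{sorted(src)} -> {sorted(dst)} bypasses the DMZ"))
        # 2-5-3-2: production isolated from development and test
        env = {"dev", "test"}
        if (env & src and "prod" in dst) or ("prod" in src and env & dst):
            findings.append((r.rule_id, "env_isolation", f"{sorted(src)} -> {sorted(dst)} crosses prod/non-prod"))
        # A block straddling several zones defeats the segmentation
        for label, block, names in (("source", r.src, src), ("destination", r.dst, dst)):
            if len(names) > 1:
                findings.append((r.rule_id, "zone_spanning", f"{label} {block} spans {sorted(names)}"))
        # 2-5-3-5: only approved ports/protocols, and every change approved
        if r.proto == "any" or r.dport == "any" or (r.proto, r.dport) not in approved:
            findings.append((r.rule_id, "unrestricted_service", f"{r.proto}/{r.dport} is not an approved service"))
        if not r.change_ref:
            findings.append((r.rule_id, "missing_approval", "no change ticket recorded"))
    return findings


def findings_by_rule(rules, findings):
    """Sorted check names per rule; rules with no findings map to []."""
    return {r.rule_id: sorted(c for rid, c, _ in findings if rid == r.rule_id) for r in rules}


if __name__ == "__main__":
    for rid, check, detail in audit(SAMPLE_RULES):
        print(f"{rid}: {check}: {detail}")
```

In the constructed ruleset, R1 (internet to a DMZ host on 443) and R2 (DMZ host to the production database) pass; R3 is the dev-to-prod SSH rule with no ticket and trips three checks; R4 is a prod-internal any/any rule; R5 uses a 10.0.0.0/8 source that straddles dev, test and prod. The zone_spanning check is the one most often missing from manual reviews: a rule whose source or destination is broader than any single zone quietly undoes the VLAN and firewall segmentation the diagram claims. Mapping a real export (vendor CSV or API output) onto Rule objects is left to the reader; the checks do not depend on the format.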
2-5-3-6:
Requirement:
Intrusion Prevention Systems (IPS).
Control Implementation Guidelines:
  • Define and document the requirements of this ECC control within the organization's network security management requirements, and have them approved by the authorized representative
  • Implement the requirements for advanced systems that detect and prevent intrusions in the organization, which may include the following:
    • Intrusion prevention system (IPS)
    • Appropriate, up-to-date technologies for intrusion prevention
  • Protect the organization with IPS/IDS coverage of its entire infrastructure, including:
    • Internal network
    • DMZ
    • Wireless network
  • Periodically review the IPS/IDS configuration; all technical and standard controls that are reviewed and verified against the IPS/IDS configuration must be maintained in a dedicated automation tool or an Excel sheet, followed up, and updated where necessary with the prior approval of the authorized representative
Expected Deliverables:
  • Cybersecurity policy that covers all the requirements of network security management in the organization (e.g., electronic copy or official hard copy)
  • Formal approval by the head of the organization or his/her deputy on such requirements (e.g., via the organization's official e-mail, paper or electronic signature)
  • Samples showing the implementation of the IPS/IDS requirements, including but not limited to:
    • Evidence of the IPS/IDS implementation (e.g., a screenshot showing the subscription to and use of up-to-date IPS/IDS technologies, and access to the technical infrastructure demonstrating that all of the organization's information and technology assets are covered by the IPS/IDS)
    • Periodic review report on the IPS/IDS configuration, showing that all technical and standard controls have been reviewed and verified against the IPS/IDS configuration in a dedicated automation tool or an Excel sheet, together with the prior approvals obtained for reviewing and updating the configuration where required
2-5-3-7:
Requirement:
Security of the Domain Name Service (DNS) through the Haseen platform.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC control within the organization's network security management requirements, and have them approved by the authorized representative
  • Use DNS security or a DNS firewall to protect the organization's systems against DNS poisoning attacks, and use documented (approved) DNS servers
  • Refrain from using public DNS resolvers such as Google DNS or the service provider's (ISP's) resolvers
Expected Deliverables:
  • Cybersecurity policy that covers all the requirements of network security management in the organization (e.g., electronic copy or official hard copy)
  • Formal approval by the head of the organization or his/her deputy on such requirements (e.g., via the organization's official e-mail, paper or electronic signature)
  • Screenshot of the organization's DNS configuration, indicating the use of a documented DNS server address
  • Screenshot of the DNS security service showing protection of the organization's IP range
2-5-3-8:
Requirement:
Secure management and protection of the internet browsing channel against advanced persistent threats (APT), which commonly use zero-day malware.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC control within the organization's network security management requirements, and have them approved by the authorized representative
  • Implement the requirements for APT protection of the internet browsing channel in the organization, which may include the following:
    • APT protection for the internet browsing channel
    • Appropriate, up-to-date technologies for APT protection of the internet browsing channel, with assurance of their effectiveness
  • Implement APT protection for the internet browsing channel using advanced systems and technologies that protect against zero-day malware, including, but not limited to, subscribing to an APT protection provider and managing that subscription securely
Expected Deliverables:
  • Cybersecurity policy that covers all the requirements of network security management in the organization (e.g., electronic copy or official hard copy)
  • Formal approval by the head of the organization or his/her deputy on such requirements (e.g., via the organization's official e-mail, paper or electronic signature)
  • Samples showing the implementation of the requirements for APT protection of the internet browsing channel, including but not limited to:
    • Evidence that the requirements have been implemented (e.g., a screenshot showing the subscription to and use of up-to-date technologies for APT protection of the internet browsing channel, and evidence that the APT protection defends against zero-day malware)
2-5-3-9:
Requirement:
Protecting against Distributed Denial of Service (DDoS) attacks to limit risks arising from these attacks.
 
