Answer yes if your organisation undertakes a regular review of network connections (e.g. annually) in which it removes any redundant connections and makes sure that all of the connections are relevant to its business operations.
What is the control?
Connections between your network and third parties should explicitly permit only trusted traffic, i.e. the specific sources, destinations and services each party needs. It is important that these connection rules are kept up to date so that no unnecessary access is allowed and any connections that are no longer needed have been removed.
Why should I have it?
Excess or unmanaged network connections allow unneeded, and potentially malicious, traffic into your network. Such connections typically accumulate because the third parties involved in data processing change over time: a third party is removed or replaced but the old connection is not removed as part of the decommissioning process, or the system the connection gave access to is moved or retired. Reviews can also identify otherwise valid connections that can be tightened so that access is restricted to only the data, services or times of connection that are actually needed.
The number of undocumented or deprecated connections can grow significantly over time if no reviews are performed. Regular review is therefore essential to clean up any backlog of superfluous connections, and to confirm that connections which should have been removed as part of decommissioning processes or projects actually have been (which also provides evidence of the effectiveness of that process).
Such a review process therefore provides assurance to you and to potential clients that connections to your corporate network are up to date and effectively controlled.
A policy should be implemented stating that all network connections between your corporate network and external parties are reviewed at least annually to ensure that they are still required, up to date and as restrictive as possible. Note that doing so requires effective asset management and discovery processes (including the assets' configuration) so that you know which assets are present, what services they operate, for whom, and how the configuration of each connection should reflect the asset's purpose. Ideally this inventory should be as close to real time as possible and not rely on manual processes, so that the review is working from accurate data.
There are numerous consultancies and individual consultants who can assist in crafting a security architecture that meets your business and technical requirements.
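As an added example (not part of the original article, and not Risk Ledger's own tooling), the following Python script shows the reconciliation that such a review performs in practice: each firewall rule is checked against the third-party register (is the party still active, is the port within its approved scope?), against the asset inventory (does the destination still exist, does it actually serve that port?), for an overly broad source range, and for an overdue review date. The rules, register, inventory, names, CIDRs and the 365-day interval are all constructed sample data and assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
import ipaddress

REVIEW_INTERVAL_DAYS = 365  # assumed policy: every rule reviewed at least annually


@dataclass
class Rule:
    """One third-party firewall rule, as exported from the perimeter device (constructed)."""
    rule_id: str
    third_party: str
    src_cidr: str
    dst_host: str
    port: int
    last_reviewed: date


@dataclass
class Asset:
    """Internal asset from the asset inventory, with the ports it is known to serve."""
    host: str
    services: set
    status: str = "active"


@dataclass
class ThirdParty:
    """Third-party register entry: contractual status and the ports approved for it."""
    name: str
    status: str  # "active" or "decommissioned"
    allowed_ports: set = field(default_factory=set)


def review_rules(rules, assets, third_parties, today):
    """Return (rule_id, reason) findings for every rule that fails a review check."""
    findings = []
    for r in rules:
        tp = third_parties.get(r.third_party)
        if tp is None:
            findings.append((r.rule_id, f"third party {r.third_party} not in register"))
        elif tp.status != "active":
            findings.append((r.rule_id, f"third party {tp.name} decommissioned"))
        elif r.port not in tp.allowed_ports:
            findings.append((r.rule_id, f"port {r.port} not in approved scope for {tp.name}"))

        asset = assets.get(r.dst_host)
        if asset is None or asset.status != "active":
            findings.append((r.rule_id, f"destination {r.dst_host} not an active asset"))
        elif r.port not in asset.services:
            findings.append((r.rule_id, f"{r.dst_host} does not serve port {r.port}"))

        # A /0 source means "anyone", which is never an appropriate third-party rule.
        if ipaddress.ip_network(r.src_cidr, strict=False).prefixlen == 0:
            findings.append((r.rule_id, f"source {r.src_cidr} allows any source"))

        if (today - r.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append((r.rule_id, "review overdue"))
    return findings


# Constructed sample data (hypothetical names and RFC 5737 documentation addresses).
SAMPLE_THIRD_PARTIES = {
    "PayrollCo": ThirdParty("PayrollCo", "active", {443}),
    "OldHostingLtd": ThirdParty("OldHostingLtd", "decommissioned", {22}),
}
SAMPLE_ASSETS = {
    "hr-api": Asset("hr-api", {443}),
    "legacy-db": Asset("legacy-db", {1433}, status="retired"),
}
SAMPLE_RULES = [
    Rule("FW-001", "PayrollCo", "203.0.113.0/28", "hr-api", 443, date(2024, 3, 1)),
    Rule("FW-002", "OldHostingLtd", "198.51.100.4/32", "hr-api", 22, date(2022, 6, 15)),
    Rule("FW-003", "PayrollCo", "0.0.0.0/0", "legacy-db", 1433, date(2024, 1, 10)),
]


def run_sample_review(today=date(2024, 9, 1)):
    """Run the review over the constructed data; FW-001 is clean, the other two are not."""
    return review_rules(SAMPLE_RULES, SAMPLE_ASSETS, SAMPLE_THIRD_PARTIES, today)


if __name__ == "__main__":
    for rule_id, reason in run_sample_review():
        print(f"{rule_id}: {reason}")
```

In a real environment the three inputs would come from the firewall's rule export, the third-party register and the CMDB rather than being embedded, which is exactly why the article stresses that asset management and discovery data must be accurate: a stale inventory produces false findings, or worse, silently passes a rule whose destination no longer serves any legitimate purpose.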
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.