This is intended as guidance for organisations creating policies that describe the protection of data when In Motion, At Rest and In Use against corruption, loss or breach using mechanisms such as encryption, access control and storage solutions.
CIS has provided cyber security advice to a number of organisations in support of their applications to the FCA to provide authorised services.
It is our experience that cyber security is treated reactively (not being a revenue source): it will not be actively managed day to day, but management by exception is acceptable. Any cyber security framework should bear this in mind, automating tasks such as log analysis and interrupting staff with exceptions where appropriate.
CIS recommends a layered approach to Network Security, in accordance with best practice. The outline below is our starting point for network security.
Data and systems should be covered by ISO 27001:2013 A.11.1; where this is not possible, a suitable substitute should be in place.
802.1X is widely used for access control on 802.11 wireless networks and is similarly available for Ethernet ports.
802.1Q (VLANs) is the relevant mechanism for network segregation.
Null routing the IP addresses listed in the FireHOL cybercrime IP feeds mitigates access from known bad sources. Null routing is more efficient than passing the same traffic through a packet inspection firewall.
Automated log analysis should be done to dynamically block abusive traffic targeting your network specifically. Once blocked, any further access from these addresses is out of scope. This mitigates brute force and escalation attacks.
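The two blocking sources described above, as an added example (not CIS's own tooling): a parser for a FireHOL-style netset feed, and an analysis of sshd log lines that flags a source once it exceeds a failure threshold inside a sliding window. Both produce `ip route add blackhole` commands as strings for review rather than executing them. The feed text, the log lines, the 10-minute window and the threshold of four failures are constructed sample data and assumed policy values, not indicators or settings from the page.

```python
"""Null-route candidates from a threat feed and from automated log analysis."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed in the FireHOL netset layout (assumed layout:
# '#' starts a comment, entries are bare IPs or CIDR prefixes).
SAMPLE_FEED = """\
# level1 style feed (constructed sample, not a real indicator list)
203.0.113.0/24
198.51.100.77
# trailing comment
"""

# Constructed sample sshd log lines in syslog format (year is not logged,
# so it is supplied as a parameter below).
SAMPLE_LOG = """\
Mar  3 10:00:01 gw sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
Mar  3 10:00:03 gw sshd[4102]: Failed password for root from 192.0.2.10 port 51001 ssh2
Mar  3 10:00:06 gw sshd[4103]: Failed password for root from 192.0.2.10 port 51002 ssh2
Mar  3 10:00:08 gw sshd[4104]: Failed password for root from 192.0.2.10 port 51003 ssh2
Mar  3 10:00:30 gw sshd[4105]: Failed password for alice from 192.0.2.44 port 40000 ssh2
Mar  3 10:00:31 gw sshd[4106]: Accepted publickey for alice from 192.0.2.44 port 40001 ssh2
Mar  3 11:30:00 gw sshd[4107]: Failed password for root from 192.0.2.10 port 51004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_netset(text):
    """Return the networks listed in a netset feed, skipping comments and blank lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def abusive_sources(log_text, threshold=4, window=timedelta(minutes=10), year=2024):
    """Return source IPs with at least `threshold` failed logins inside any `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures[m.group("ip")].append(ts)

    flagged = set()
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0  # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


def blackhole_commands(prefixes):
    """Render null-route commands for review; nothing is executed here."""
    return [f"ip route add blackhole {ipaddress.ip_network(p, strict=False)}" for p in prefixes]


if __name__ == "__main__":
    feed_nets = [str(n) for n in parse_netset(SAMPLE_FEED)]
    for cmd in blackhole_commands(feed_nets + abusive_sources(SAMPLE_LOG)):
        print(cmd)
```

The sliding window matters for the "targeting your network specifically" point: a single failed login an hour later (the 11:30 line) is not enough on its own, whereas four failures inside ten minutes are. Feed entries are normalised through `ipaddress` so a bare host address becomes a /32 route.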
Protecting ports that are opened out of necessity, but need not be publicly available, with a packet inspection firewall is essential. CIS completes a daily nmap audit from a public internet IP address, compares it against a "known good" (gold standard) scan and reports any exceptions. These should be handled by an incident response mechanism for investigation.
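The comparison step, as an added example that is not CIS's own audit script: both scans are assumed to have been saved in nmap's grepable output format (`-oG`), and the two texts below are constructed samples standing in for the baseline file and today's scan.

```python
"""Diff a daily external nmap scan against a gold-standard baseline."""
import re

# Constructed baseline in nmap grepable (-oG) layout.
BASELINE = """\
# Nmap scan initiated (constructed baseline)
Host: 198.51.100.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 198.51.100.11 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
"""

# Constructed "today" scan: a new port has appeared on .10 and .11 lost its service.
TODAY = """\
# Nmap scan initiated (constructed daily scan)
Host: 198.51.100.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (997)
Host: 198.51.100.11 ()\tPorts: 443/closed/tcp//https///\tIgnored State: filtered (999)
"""

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) .*?Ports: (?P<ports>.*?)(?:\t|$)")


def open_ports(grepable_text):
    """Return the set of (host, port, protocol) triples reported as open."""
    found = set()
    for line in grepable_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        for entry in m.group("ports").split(","):
            fields = entry.strip().split("/")
            # fields: port, state, protocol, owner, service, rpc info, version
            if len(fields) >= 3 and fields[1] == "open":
                found.add((m.group("ip"), int(fields[0]), fields[2]))
    return found


def audit(baseline_text, today_text):
    """Exceptions relative to the gold standard: newly open and newly closed services."""
    base, now = open_ports(baseline_text), open_ports(today_text)
    return {"newly_open": sorted(now - base), "newly_closed": sorted(base - now)}


def report(result):
    """Human-readable lines for the incident response queue."""
    lines = []
    for host, port, proto in result["newly_open"]:
        lines.append(f"EXCEPTION newly exposed: {host} {port}/{proto}")
    for host, port, proto in result["newly_closed"]:
        lines.append(f"EXCEPTION expected service missing: {host} {port}/{proto}")
    return lines or ["OK: scan matches gold standard"]


if __name__ == "__main__":
    for line in report(audit(BASELINE, TODAY)):
        print(line)
```

Both directions are reported deliberately: a newly exposed port is the obvious exception, but a service that has disappeared from the baseline is also worth a ticket, since it may indicate an outage or an unapproved change rather than a hardening improvement.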
Some ports (such as file sharing) could be dynamically opened, for a defined time period, to users who have completed 2FA.
CIS feeds log analysis of SIP, SSH, SMTP, POP and IMAP traffic to our Layer 3 firewall to dynamically block abusive traffic.
Protocols at this layer mostly support their own authentication, with at least a username and password. See AAA below.
All resources require access controls and reporting for proper management.
According to PSD2, Strong Customer Authentication (SCA) requires multi-factor, or more specifically two-factor, authentication (2FA), using at least two of: a knowledge factor (something you know), a possession factor (something you have) and an inherence factor (something you are).
Password / Knowledge Factor: Any initial password assigned should be confirmed as changed once a fixed onboarding period is over. Accounts should be considered at risk during this period and suitable mitigations put in place. A site such as https://howsecureismypassword.net/ will demonstrate to users whether their password complexity and length are suitable.
Dynamic Password / Possession Factor: TOTP apps are ubiquitous. The generated secret should be treated as sensitive personal data, in the same way as a password. Exchanging the secret (possibly via a QR code) is a high-risk activity and should be suitably managed.
Assigning authenticated users to roles (role-based authorisation) provides the easiest way to meet periodic auditability requirements, by allowing role permissions and role membership to be audited independently.
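The two independent audit questions, "what can this role do?" and "who holds this role?", as an added example that is not from the page. The roles, permissions, memberships and the segregation-of-duties rule are constructed sample data and an assumed policy.

```python
"""Periodic audit of role-based authorisation data."""
from collections import defaultdict

# Constructed sample: role -> permissions, and user -> roles (assumed data).
ROLE_PERMISSIONS = {
    "helpdesk": {"ticket:read", "ticket:write"},
    "finance": {"ledger:read", "payment:approve"},
    "admin": {"user:create", "user:delete", "ledger:read"},
    "legacy-ops": {"server:reboot"},
}
USER_ROLES = {
    "alice": {"helpdesk"},
    "bob": {"finance", "admin"},
    "carol": {"finance"},
}


def effective_permissions(user):
    """Union of the permissions granted through every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def holders_of(permission):
    """Reverse lookup: which users can exercise a permission, and via which roles."""
    result = defaultdict(set)
    for user, roles in USER_ROLES.items():
        for role in roles:
            if permission in ROLE_PERMISSIONS.get(role, ()):
                result[user].add(role)
    return dict(result)


def audit_findings():
    """Findings a periodic review raises from the two views taken together."""
    assigned = {r for roles in USER_ROLES.values() for r in roles}
    findings = []
    for role in sorted(set(ROLE_PERMISSIONS) - assigned):
        findings.append(f"unassigned role: {role}")
    for role in sorted(assigned - set(ROLE_PERMISSIONS)):
        findings.append(f"membership references undefined role: {role}")
    # Assumed segregation-of-duties rule: nobody both approves payments and creates users.
    for user in sorted(USER_ROLES):
        if {"payment:approve", "user:create"} <= effective_permissions(user):
            findings.append(f"segregation of duties: {user} can both approve payments and create users")
    return findings


if __name__ == "__main__":
    for finding in audit_findings():
        print(finding)
```

Keeping the two tables separate is what makes the review tractable: the permission table changes rarely and can be signed off by the system owner, while membership changes often and can be reviewed by line managers, and a finding like the segregation-of-duties clash above only becomes visible when the two are joined.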
Log files should be fed back into security mechanisms, or exceptions reported, as appropriate. For example, failed remote connection attempts, logins to telephony and email resources, and connections from disallowed geographies should be noted and further attempts blocked where possible. See also: How we feed Windows log entries to a central syslog server.
From cybercriminals to nation-state actors, and from GDPR legislation to PSD2: properly considered and implemented ICT / cyber security is essential to every organisation.
Encryption likely considers TLS using a limited subset of AES ciphers along with appropriate key lengths.
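A TLS client configuration restricted in the way the sentence above describes, as an added example that is not from the page: TLS 1.2 as the minimum version, AES-GCM suites with forward secrecy only, and a checker that lists anything weak still enabled. The cipher string is an OpenSSL-style selector applied to TLS 1.2 and below; TLS 1.3 suites are fixed by the library and are left as they are. Which suite names end up enabled depends on the local OpenSSL build.

```python
"""A restricted TLS context and a check on what it actually enables."""
import ssl

# Substrings that should never appear in an enabled suite name.
WEAK_TOKENS = ("RC4", "DES", "NULL", "MD5", "EXPORT")


def build_context(min_version=ssl.TLSVersion.TLSv1_2,
                  cipher_spec="ECDHE+AESGCM:!aNULL:!MD5"):
    """Client context: system CAs, hostname verification, TLS 1.2+, AES-GCM with ECDHE."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    ctx.set_ciphers(cipher_spec)   # governs TLS 1.2 suites; TLS 1.3 suites are separate
    return ctx


def enabled_cipher_names(ctx):
    """Names of the suites the context will offer, as reported by OpenSSL."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(ctx):
    """Any enabled suite whose name carries a known-weak algorithm token."""
    return [n for n in enabled_cipher_names(ctx)
            if any(token in n.upper() for token in WEAK_TOKENS)]


def tls12_suites_are_ecdhe_gcm(ctx):
    """True when every TLS 1.2 suite offered uses ECDHE key exchange and AES-GCM."""
    return all("ECDHE" in c["name"] and "GCM" in c["name"]
               for c in ctx.get_ciphers() if c.get("protocol") == "TLSv1.2")


if __name__ == "__main__":
    ctx = build_context()
    print("enabled:", enabled_cipher_names(ctx))
    print("weak:", weak_ciphers(ctx))
```

Checking the enabled list rather than trusting the selector string is the useful habit: a cipher string is interpreted by whichever OpenSSL is installed, so the same configuration can enable different suites on different hosts, and `weak_ciphers` on a permissive spec such as `"ALL"` is an easy way to see what a default would have allowed.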
Storage likely considers use of redundancy (RAID 1, 5 or 10) and a backup and recovery strategy.
Along with these, network security mechanisms should be in place to limit breaches and to notify when they do occur [Art. 33 GDPR].
The OSI model can be used to independently evaluate network security. Not all aspects considered are relevant to every circumstance.
The AAA framework [Authentication, Authorization and Accounting] can be used to independently evaluate resource access control.