
The ISO 27001 & ISO 22301 Blog

Rhand Leal

Requirements to implement network segregation according to ISO 27001 control A.13.1.3

Think about a house, or office, with only one big space where you can arrange all your loved and precious things the way you think most appropriate. Tempting, isn't it? The flexibility to use the space and the ease of seeing everything right away seem like a big deal. Now imagine this house, or office, being broken into. What happens to your loved and precious things then?

This situation is very similar to many network implementations worldwide. In search of easy, uncomplicated network management, or through lack of knowledge, many organizations end up with hundreds, or thousands, of pieces of equipment connected to a single gigantic network. Beyond performance problems, this kind of situation can wreak havoc in case of an attack or unintentional error.

Network security management, one of the main security categories of ISO 27001, states as its objective “to ensure the protection of information in networks and its supporting information processing facilities.” To achieve the stated objective, one of its proposed controls is A.13.1.3 – Segregation in networks, and in this article we will review its recommendations detailed in ISO 27002.

What is network segregation?


Network segregation is the act of splitting a network into smaller parts called subnetworks or network segments. It is another good example of application of the strategy “Divide and Conquer” we saw in the article ISO 27001 project management: Implementing complex security controls using Work Breakdown Structure (WBS).

Reviewing the house / office example, you can think of segregation as rooms like a living room, dining room, meeting room, archive room, etc. The most important thing here is thinking about spaces reserved for specific purposes.

Network segregation benefits and needs

When you segregate a network, you can achieve the following benefits:

Enhanced performance: with fewer hosts per subnetwork, there is less signaling traffic, and more bandwidth can be used for data communication.

Improved security: with less signaling traffic going through all network segments, it is more difficult for an attacker to figure out the network structure, failures in one segment are less likely to propagate, and better access control can be established considering visitors’ access or access to sensitive information / assets.

On the other hand, the segregation effort requires:

Specialized knowledge: networks may house hundreds of devices, with organizations defining complex policies with dozens of rules, so the network staff must be properly educated and trained to ensure the network segmentation keeps the business working securely and in compliance.

Administrative effort: changes in infrastructure, like new business applications and new technologies, can multiply the time required to make proper changes and ensure the integrity of network segments.

Investments in equipment / software: segregation may require more equipment, new equipment with advanced functionalities, or specific software to deal with multiple segments, and those requirements should be considered during budget planning.

ISO 27001 control A.13.1.3 and ISO 27002 implementation recommendations for network segregation

Control A.13.1.3 – Segregation in networks states that groups of information services, users, and information systems should be segregated on networks. ISO 27002, which provides guidance on the implementation of ISO 27001 controls, makes the following recommendations:

  • Divide large networks into separate network domains (segments).
  • Consider physical and logical segregation.
  • Define domain perimeters.
  • Define traffic rules between domains.
  • Use authentication, encryption, and user-level network access control technologies.
  • Consider integration of the organization’s network and segments with those of business partners.

To fulfill these recommendations, you can consider the following:

Criteria-based segmentation: Pre-defined rules to establish perimeters and create new segments can reduce future administration efforts. Examples of criteria are trust level (e.g., external public segment, staff segment, server segment, database segment, suppliers segment, etc.), organizational unit (e.g., HR, Sales, Customer Service, etc.), and combinations (e.g., external public access to Sales and Customer Service).

Use of physical and logical segmentation: Depending upon the risk level indicated in the risk assessment, it may be necessary to use physically separated infrastructures to protect the organization’s information and assets (e.g., top-secret data flowing through a fiber dedicated to management staff), or you may use solutions based on logical segmentation like Virtual Private Network (VPN).

Access rules for traffic flows: Traffic between segments, including those of allowed external parties, should be controlled according to the need to transmit or receive information. Gateways, like firewalls and routers, should be configured based on information classification and risk assessment. A specific case of access control applies to wireless networks, since they have poor perimeter definition. The recommendation is to treat wireless communication as an external connection until the traffic reaches a proper wired gateway, before granting access to internal network segments.
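As an added illustration (not part of the original article, and not text from ISO 27002), the following Python script models the three points above: segments ranked by trust level, explicit gateway rules between domains with a default-deny fallback, wireless placed at the external trust level, and a review check that flags allow rules jumping across trust levels. Segment names, ports and rules are constructed for the example.

```python
from dataclasses import dataclass

# Segments ranked by trust level (higher = more sensitive), following the
# criteria-based approach above. Wireless sits at the external level because
# it is treated as an external connection until it passes a wired gateway.
TRUST = {
    "internet": 0,
    "wireless": 0,
    "suppliers": 1,
    "staff": 2,
    "servers": 3,
    "database": 4,
}

@dataclass(frozen=True)
class Rule:
    src: str      # source segment
    dst: str      # destination segment
    port: int     # destination TCP port
    action: str   # "allow" or "deny"

# Constructed gateway rules between domains. Anything not matched falls
# through to default deny, so sensitive segments are reachable only via
# an explicit allow.
RULES = [
    Rule("staff", "servers", 443, "allow"),
    Rule("servers", "database", 5432, "allow"),
    Rule("suppliers", "servers", 443, "allow"),
    Rule("wireless", "staff", 443, "deny"),
]

def evaluate(src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for a flow from src to dst on a TCP port."""
    if src not in TRUST or dst not in TRUST:
        raise ValueError(f"unknown segment in flow {src!r} -> {dst!r}")
    for r in RULES:
        if (r.src, r.dst, r.port) == (src, dst, port):
            return r.action
    return "deny"  # default deny: no rule means no traffic

def check_ruleset(rules) -> list:
    """Review aid: flag allow rules that jump more than one trust level
    (e.g. a supplier segment straight into servers), a sign that traffic
    bypasses an intermediate domain. This heuristic is illustrative only."""
    findings = []
    for r in rules:
        jump = TRUST[r.dst] - TRUST[r.src]
        if r.action == "allow" and jump > 1:
            findings.append(f"{r.src}->{r.dst}:{r.port} crosses {jump} trust levels")
    return findings
```

Running `check_ruleset(RULES)` on the constructed rules reports the supplier-to-server rule, which is the kind of finding a periodic review of gateway rules against the segmentation criteria should surface.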

One network to rule them all? Think again.

Single networks for startups or small businesses may seem like a good deal, and in most cases they are. They are easy to manage and save money needed to keep the business going. However, you must think like a strategic manager and set yourself apart from ordinary managers by thinking ahead: be ready to evolve your network when it starts to become a drawback to the business.

You do not need to implement network segregation at the beginning of your new business, but if you believe your business will be successful, you must be prepared.

To learn more about recommendations on what you need to consider while implementing or reviewing security controls, see this free ISO 27001 Lead Implementer Online Course.
