How to manage the security of network services according to ISO 27001 A.13.1.2
Everybody knows that information is stored in information systems (workstations, laptops, smartphones, etc.), but to exchange the information via a network is necessary.
Most of the information systems in this world are connected to the same main network – Internet – and, without this network, our society would look pretty different; in fact, the current society as we know it would not be possible.
Anyway, the Internet is not the only network relevant for information security. Other, commonly used networks are, for example, local area networks (LAN), mobile communication networks, Internet of Things (IoT) networks, etc. They are hosts to many services that need to be protected as well.
The A.13.1.2 control of Annex A of ISO/IEC 27001:2013 basically was developed for the security of network services, and the basic principle of this control is to identify security mechanisms, service levels, and management requirements related to all network services.
So, the important thing here is to manage the security of the network services, including those cases where the service is outsourced.
Security features of network services
Well, but what is a network service? According to ISO/IEC 27002:2013, network services are basically the provision of connections, private network services, firewalls, and Intrusion Detection Systems. ISO/IEC 27002:2013 also defines security features of the network services, which could be:
- Network security technology – This can be implemented through the segregation of networks, for example configuring VLANs with routers/switches, or also if remote access is used, secure channels (encrypted) are necessary for the access, etc.
- Configuring of technical parameters – This can be implemented through Virtual Private Networks (VPN), using strong encryption algorithms, and establishing a secure procedure for the authentication (for example, with electronic certificates).
- Mechanisms to restrict access – This can be implemented with firewalls, which can filter internal/external connections, and also can filter access to applications. Intrusion Detection Systems can also be used here, referenced specifically by the ISO 27002:2013 standard. Basically, Intrusion Detection Systems (IDS) are devices that can be based on hardware or software, and they constantly monitor connections to detect possible intrusions to the network of the organization. They can also help firewalls to accept or reject connections, depending on the defined rules. Here it is important to note that an IDS is a passive system, because it can only detect; but, there are also Intrusion Prevention Systems, known as IPS, which can prevent intrusions. The IPS are not specified by the standard, but are very useful and can also help firewalls.
So, basically, if you want to manage the security of network services, you can use these types of hardware/software:
- Routers/switches (for example, for the implementation of VLANs)
- Firewalls or similar perimeter security devices (for example, for the establishment of VPNs, secure channels, etc.)
- IDS/IPS (for intrusion detection/intrusion prevention)
By the way, this article about firewalls might be interesting for you: How to use firewalls in ISO 27001 and ISO 27002 implementation.
Network services agreements in ISO 27001
At this point, we have identified the network services, but if we want to align with ISO 27001, we need to go one step further. This means that these network services should be included in network services agreements (or SLA, Service Level Agreements), being applicable to internal services provided in-house, and also to services provided from outside, by which I mean those that are outsourced.
So, for the development of a network service agreement, basically you need to consider what network services are established, how they are offered (from inside, or outside, resources, etc.), service levels (24×7, response and treatment of incidents, etc.), and other key components. If the network service is outsourced, it is also important to consider periodic meetings with the external company, and in these meetings it is important to review the SLAs (following the A.15.2 Supplier service delivery management control).
This article might also be interesting for you: 6-step process for handling supplier security according to ISO 27001.
For the security mechanisms included in the SLA, the selection could be based on the results of the risk assessment (basically, for the highest risks, the strongest security mechanism will be necessary), using the security controls from Annex A of ISO 27001), or even using the organization’s contacts with special interest groups for specific environments like government, military, etc., where the implementation of specific regulations could be needed (following the A.6.1.4 Contact with special interest groups).
This article can provide you with more information: Special interest groups: A useful resource to support your ISMS.
Feel secure in your organization’s protection of network services
Remember that all your information is stored in information systems, and they are connected by networks, and the exchange of information is possible through network services (firewalls, IDS, IPS, VPNs, VLANs, etc.). So, if you want to feel secure in your organization, you need to be careful with the network, controlling the network services, identifying firewalls, IDS, IPS, VPNs, etc., and including them in network services agreements.
ISO 27001 control A.13.1.2 is a good resource on the increasing requirements for the security of networks. It is case-specific, and that could be exploited to the maximum – meaning you can tailor security mechanisms to your own requirements using the technology already in place. Your organization will gain results; but, even more importantly – so will your customers and users. And they know how to appreciate having a partner in business who sees security as a highly important topic.
See this eBook: ISO 27001 Annex A Controls in Plain English to learn more about security controls.