A.8.20 Network Security would include:
- Network Security Policy: Documentation of a network security policy that outlines the organization's overall approach to securing its network infrastructure, including the goals, objectives, and responsibilities related to network security.
- Network Architecture Diagrams: Detailed diagrams and documentation of the organization's network architecture, including network boundaries, zones, subnets, and the placement of security devices such as firewalls and intrusion detection systems.
- Access Control Lists (ACLs): Configuration details of access control lists implemented on network devices to control traffic flow and restrict unauthorized access to network resources.
- Network Segmentation: Evidence of network segmentation practices to isolate critical systems and sensitive data from less secure areas of the network, reducing the impact of potential breaches.
- Firewalls and Intrusion Detection/Prevention Systems: Documentation of firewall configurations and rules, as well as reports from intrusion detection/prevention systems showing detection and response to potential security incidents.
- Virtual Private Network (VPN) Configuration: Details of VPN configurations used to secure remote access to the organization's network, ensuring confidentiality and integrity of data in transit.
- Network Monitoring and Logging: Records of network monitoring and logging practices, including logs from network devices, to detect suspicious activities and enable timely incident response.
- Network Vulnerability Assessment Reports: Reports from network vulnerability assessments or penetration tests, identifying potential weaknesses in network security and their remediation status.
- Wireless Network Security: Documentation of the organization's wireless network security measures, including encryption protocols, authentication mechanisms, and procedures for monitoring and securing wireless access points.
- Network Device Patching and Updates: Evidence of a process to apply regular patches and updates to network devices, such as routers, switches, and firewalls, to address known vulnerabilities.
- Incident Response Plan: Documentation of an incident response plan specific to network security incidents, including roles, responsibilities, and procedures to address and mitigate network-related incidents.
- Network Security Training: Records of training sessions and awareness programs provided to network administrators and users to educate them about network security best practices and potential threats.
By reviewing these pieces of evidence, an auditor can assess the organization's network security posture, identify potential weaknesses, and determine whether the implemented network security controls align with industry best practices and standards. The goal is to ensure the confidentiality, integrity, and availability of the organization's network resources and data, and to protect against network-based attacks and unauthorized access to critical systems.