Network security and information sharing shall be addressed to ensure protection of information in transit
T4.1 COMMUNICATIONS POLICY
OBJECTIVE
To maintain a communications policy covering the security of information shared internally and externally
PERFORMANCE INDICATOR
Extent of communications policy deployment and adoption across the entity
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Unsuitable communications policy
- Unawareness of communications policy among IT staff
APPLICABLE CONTROLS
The following controls are applicable to this control family.
- T4.1.1 - P3 - COMMUNICATIONS POLICY
T4.2 INFORMATION TRANSFER
OBJECTIVE
To maintain the security of information and software exchanged within an entity and with any external entity
PERFORMANCE INDICATOR
Percentage of people not complying with the information transfer policy
AUTOMATION GUIDANCE
Commercial DLP solutions are available to look for exfiltration attempts and detect other suspicious activities associated with a protected network holding sensitive information. Entities deploying such tools should carefully inspect their logs and follow up on any discovered attempt to transmit sensitive information out of the entity without authorization, including attempts that were successfully blocked.
RELEVANT THREATS AND VULNERABILITIES
- Unprotected information in transit
- Tampering with information systems
APPLICABLE CONTROLS
The following controls are applicable to this control family.
- T4.2.1 - P2 - INFORMATION TRANSFER PROCEDURES
- T4.2.2 - P3 - AGREEMENTS ON INFORMATION TRANSFER
- T4.2.3 - P3 - PHYSICAL MEDIA IN TRANSIT
- T4.2.4 - P3 - ELECTRONIC MESSAGING
- T4.2.5 - P4 - BUSINESS INFORMATION SYSTEMS
T4.3 ELECTRONIC COMMERCE SERVICES
OBJECTIVE
To ensure the security of electronic commerce services
PERFORMANCE INDICATOR
Percentage of e-commerce volume subject to information security incidents
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Embezzlement, skimming, and related fraud
- Eavesdropping / Packet Sniffing
APPLICABLE CONTROLS
The following controls are applicable to this control family.
- T4.3.1 - P2 - ELECTRONIC COMMERCE
- T4.3.2 - P3 - ON-LINE TRANSACTIONS
- T4.3.3 - P4 - PUBLICLY AVAILABLE INFORMATION
T4.4 INFORMATION SHARING PROTECTION
OBJECTIVE
To ensure adequate protection of information shared within an information sharing community
PERFORMANCE INDICATOR
Frequency of information security incidents occurring within each information sharing community in which information is intentionally or unintentionally disclosed
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Misappropriation of private knowledge
- Abuse of system access/privileges
APPLICABLE CONTROLS
The following controls are applicable to this control family.
- T4.4.1 - P4 - CONNECTIVITY TO INFORMATION SHARING PLATFORMS
- T4.4.2 - P4 - INFORMATION RELEASED INTO INFORMATION SHARING COMMUNITIES
T4.5 NETWORK CONTROLS
OBJECTIVE
To ensure the protection of information in networks and the protection of the supporting infrastructure
PERFORMANCE INDICATOR
Percentage of information systems that meet all network security management requirements
AUTOMATION GUIDANCE
Port scanning tools are used on a range of target systems to determine which services are listening on the network. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered open port. This list of services and their versions is compared against the inventory of services required by the entity for each server and workstation, as recorded in an asset management system. Recently added features in these port scanners can also report changes in the services offered by scanned machines since the previous scan, helping security personnel identify differences over time.
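As an added illustration of the comparison this guidance describes (example code, not part of this framework or of any scanner), the following Python script checks a scan result against an inventory of required services and reports what changed since the previous scan; the hosts, ports, service names and versions are constructed sample values.

```python
"""Reconcile port-scan results with an asset inventory and a previous scan."""
from typing import Dict, Tuple

# A scan result maps host -> {port: (service, version)}. These are constructed
# sample values standing in for parsed scanner output, not real hosts.
Scan = Dict[str, Dict[int, Tuple[str, str]]]

PREVIOUS_SCAN: Scan = {
    "10.0.0.5": {22: ("ssh", "OpenSSH 9.3"), 443: ("https", "nginx 1.24")},
    "10.0.0.9": {22: ("ssh", "OpenSSH 9.3"), 3306: ("mysql", "MySQL 8.0")},
}
CURRENT_SCAN: Scan = {
    "10.0.0.5": {22: ("ssh", "OpenSSH 9.3"), 443: ("https", "nginx 1.25"),
                 8080: ("http-proxy", "Squid 5.7")},
    "10.0.0.9": {22: ("ssh", "OpenSSH 9.3")},
}
# Constructed inventory: the services each host is required (and allowed) to expose.
INVENTORY: Dict[str, Dict[int, str]] = {
    "10.0.0.5": {22: "ssh", 443: "https"},
    "10.0.0.9": {22: "ssh", 3306: "mysql"},
}


def compare_to_inventory(scan: Scan, inventory):
    """Return (unexpected, missing): listening services absent from the inventory,
    and inventoried services that are not listening."""
    unexpected, missing = [], []
    for host in sorted(set(scan) | set(inventory)):
        found, required = scan.get(host, {}), inventory.get(host, {})
        for port, (service, _version) in found.items():
            if port not in required:
                unexpected.append((host, port, service))
        for port, service in required.items():
            if port not in found:
                missing.append((host, port, service))
    return sorted(unexpected), sorted(missing)


def diff_scans(previous: Scan, current: Scan):
    """Return (opened, closed, changed) since the previous scan, so reviewers
    only need to look at what moved, including version changes on known ports."""
    opened, closed, changed = [], [], []
    for host in sorted(set(previous) | set(current)):
        before, after = previous.get(host, {}), current.get(host, {})
        for port in sorted(set(before) | set(after)):
            if port not in before:
                opened.append((host, port, after[port]))
            elif port not in after:
                closed.append((host, port, before[port]))
            elif before[port] != after[port]:
                changed.append((host, port, before[port], after[port]))
    return opened, closed, changed
```

Running `compare_to_inventory(CURRENT_SCAN, INVENTORY)` flags the uninventoried proxy on 10.0.0.5 and the missing database listener on 10.0.0.9, while `diff_scans` separately reports the new port, the closed port and the nginx version change.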
RELEVANT THREATS AND VULNERABILITIES
- Abuse of system access/privileges
- Eavesdropping / Packet Sniffing
- Denial of Service (DoS) or DDoS
APPLICABLE CONTROLS
The following controls are applicable to this control family.