Communication Controls (Networks & Firewalls) Policy

Security Classification: Public
Version: 1.1 (May 2025)

Communication Controls (Networks and Firewalls)

Network & Firewall Policy Scope

This policy applies to all firewalls, routers, switches, and network devices in the KX development, staging and production environments.

Background

Controls must be implemented to protect network devices, supporting environments and the information flowing through the network from unauthorized access.

This document specifies the policies and procedures required in KX to comply with the Security Policy.  Where necessary, it contains additional controls required for improved security or to comply with external compliance standards, for example, ISO 27001.

Network Policies

KX network traffic must be controlled, managed and periodically evaluated to identify vulnerabilities.  Network diagrams must be maintained to reflect changes in underlying architecture and production environments.

Network Controls

Refer to the Network Control Standard maintained by the KX IT team for detailed network controls and the security of network services.
All firewalls and network components are monitored so that malicious traffic on the KX network is detected and responded to.

Segregation in Networks

  • Development and test environments must be on a different physical network from the production environments
  • Inbound internet traffic must be protected by a next-generation firewall and denied by default
  • Periodic reviews must be carried out to ensure there is a valid business reason for every service and port open on that firewall, per the Firewall Review Policy

Firewall Review Policy

KX needs to maintain a comprehensive IPAM / DCIM (IP Address Management / Data Center Infrastructure Management) platform covering all cloud-based, on-premises and corporate assets.  A change process must be in place to control any changes made to firewalls and to production and Internet-facing assets, and the firewall rules must be reviewed on a regular basis to ensure they are still accurate and still required.

  • Firewalls must be present at any touchpoint to a shared environment and / or third-party network
  • Firewalls must be configured to deny inbound and outbound connections by default; only explicitly approved flows may be permitted
  • Firewall rules must reflect the principle of least privilege
  • Firewall traffic must be logged, including all administrative access
  • Firewall remote administration is only permitted via VPN-protected access
  • Firewall events must be monitored for security event detection

Firewall Change Requirements

All changes to Firewalls should be formally controlled:

  • All changes need a formal change control ticket
  • All changes need formal approval

Firewall Review Process

Roles and responsibilities:

  • Reviewer: The review is to be scheduled and carried out by a person who is independent of the team that has access to, and manages, any of the firewalls
  • Firewall owner: Team that manages and has access to the firewalls

The Firewall Review Process will use a combination of daily automated checks and quarterly manual reviews.

The following processes must be adhered to:

  • Reviews must detect any change to a firewall that was not correctly authorized via the Change Request Process
  • Automation and alerting must be in place to enforce the following:
    • The Network Operations Team must validate that every detected change is tied to a valid, approved change request.  If it is not, a critical defect must be raised promptly and the change investigated.
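The following is an added example of what the daily automated check described above can look like; it is not KX's own tooling. It assumes a simplified one-rule-per-line export format (`name action proto src dst port`), a change-ticket record with an `id`, a `status` and the rule names it covers, and the constructed sample data embedded below. Every rule that was added, removed or modified since the approved baseline and is not claimed by a ticket in `approved` state is reported as a critical finding for the Network Operations Team to investigate.

```python
"""Daily firewall change check: flag rule changes with no approved change ticket.

Added example, not part of the KX policy. The rule export format, the ticket
record layout and the sample data below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    port: str


def parse_rules(text: str) -> dict[str, Rule]:
    """Parse an export with one rule per line: 'name action proto src dst port'.
    Blank lines and '#' comments are ignored; a malformed line is an error,
    because silently skipping it would hide a change from the review."""
    rules: dict[str, Rule] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"malformed rule line: {line!r}")
        rule = Rule(*fields)
        rules[rule.name] = rule
    return rules


def diff_rules(baseline: dict[str, Rule], current: dict[str, Rule]):
    """Return the names of rules added, removed and modified relative to the baseline."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {n for n in set(baseline) & set(current) if baseline[n] != current[n]}
    return added, removed, modified


def find_unauthorized_changes(baseline: dict[str, Rule], current: dict[str, Rule],
                              tickets: list[dict]) -> list[dict]:
    """Report every changed rule not covered by a ticket in 'approved' state.
    A ticket that exists but is still pending does not authorize the change."""
    claimed: dict[str, dict] = {}
    for ticket in tickets:
        for name in ticket["rules"]:
            claimed[name] = ticket

    added, removed, modified = diff_rules(baseline, current)
    findings = []
    for kind, names in (("added", added), ("removed", removed), ("modified", modified)):
        for name in sorted(names):
            ticket = claimed.get(name)
            if ticket is not None and ticket["status"] == "approved":
                continue
            findings.append({
                "rule": name,
                "change": kind,
                "ticket": None if ticket is None else f'{ticket["id"]} ({ticket["status"]})',
                "severity": "critical",
            })
    return findings


# Constructed sample data: the last approved baseline and today's live export.
BASELINE = """
# name            action proto src            dst            port
allow-web-in      allow  tcp   0.0.0.0/0      10.10.1.0/24   443
allow-vpn-mgmt    allow  tcp   10.200.0.0/24  10.10.0.5      22
deny-all-in       deny   any   0.0.0.0/0      0.0.0.0/0      any
"""

CURRENT_EXPORT = """
allow-web-in      allow  tcp   0.0.0.0/0      10.10.1.0/24   443
allow-vpn-mgmt    allow  tcp   0.0.0.0/0      10.10.0.5      22
allow-db-in       allow  tcp   0.0.0.0/0      10.10.2.7      5432
allow-monitoring  allow  tcp   10.50.0.0/24   10.10.1.0/24   9100
deny-all-in       deny   any   0.0.0.0/0      0.0.0.0/0      any
"""

# Constructed change tickets: one approved, one still pending.
TICKETS = [
    {"id": "CHG-1042", "status": "approved", "rules": ["allow-monitoring"]},
    {"id": "CHG-1050", "status": "pending", "rules": ["allow-db-in"]},
]


def run_daily_check() -> list[dict]:
    """Run the check over the sample data; returns the findings to alert on."""
    return find_unauthorized_changes(parse_rules(BASELINE), parse_rules(CURRENT_EXPORT), TICKETS)


if __name__ == "__main__":
    for finding in run_daily_check():
        print(f'[{finding["severity"].upper()}] {finding["change"]} rule '
              f'{finding["rule"]!r}, ticket: {finding["ticket"] or "none"}')
```

On the sample data the check raises two critical findings: `allow-db-in` was added under a ticket that is only pending, and `allow-vpn-mgmt` was widened to accept SSH from any source with no ticket at all, which also breaks the VPN-only administration requirement. `allow-monitoring` is covered by an approved ticket and is not reported. In practice the baseline is the export taken after the last approved change and the tickets come from the change-control system, so the script runs once a day and the quarterly manual review then only has to confirm the business justification for rules that are already known to be authorized.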