Control 8.21: Security of Network Services
Summary
Security mechanisms, service levels and management requirements of all network services should be identified, implemented and monitored. The point of the control is that a network service is in scope whether it is run in-house or bought from a provider: in both cases the organization must know what security the service is supposed to deliver, verify that it actually does, and react when it does not.
Applicability
In-Scope: Applies to every network service the organization depends on, and so to the relationships with Internet Service Providers (ISPs), managed security providers, cloud networking services and the teams that operate them. The requirement is that the connectivity carrying the data is held to the same security standard as the data itself.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Service Requirements: Identify the security features, service levels and management requirements of each Microsoft network service before relying on it. Microsoft's audit reports and certifications (e.g. ISO 27001, SOC 2) are published in the Service Trust Portal; the committed service levels are in the Service Level Agreement for Microsoft Online Services, which forms part of the licensing terms. Keep copies of both with the contract record for the service.
- Secure Connectivity: The Azure and M365 portals and APIs are already HTTPS-only, so the work is on the services and management interfaces you expose yourself. Require TLS 1.2 or later on them (for example the minimum TLS version setting on storage accounts and App Service) and use Azure Policy to audit or deny resources that still accept older versions, so the requirement is enforced rather than merely documented.
- Performance and Security Monitoring: Use Azure Network Watcher to cover both halves of the control: Connection Monitor measures reachability and latency of network links against the agreed service levels, while NSG or virtual network flow logs (with Traffic Analytics) show whether traffic the policy should block is in fact being allowed. Network Watcher does not see inside M365 itself; for the provider-side view use the Service health and Network connectivity pages in the Microsoft 365 admin center.
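The script below is an added example, not part of the original page and not Microsoft tooling. It parses NSG flow log records in the documented version 2 format, flags inbound flows that the NSG allowed to a management port from a source outside an allowlist, and tallies denied inbound attempts. The sample records, the management-port set and the 203.0.113.0/24 "VPN egress" range are constructed assumptions for illustration; in practice the records come from the storage account the flow logs are written to. The findings it produces are the kind of monitoring output the evidence checklist below asks for.

```python
"""Triage Azure NSG flow log records (schema version 2) for unexpected traffic.

Added example with constructed input, not a real capture.  A v2 flow tuple is:
timestamp,srcIP,dstIP,srcPort,dstPort,protocol(T/U),direction(I/O),
decision(A/D),state(B/C/E),pktsSrcToDst,bytesSrcToDst,pktsDstToSrc,bytesDstToSrc
(state B tuples carry no packet or byte counts).
"""
import ipaddress
import json
from collections import Counter
from dataclasses import dataclass

# Assumed policy: management ports are reachable only from the corporate VPN egress range.
MANAGEMENT_PORTS = {22, 3389, 5985, 5986}
ALLOWED_MGMT_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample: one NSG, three rules, five flow tuples.
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2024-05-01T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/PROD-RG"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_allow-ssh-from-vpn", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1714557600,203.0.113.10,10.0.1.4,51000,22,T,I,A,B,,,,",            # SSH from VPN: expected
            "1714557605,198.51.100.23,10.0.1.4,40001,22,T,I,A,E,9,1200,8,900",  # SSH from Internet, allowed
        ]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1714557610,192.0.2.77,10.0.1.4,53333,3389,T,I,D,B,,,,",
            "1714557611,192.0.2.77,10.0.1.4,53334,445,T,I,D,B,,,,",
        ]}]},
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1714557620,10.0.1.4,13.107.42.14,44931,443,T,O,A,C,7,1158,12,8143",
        ]}]},
    ]},
}]})


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str
    direction: str  # I = inbound to the NIC, O = outbound
    decision: str   # A = allowed by the rule, D = denied
    state: str      # B = begin, C = continuing, E = end
    rule: str       # NSG rule that matched the flow
    bytes_src_to_dst: int
    bytes_dst_to_src: int


def _count(field: str) -> int:
    return int(field) if field else 0  # B-state tuples leave the counters empty


def parse_tuple(raw: str, rule: str) -> Flow:
    f = raw.split(",")
    if len(f) != 13:
        raise ValueError(f"expected 13 fields in a v2 flow tuple, got {len(f)}: {raw!r}")
    return Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), f[5], f[6], f[7], f[8],
                rule, _count(f[10]), _count(f[12]))


def parse_flow_log(text: str) -> list[Flow]:
    flows = []
    for record in json.loads(text)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError(f"unsupported flow log schema version {props.get('Version')!r}")
        for rule_block in props["flows"]:
            for nic in rule_block["flows"]:
                flows.extend(parse_tuple(t, rule_block["rule"]) for t in nic["flowTuples"])
    return flows


def source_is_allowlisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_MGMT_SOURCES)


def unauthorized_management_access(flows: list[Flow]) -> list[Flow]:
    """Inbound flows the NSG *allowed* to a management port from outside the allowlist.

    These are the findings: the service passed traffic that policy says it must not,
    which usually means the matching rule's source prefix is broader than intended.
    """
    return [f for f in flows
            if f.direction == "I" and f.decision == "A"
            and f.dst_port in MANAGEMENT_PORTS and not source_is_allowlisted(f.src)]


def denied_inbound_summary(flows: list[Flow]) -> Counter:
    """Denied inbound attempts by (source, destination port).

    Evidence that the deny rules are in effect, and a view of who is probing the service.
    """
    return Counter((f.src, f.dst_port) for f in flows
                   if f.direction == "I" and f.decision == "D")


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG)
    for f in unauthorized_management_access(flows):
        print(f"FINDING rule={f.rule} {f.src}:{f.src_port} -> {f.dst}:{f.dst_port} allowed, "
              f"{f.bytes_src_to_dst} bytes in, {f.bytes_dst_to_src} bytes out")
    for (src, port), n in denied_inbound_summary(flows).most_common():
        print(f"denied  {src} -> port {port}: {n} attempt(s)")
```

Run against the sample, the script reports one finding: SSH from 198.51.100.23 was allowed by a rule named for the VPN, which is exactly the case a monitoring routine for this control exists to catch, since the rule's name says one thing and its effect says another. The denied-traffic tally is the complementary evidence that the deny rules are doing their job.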
Evidence Checklist
- Network Service Agreements: Contracts or SLAs with providers that explicitly define security requirements (e.g., DDoS protection, uptime, encryption in transit, incident notification times).
- Service Review Records: Minutes, reports or tickets from periodic reviews of provider performance against the agreed security levels, including what was done when a target was missed.
- Network Security Logs: Audit trails (flow logs, connection-monitor results, alerts) showing that external network services are monitored for security events and not only for availability.
Practical Audit Advice
Here are some questions the auditor might ask:
- How does the organization ensure that a third-party network provider is adhering to the security clauses in its contract?
- What technical measures are in place to ensure that network management traffic is isolated from standard user data traffic?
- In the event of a significant network service failure, what is the process for verifying the security integrity of the service once it is restored?
- How are the security features of a new network service (e.g., a new SD-WAN or VPN) vetted before deployment?