Question: Network security standards
Hi,
I have recently been asked
Is there a way we can find out if there is any sort of guideline for net security for high risk sites so that we can defend our position?
in relation to if we send sensitive data such as building management traffic across our site and to the cloud.
Currently our institute does follow any industry standards (officially may i add :) ), but I know when you are dealing with medical data, card payments and leagel services there are accretions that must be meet. Can any one suggest some thing similar for a research institute that we may want to look at that would start as a good foundation for re-evaluating our IT security from a technical point of view to bring it all up to a level playing field?
Cheers
Answers
I believe (although I've not read it myself) that ISO 27033 contains guidance on network architecture with reference to a number of scenarios.
More generally though you want to be segregating the traffic at an appropriate layer so that different controls can be applied to different types of traffic. You also need to put some thought as to how the technology used to perform the segregation works under the attacks you are trying to defend against (for example what happens to the availability of other VLANs if one is carrying a DDoS attack?).
This will be complicated by the fact that different types of information may require different types of segregation in order to meet different compliance requirements. So your QSA may be happy with one type of segregation for your payment systems, whilst the NHS might have conflicting requirements for the handling of medical data.