BG Group
Information Management
Standard 10.6 Network Security Management
Change history
Next review date: 1.10.06
Objective
To ensure the safeguarding of information in networks and the protection of the
supporting infrastructure.
Standard
1. Network Controls
(a) Responsibility and Ownership
Networks must be managed to ensure the security of data and the protection of
connected services from unauthorised access. The overall responsibility for provision
of network services and ensuring their security, to meet the business need, resides
with the IM Service Operations Manager.
(b) Diagnostic Software Utilities
Software and hardware engineers often need to make use of powerful tools to
investigate problems or monitor performance, etc. In the wrong hands, these tools
could result in the disclosure or unauthorised amendment of sensitive data. Therefore,
appropriate controls must be implemented to ensure that these tools are used only by
authorised personnel.
Access to network monitoring tools needs to be subject to the same level of access
control as sensitive or critical business systems. The infrastructure data steward must
sanction access to these systems.
Levels of authority within network management systems must be tightly controlled,
making sure that users do not have more privilege than is required to perform their
job. These levels of authority must be authorised by the infrastructure data steward.
(c) Diagnostic Hardware and Network Analysers (e.g. Sniffers)
Static devices. Non-portable or permanently attached diagnostic devices must be
physically located in secure areas. Access must be tightly controlled by network
management software.
Portable devices. Portable diagnostic devices must be kept secure, and their use
authorised and logged on each occasion.
(d) Change Control
Network Security Management Version: 1.0
© 2005 BG Group page 1 Date: Sept 2005
Changes to the configuration of the network must be subject to documented change
control procedures.
(e) Network Access Control
Standards and procedures for access control, including firewalls, proxy servers,
remote access, VPNs, modems, etc., are specified in Standard 11.4 Network Access
Control.
2. Security of Networked Services
Parts of the BG network are provided and managed by third parties. It is essential that
the contracts between BG and these service providers specify the necessary security
requirements and service levels. Specifications should include the security technology
that will be employed, e.g. the authentication, encryption and connection controls.
Full details of the security attributes must be ascertained and a risk assessment
undertaken.
BG should monitor the performance of service providers against agreed service levels,
and retain the right to audit.
Procedures
Network Accounts SetUp
Change Control Procedure
Control Evidence
Change control records
TACACS reports