Security Gateways Clause Samples
The 'Security Gateways' clause establishes requirements for the use and management of security gateways, such as firewalls or intrusion prevention systems, to protect a network or system from unauthorized access and cyber threats. Typically, this clause outlines the types of gateways that must be implemented, the standards they should meet, and the responsibilities for monitoring and maintaining their effectiveness. By mandating these controls, the clause helps ensure that sensitive data and systems are safeguarded against external attacks, thereby reducing the risk of security breaches and maintaining compliance with relevant security standards.
Security Gateways. Require Strong Authentication for administrative and/or management access to Security Gateways, including, but not limited to, any access for the purpose of reviewing log files.
Security Gateways. For access to Security Gateways, ensure that user authorization levels to administer and manage Security Gateways are appropriate, and that all rule sets either explicitly or implicitly “DENY ALL” inbound access except where there is a business need, and then only with strong authentication. For access to In-Scope Information, and for host devices that support it, assign unique credentials (e.g., UserIDs, passwords) to authorized individual users, assign individual ownership to system service accounts, and ensure that system service accounts are not shared by administrators.
Security Gateways. The Supplier shall:
10.1 Require Strong Authentication for administrative and/or management access to Security Gateways, including any access for the purpose of reviewing log files.
10.2 Have and use documented controls, policies, processes and procedures to ensure that unauthorized users do not have administrative and/or management access to Security Gateways, and that user authorization levels to administer and manage Security Gateways are appropriate.
10.3 At least once every six (6) months, ensure that Security Gateway configurations are hardened by selecting a sample of Security Gateways and verifying that each default rule set and each set of configuration parameters is implemented.
10.4 Use monitoring tools to validate that all aspects of Security Gateways (e.g., hardware, firmware, and software) are continuously operational.
10.5 Configure and implement all Security Gateways such that all non-operational Security Gateways shall deny all access.
10.6 Configure real-time alerting for changes to the Security Gateway configuration and/or rule base.
Security Gateways. The Supplier shall:
14.1 Require Strong Authentication for administrative and/or management access to Security Gateways, including any access for the purpose of reviewing log files.
14.2 Have and use documented controls, policies, processes and procedures to ensure that unauthorized users do not have administrative and/or management access to Security Gateways, and that user authorization levels to administer and manage Security Gateways are appropriate.
14.3 At least once every six (6) months, ensure that Security Gateway configurations are hardened by selecting a sample of Security Gateways and verifying that each default rule set and each set of configuration parameters is implemented, including:
(a) Internet Protocol (IP) source routing is disabled;
(b) The loopback address is prohibited from entering the internal network;
(c) Anti-spoofing filters are implemented;
(d) Broadcast packets are disallowed from entering the network;
(e) Internet Control Message Protocol (ICMP) redirects are disabled;
(f) All rule sets end with a “DENY ALL” statement; and
(g) Each rule is traceable to a specific business request.
14.4 Use monitoring tools to validate that all aspects of Security Gateways (e.g., hardware, firmware, and software) are continuously operational.
14.5 Configure and implement all Security Gateways such that all non-operational Security Gateways shall deny all access.
14.6 Configure real-time alerting for changes to the Security Gateway configuration and/or rule base.
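One way a supplier could evidence the six-monthly hardening review in 10.3 and 14.3 (a) through (g), as an added example that is not part of these clause samples: a small Python audit that reads an exported gateway configuration and reports, per item, what fails. The inputs are constructed here for the example (an iptables-save style rule dump and a sysctl listing); the external interface name eth0, the FORWARD chain, and the CHG-nnnn change-ticket tag used to satisfy (g) are all assumptions, and a real review would export the live configuration of each sampled gateway instead.

```python
"""Audit an exported gateway configuration against clause 14.3 (a)-(g).

Added example, not part of the clause samples. The input formats (an
iptables-save style dump and a sysctl listing), the interface name eth0,
the FORWARD chain and the CHG-nnnn ticket convention are assumptions."""
import re
from typing import Dict, List, Tuple

# Constructed sample: eth0 faces the Internet, eth1 the internal network.
# Two deliberate defects: the port-22 rule carries no change ticket (g) and
# ICMP redirects are still accepted (e).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -s 127.0.0.0/8 -m comment --comment "CHG-1001 block loopback" -j DROP
-A FORWARD -i eth0 -s 10.0.0.0/8 -m comment --comment "CHG-1001 anti-spoof" -j DROP
-A FORWARD -i eth0 -s 172.16.0.0/12 -m comment --comment "CHG-1001 anti-spoof" -j DROP
-A FORWARD -i eth0 -s 192.168.0.0/16 -m comment --comment "CHG-1001 anti-spoof" -j DROP
-A FORWARD -i eth0 -d 255.255.255.255 -m comment --comment "CHG-1001 no broadcast" -j DROP
-A FORWARD -i eth0 -p tcp -d 192.168.10.5 --dport 443 -m comment --comment "CHG-2042 web portal" -j ACCEPT
-A FORWARD -i eth0 -p tcp -d 192.168.10.9 --dport 22 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.rp_filter = 1
"""

RULE_RE = re.compile(r"^-A (\S+)(.*)$")
POLICY_RE = re.compile(r"^:(\S+) (\S+) ")
# Only the match options the audit needs; a comment text containing "-s"
# in quotes would confuse this simple tokenizer, so keep comments plain.
OPT_RE = re.compile(r"(?:^| )(-i|-o|-s|-d|-p|-j|--dport) (\S+)")
COMMENT_RE = re.compile(r'--comment "([^"]*)"')
TICKET_RE = re.compile(r"\b[A-Z]{2,5}-\d+\b")  # assumed change-ticket format
LOOPBACK, BROADCAST = "127.0.0.0/8", "255.255.255.255"
PRIVATE = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}
MATCH_OPTS = ("-i", "-o", "-s", "-d", "-p", "--dport")


def parse_rules(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Return (chain policies, rules); each rule is a dict of its options."""
    policies, rules = {}, []
    for line in text.splitlines():
        p = POLICY_RE.match(line)
        if p:
            policies[p.group(1)] = p.group(2)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rule = {"chain": m.group(1), "line": line}
        rule.update(OPT_RE.findall(m.group(2)))
        c = COMMENT_RE.search(line)
        rule["comment"] = c.group(1) if c else ""
        rules.append(rule)
    return policies, rules


def parse_sysctl(text: str) -> Dict[str, str]:
    return dict(re.findall(r"^(\S+)\s*=\s*(\S+)", text, re.M))


def audit(rules_text: str, sysctl_text: str, ext: str = "eth0",
          chain: str = "FORWARD") -> Dict[str, List[str]]:
    """Map each 14.3 item letter to its findings (empty list = pass)."""
    policies, rules = parse_rules(rules_text)
    sysctl = parse_sysctl(sysctl_text)
    f: Dict[str, List[str]] = {k: [] for k in "abcdefg"}
    chain_rules = [r for r in rules if r["chain"] == chain]
    drops = [r for r in chain_rules if r.get("-i") == ext and r.get("-j") == "DROP"]
    if sysctl.get("net.ipv4.conf.all.accept_source_route") != "0":
        f["a"].append("IP source routing not disabled (accept_source_route != 0)")
    if not any(r.get("-s") == LOOPBACK for r in drops):
        f["b"].append(f"no DROP of loopback source {LOOPBACK} on {ext}")
    for net in sorted(PRIVATE - {r.get("-s") for r in drops}):
        f["c"].append(f"no anti-spoofing DROP for source {net} on {ext}")
    # Ordering matters: a filter placed after an ACCEPT never sees that traffic.
    first_accept = next((i for i, r in enumerate(chain_rules)
                         if r.get("-j") == "ACCEPT"), len(chain_rules))
    spoof_idx = [i for i, r in enumerate(chain_rules) if r.get("-j") == "DROP"
                 and r.get("-i") == ext and r.get("-s") in PRIVATE | {LOOPBACK}]
    if any(i > first_accept for i in spoof_idx):
        f["c"].append("anti-spoofing filter appears after an ACCEPT rule")
    if not any(r.get("-d") == BROADCAST for r in drops):
        f["d"].append(f"no DROP of broadcast destination {BROADCAST} on {ext}")
    if sysctl.get("net.ipv4.conf.all.accept_redirects") != "0":
        f["e"].append("ICMP redirects not disabled (accept_redirects != 0)")
    last = chain_rules[-1] if chain_rules else {}
    catch_all = last.get("-j") == "DROP" and not any(k in last for k in MATCH_OPTS)
    if policies.get(chain) != "DROP" and not catch_all:
        f["f"].append(f"chain {chain} has neither a DROP policy nor a final unconditional DROP")
    for r in chain_rules:
        if r.get("-j") == "ACCEPT" and not TICKET_RE.search(r["comment"]):
            f["g"].append(f"ACCEPT rule without change ticket: {r['line']}")
    return f


if __name__ == "__main__":
    for item, findings in audit(SAMPLE_RULES, SAMPLE_SYSCTL).items():
        print(f"14.3({item}): {'PASS' if not findings else '; '.join(findings)}")
```

Run against the constructed sample, items (e) and (g) fail and the rest pass. Item (f) is satisfied by either a DROP chain policy or a final unconditional DROP rule, which mirrors the "explicitly or implicitly DENY ALL" wording in the second clause sample; the ordering check under (c) catches the common mistake of appending anti-spoofing filters below an existing ACCEPT, where they never match.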
