Article 5
(Network Segmentation)
- Work areas shall be divided and isolated by network segmentation to ensure network infrastructure security.
- For the purpose of maintaining business operation, the network shall be segmented into, for example, Demilitarized Zone (DMZ), Production (Prod.), Unit Test (UT) or User Acceptance Test (UAT), and other zones.
- An organization shall define its extranet and intranet. The extranet is the segment connected to the Internet, while the intranet is the server-equipped segment between organizational personnel and the organization's internal services. Traffic from the extranet to the intranet is subject to access control and is restricted to official use by organizational personnel or approved use by information service providers, so that unauthorized services cannot enter the intranet.
- Segregation by a virtual local area network, or VLAN, is advised for intranet segments of an organization. The intranet may be segmented according to the internal units, departments, business natures, etc. of the organization, with restrictions imposed on access among different VLANs.
- An organization shall isolate access-restricted services and other specific services by appropriate means. Depending on the method of segregation, information personnel shall periodically review the firewall rules or access control lists (ACLs).
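As an added illustration of the periodic firewall rule/ACL review described above (example code, not part of the article): it checks that extranet-to-intranet allow rules name a source and carry an approval record, that access between intranet VLANs is not wide open, and that every rule has been reviewed within the interval. The zone names Prod/UT/UAT, the 90-day interval and all rules are constructed assumptions.

```python
# Added example (not from the article): periodic review of zone-based firewall
# rules. Zone names extranet/DMZ/Prod/UT/UAT and all rules are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
INTRANET = {"Prod", "UT", "UAT"}  # assumed intranet VLAN names
REVIEW_DAYS = 90                  # assumed review interval

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    port: str           # "443", "22", "any", ...
    action: str         # "allow" or "deny"
    approved_by: str    # approval record, empty if none
    last_reviewed: date

def review(rules: list[Rule], today: date) -> dict[str, list[str]]:
    findings: dict[str, list[str]] = {}  # rule name -> list of issues
    for r in rules:
        issues = []
        age = (today - r.last_reviewed).days
        if age > REVIEW_DAYS:
            issues.append(f"stale: not reviewed for {age} days")
        if r.action == "allow":
            # Extranet -> intranet: named sources only, with an approval record.
            if r.src_zone == "extranet" and r.dst_zone in INTRANET:
                if r.src == "any":
                    issues.append("extranet->intranet allow from any source")
                if not r.approved_by:
                    issues.append("extranet->intranet allow without approval record")
            # Between different intranet VLANs: access must be restricted.
            if (r.src_zone in INTRANET and r.dst_zone in INTRANET
                    and r.src_zone != r.dst_zone and r.dst == r.port == "any"):
                issues.append(f"unrestricted VLAN access {r.src_zone}->{r.dst_zone}")
        if issues:
            findings[r.name] = issues
    return findings

TODAY = date(2024, 6, 1)  # constructed review date
SAMPLE_RULES = [
    Rule("web-in", "extranet", "DMZ", "any", "10.1.1.10", "443", "allow", "netops", TODAY),
    Rule("ext-to-prod", "extranet", "Prod", "any", "10.2.0.0/24", "any", "allow", "", TODAY),
    Rule("vendor-ssh", "extranet", "Prod", "203.0.113.0/24", "10.2.0.5", "22", "allow",
         "ticket-42", TODAY - timedelta(days=120)),
    Rule("uat-to-prod", "UAT", "Prod", "any", "any", "any", "allow", "netops", TODAY),
    Rule("default-deny", "any", "any", "any", "any", "any", "deny", "netops", TODAY),
]
```

Calling `review(SAMPLE_RULES, TODAY)` reports the unrestricted and unapproved extranet-to-Prod rule, the stale vendor rule and the open UAT-to-Prod rule, while the DMZ web rule and the default deny pass.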