
System and communications protection policy

The system and communications protection policy establishes the rules needed to implement network segmentation and boundary protection throughout the organization, as well as the rules governing how cryptography will be implemented. Additionally, this policy establishes rules around allowed communication methods and mechanisms to ensure that the authenticity of those methods is maintained.

What the system and communications policy should address:

  • Monitoring, controlling, and protecting organizational communications (that is, information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems
  • Employing architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems
  • Implementing subnetworks for publicly accessible system components that are physically or logically separated from internal networks
  • Denying network communications traffic by default and allowing network communications traffic by exception (that is, deny all, permit by exception)
  • Preventing remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks
  • Implementing cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical safeguards
  • Terminating network connections associated with communication sessions at the end of the sessions or after a defined period of inactivity
  • Establishing and managing cryptographic keys for cryptography employed in the information system
  • Employing cryptography to protect the confidentiality of system information
  • Prohibiting remote activation of collaborative computing devices and providing an indication of devices in use to users present at the device
  • Controlling and monitoring the use of mobile code
  • Controlling and monitoring the use of Voice over Internet Protocol (VoIP) technologies
  • Protecting the authenticity of communication sessions
  • Protecting the confidentiality of information at rest