SC-05-727 Denial of Service Protection

Denial of Service Protection

Control ID

SC-05-727

Control Name

Denial of Service Protection

Control Category

System and Communications Protection

Functional Areas

Protect

Sub-Areas

System Communications Protection

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

May 20, 2016

Agency Implementation

All Agency networks shall reside behind layers of network defense systems and utilize redundant Internet connections to minimize the risk to a denial of service attack. Network security systems (e.g., firewalls) shall block inbound traffic requests that exceed a reasonable threshold within a given amount of time, and provide alerting to network administration personnel of the incident.

Locally hosted mission critical information resources shall be designed such that they are accessible from within the Agency network during periods of degraded network connectivity. Cloud-based mission critical information resources shall be served by redundant datacenters that provide continued access during degraded network connectivity at one datacenter.

Risk Statement

Inadequately managed and controlled networks and supporting infrastructure expose systems and applications.

Control Description

The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].

Control Example

The organization has controls in place to decrease risk of denial of service attacks (internal and external) on critical information systems. Examples could include use of tools and configuration settings at the network layer to combat such attempts, and/or proactively monitoring for denial of service attempts so timely steps can be taken to address the risk.

State Implementation

Each state organization head or his/her designated representative and information security officer shall establish a security strategy that includes perimeter protection. The department will provide security information management services to include external network monitoring, scanning, and alerting for state organizations that utilize State information resources as specified in Chapters 2054 and 2059, Government Code. Perimeter security controls may include some or all of the following components: DMZ, firewall, intrusion detection or prevention system, or router.

Testing Procedures

Obtain system and communications protection policy; procedures addressing denial of service protection; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records and ascertain if : (I)the organization defines in the security plan, explicitly or by reference, the types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system. (ii)the information system protects against or limits the effects of the organization-defined or referenced types of denial of service attacks.