SC-05-727 Denial of Service Protection

SC-05-727
Denial of Service Protection
System and Communications Protection
Protect
System Communications Protection
LOW, MOD, HIGH
P1
Yes
May 20, 2016

All Agency networks shall reside behind layers of network defense systems and utilize redundant Internet connections to minimize the risk of a denial of service attack. Network security systems (e.g., firewalls) shall block inbound traffic requests that exceed a reasonable threshold within a given amount of time, and shall alert network administration personnel to the incident.

Locally hosted mission critical information resources shall be designed such that they are accessible from within the Agency network during periods of degraded network connectivity. Cloud-based mission critical information resources shall be served by redundant datacenters that provide continued access during degraded network connectivity at one datacenter.

Inadequately managed and controlled networks and supporting infrastructure expose systems and applications.
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].
The organization has controls in place to decrease risk of denial of service attacks (internal and external) on critical information systems. Examples could include use of tools and configuration settings at the network layer to combat such attempts, and/or proactively monitoring for denial of service attempts so timely steps can be taken to address the risk.
Each state organization head or his/her designated representative and information security officer shall establish a security strategy that includes perimeter protection. The department will provide security information management services to include external network monitoring, scanning, and alerting for state organizations that utilize State information resources as specified in Chapters 2054 and 2059, Government Code. Perimeter security controls may include some or all of the following components: DMZ, firewall, intrusion detection or prevention system, or router.
Obtain system and communications protection policy; procedures addressing denial of service protection; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records and ascertain if: (i) the organization defines in the security plan, explicitly or by reference, the types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system; (ii) the information system protects against or limits the effects of the organization-defined or referenced types of denial of service attacks.