DS-02 Data Security & Protection

Network Security / Firewall

Zones are segmented; rules follow least privilege.

Domain: Data Security & Protection
Control type: Preventive/Detective
Automated / manual: Hybrid
Frequency: Per event + periodic
Framework reference: MAS TRM – Network; COBIT DSS05

What good looks like

Firewall rules enforce least-privilege segmentation; changes approved; rulesets periodically reviewed.

Risk if it fails

Lateral movement; unauthorised traffic.

How Tess tests it

4 tests — each concludes only on cited evidence.

Firewall change & periodic-review process defined

Design

Procedure: Inspect the process.
Expected: Change control and review cadence defined.
Sample: 1 (design inspection)
Evidence: Firewall ruleset, change tickets, review records.

Rule changes approved before implementation

Operating

Procedure: Sample firewall changes.
Expected: Each change pre-approved.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Firewall ruleset, change tickets, review records.

Periodic ruleset review performed

Operating

Procedure: Inspect the latest review.
Expected: Performed; redundant/permissive rules addressed.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Firewall ruleset, change tickets, review records.

Default-deny segmentation between zones

Operating

Procedure: Inspect the ruleset.
Expected: Least-privilege segmentation enforced.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Firewall ruleset, change tickets, review records.

Evidence Tess looks for

Firewall ruleset, change tickets, review records.

More in Data Security & Protection

DS-01 Data Classification & Handling DS-03 Encryption at Rest DS-04 Encryption in Transit DS-05 Cryptographic Key Management

Want Tess to test DS-02 against your evidence?