Network Security & Vulnerability Mgmt
Plain English Translation
Computer networks processing personal data must be protected against unauthorized access, interference, and disruption using firewalls, network segmentation, and other appropriate controls. Organizations are required to conduct regular vulnerability assessments to identify and remediate weaknesses before they can be exploited. These network security measures directly support the confidentiality and availability of personal data.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Enable basic cloud provider firewalls, restrict SSH/RDP access to internal IPs only, and run open-source vulnerability scanners quarterly.
Required Actions (scaleup)
- Implement dedicated network segmentation separating staging and production environments, and execute monthly automated vulnerability scans.
Required Actions (enterprise)
- Deploy a Web Application Firewall (WAF), enforce zero-trust network access (ZTNA), and conduct annual third-party gray-box penetration tests on all critical infrastructure.
Under IRR Section 28(b), organizations must protect their computer networks against accidental, unlawful, or unauthorized usage, and any interference that could affect data integrity or system availability.
Organizations must deploy technical and logical security measures, such as firewalls and access controls, to safeguard the confidentiality, integrity, and availability of personal data transmitted over electronic networks.
Required technical measures include encryption, robust authentication processes, strict network access limitations, and the execution of regular vulnerability assessments.
Yes, IRR Section 28(b) explicitly mandates that regular assessments for vulnerabilities in computer systems processing personal data must be conducted.
While the IRR mandates 'regular' assessments, industry best practice and typical NPC compliance expectations dictate running automated vulnerability scans monthly and comprehensive penetration tests annually.
The NPC expects the implementation of reasonable and appropriate technical safeguards that align with current industry standards, commensurate with the size of the organization and the sensitivity of the data processed.
Although the law is technology-neutral, deploying firewalls and network segmentation represents the standard, reasonable, and appropriate technical measures necessary to prevent unauthorized access and comply with the DPA.
CISOs can demonstrate compliance by maintaining updated network architecture diagrams, documenting firewall rulesets, and presenting a historical log of vulnerability scan reports alongside proof of timely remediation.
Required evidence includes formal network security policies, recent vulnerability and penetration testing reports, patch management logs, and configuration records for perimeter defense systems.
Vulnerability management proactively identifies and resolves software flaws and misconfigurations before malicious actors can exploit them, drastically reducing the risk of unauthorized network intrusion and data exfiltration.
Vulnerability assessments create recurring evidence that must be tracked over time, not just stored once. WatchDog Security's Vulnerability Management can help ingest findings from multiple sources, support triage workflows, and show remediation progress and MTTR analytics for audit and management review.
Network security controls are easier to defend when they are mapped to specific legal requirements, evidence artifacts, and remediation owners. WatchDog Security's Compliance Center can help link vulnerability scans, patch records, and network security evidence to RA 10173 control requirements while highlighting gaps that still need attention.
"Personal data in a computer network should be protected against risks such as accidental, unlawful or unauthorized usage, any interference which will affect data integrity or hinder functioning or availability of system, and unauthorized access transmitted over an electronic network. Regular assessment for vulnerabilities in its computer systems should be conducted."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | WatchDog GRC Team | Initial publication |

