Restrict Network Access to Database Servers
Database server communications are limited to necessary network resources only.
Plain language
This control is about making sure your database servers only communicate with the parts of the network that genuinely need to reach them. It matters because a database port that is reachable from anywhere on the network lets an attacker with a foothold on any other system connect to the database directly, which can lead to data theft or service disruption, and lets them use the database server as a stepping stone into other sensitive parts of your network.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Network access controls are implemented to restrict database server communications to strictly defined network resources that require access to the database server.
Why it matters
If database servers allow broad network access, attackers can reach exposed database ports, leading to unauthorised data access, breaches and server compromise.
Operational notes
Restrict database server listening ports to approved subnets/hosts only, with everything else denied by default; regularly review firewall/ACL allow-lists for entries that are broader than the documented need, and alert on failed or unexpected connections to database services.
Implementation tips
- The IT team should identify all parts of the network that need access to the database servers. Start by listing applications and services that connect to the database and verify with each department that these connections are still necessary.
- Managers should ensure that network access rules are up to date. Have a session with the IT team to go over existing network rules and remove or limit any that don't have a clear business need.
- The IT team should set up network firewalls or similar tools to block unwanted access. Configure rules that allow connections only from the specific hosts or subnets with a documented need (application servers, administration hosts), only to the database listening ports, and deny everything else by default.
- System owners should regularly review who has access to the database servers. Hold periodic reviews, both scheduled and in response to any changes, to make sure only essential users maintain access.
- IT security personnel should educate staff about the importance of restricting database access. Conduct training sessions explaining how network access control helps protect the company's data and emphasise individual responsibilities in maintaining security.
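The operational notes and the implementation tips above describe one procedure: build an inventory of approved sources, express it as a default-deny allow-list on the database ports, then review the live rules against that inventory and alert on connections that fall outside it. The following Python script is an added example, not part of the ISM text or of any vendor tooling. The rule syntax (`allow <cidr> -> <port>`), the firewall log format, the approved networks, and the set of database ports are all assumptions constructed for the example; a real deployment would swap the two parsers for the export format of the firewall or ACL product in use.

```python
"""Allow-list review and unexpected-connection alerting for database ports.

Added example for ISM-1271; rule/log formats and networks are constructed
for illustration and are not the page's own material.
"""
import ipaddress
from collections import namedtuple

# Database listening ports in scope (assumed for this example).
DB_PORTS = {1433, 1521, 3306, 5432}  # MSSQL, Oracle, MySQL/MariaDB, PostgreSQL

# Approved sources from the access inventory (constructed for the example).
APPROVED = {
    "app-tier": ipaddress.ip_network("10.10.20.0/24"),
    "dba-bastion": ipaddress.ip_network("10.10.99.5/32"),
}

Rule = namedtuple("Rule", "action source dport")
Event = namedtuple("Event", "ts src dport verdict")


def parse_rules(text):
    """Parse constructed rule lines of the form 'allow 10.10.20.0/24 -> 5432'."""
    rules = []
    for line in text.strip().splitlines():
        action, src, _arrow, port = line.split()
        rules.append(Rule(action, ipaddress.ip_network(src), int(port)))
    return rules


def review_rules(rules, approved):
    """Flag allow rules on a DB port whose source is not inside an approved network."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dport not in DB_PORTS:
            continue  # non-DB ports and deny rules are out of scope here
        covered = any(
            r.source.version == net.version and r.source.subnet_of(net)
            for net in approved.values()
        )
        if not covered:
            findings.append(f"over-broad allow: {r.source} -> {r.dport}")
    return findings


def generate_rules(approved, ports):
    """Render the intended allow-list: one allow per approved source and DB port,
    followed by a default deny (dport 0 means 'any port' in this example's syntax)."""
    rules = [Rule("allow", net, p) for net in approved.values() for p in sorted(ports)]
    rules.append(Rule("deny", ipaddress.ip_network("0.0.0.0/0"), 0))
    return rules


def parse_log(text):
    """Parse constructed firewall log lines: '<ts> <src_ip> <dst_ip> <dport> <ACCEPT|DROP>'."""
    events = []
    for line in text.strip().splitlines():
        ts, src, _dst, port, verdict = line.split()
        events.append(Event(ts, ipaddress.ip_address(src), int(port), verdict))
    return events


def unexpected_connections(events, approved):
    """Alert on DB-port traffic that was dropped (probing or misconfiguration) or
    accepted from a source not on the allow-list (a gap in the enforced rules)."""
    alerts = []
    for e in events:
        if e.dport not in DB_PORTS:
            continue
        src_ok = any(e.src in net for net in approved.values())
        if e.verdict != "ACCEPT":
            alerts.append(("failed", e.ts, str(e.src), e.dport))
        elif not src_ok:
            alerts.append(("unexpected-accept", e.ts, str(e.src), e.dport))
    return alerts


# Constructed sample rule export: the 0.0.0.0/0 entry on 3306 is the weak setting.
RULES = """\
allow 10.10.20.0/24 -> 5432
allow 10.10.99.5/32 -> 5432
allow 0.0.0.0/0 -> 3306
allow 10.10.20.0/24 -> 443
"""

# Constructed sample firewall log lines.
LOG = """\
2025-03-01T10:00:01Z 10.10.20.14 10.10.30.5 5432 ACCEPT
2025-03-01T10:00:07Z 10.10.99.5 10.10.30.5 5432 ACCEPT
2025-03-01T10:01:12Z 192.168.1.77 10.10.30.5 5432 DROP
2025-03-01T10:02:30Z 10.10.50.9 10.10.30.5 3306 ACCEPT
2025-03-01T10:03:00Z 10.10.20.14 10.10.30.5 443 ACCEPT
"""

if __name__ == "__main__":
    for finding in review_rules(parse_rules(RULES), APPROVED):
        print("REVIEW:", finding)
    for alert in unexpected_connections(parse_log(LOG), APPROVED):
        print("ALERT:", *alert)
    print("Intended allow-list for PostgreSQL:")
    for r in generate_rules(APPROVED, {5432}):
        print(f"  {r.action} {r.source} -> {r.dport or 'any'}")
```

Run on the constructed data, the review flags the `0.0.0.0/0 -> 3306` rule as over-broad, and the log scan raises two alerts: the dropped attempt from 192.168.1.77 (a probe against the PostgreSQL port) and the accepted MySQL connection from 10.10.50.9, which is not in the inventory and therefore points at a rule that should not exist. The second kind of alert is the one worth wiring into the periodic review, since it shows the enforced allow-list and the documented one have drifted apart.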
Audit / evidence tips
- Ask for: the network access policy document. Secure a copy of the policy detailing access to the database servers.
  Good evidence: policies with clear access rules and justification for each allowed connection.
- Ask for: a network diagram showing database connections. Request a diagram illustrating how databases connect within the network.
  Good evidence: a diagram showing only the restricted, necessary connections, visually confirming the access rules.
- Ask for: logs from network firewalls or similar tools. Obtain logs that detail access attempts to the database servers.
  Good evidence: logs with no unauthorised or unexpected access attempts.
- Ask for: the most recent access review report. Request a report of the last review of who can access the databases.
  Good evidence: a recent report showing changes acted on and approved with clear business rationale.
- Ask for: training materials on access security. Request copies of the materials used in staff training sessions on restricting database access.
  Good evidence: comprehensive materials detailing why access is restricted and the employee's role in maintaining it.
Cross-framework mappings
How ISM-1271 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.20 | ISM-1271 requires network access controls that restrict database server communications to strictly defined network resources that need ac... |
| Partially overlaps | Annex A 8.22 | ISM-1271 requires organisations to restrict database server communications to only the network resources that require access |
| Supports | Annex A 8.21 | ISM-1271 requires restricting database server network communications to a strictly defined set of permitted network resources |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.