AzPolicyAdvertizer

last sync: 2024-Nov-25 18:54:24 UTC

Control information flow | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Control information flow
Id 59bedbdc-0ba9-39b9-66bb-1d1c192384e6
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0079 - Control information flow
Additional metadata Name/Id: CMA_0079 / CMA_0079
Category: Operational
Title: Control information flow
Ownership: Customer
Description: Microsoft recommends that your organization enforce approved authorizations for controlling the flow of information within your information systems and between any interconnected systems, such as a cloud service, based on defined information flow control policies. This can allow your organization to regulate where information is permitted to travel between information systems and within an information system. Your organization should consider creating and maintaining Access Control policies and standard operating procedures that include details on the authorizations required to control the flow of information within your information systems and between any interconnected systems based on deny all, approve by exception information flow policies. As a best practice, only trusted sources should be able to export data from the security domain. It is recommended to create network and data flow diagrams that illustrate the flow of information within your information systems and between any interconnected systems. It is recommended to control information flows between security domains on connected systems; we recommend consulting with relevant authorities, performing a risk assessment, and conducting security clearance to identify trusted sources before implementing cross-domain solutions to control the inbound/outbound traffic flow from classified networks to non-classified networks. We also recommend reviewing exceptions to the traffic flow policy at least annually and removing exceptions that are no longer supported by a specific and explicit mission or business need. Information flow control can be enforced based on organization-defined metadata and/or by employing organization-defined solutions in approved configurations. Microsoft recommends that your cloud service provider validate the functionality of the authorization mechanism before new functions are made available to cloud users and perform security testing based on industry practices.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 67 compliance controls are associated with this Policy definition 'Control information flow' (59bedbdc-0ba9-39b9-66bb-1d1c192384e6)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 2.7 CIS_Azure_1.1.0_2.7 CIS Microsoft Azure Foundations Benchmark recommendation 2.7 2 Security Center Ensure ASC Default policy setting "Monitor Network Security Groups" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable Network security group recommendations for virtual machines. link 2
CIS_Azure_1.1.0 2.8 CIS_Azure_1.1.0_2.8 CIS Microsoft Azure Foundations Benchmark recommendation 2.8 2 Security Center Ensure ASC Default policy setting "Monitor Web Application Firewall" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable Web application firewall recommendations for virtual machines. link 2
CIS_Azure_1.1.0 2.9 CIS_Azure_1.1.0_2.9 CIS Microsoft Azure Foundations Benchmark recommendation 2.9 2 Security Center Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" Shared The customer is responsible for implementing this recommendation. Enable next generation firewall recommendations for virtual machines. link 4
CIS_Azure_1.1.0 3.8 CIS_Azure_1.1.0_3.8 CIS Microsoft Azure Foundations Benchmark recommendation 3.8 3 Storage Accounts Ensure 'Trusted Microsoft Services' is enabled for Storage Account access Shared The customer is responsible for implementing this recommendation. Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. link 6
CIS_Azure_1.1.0 6.3 CIS_Azure_1.1.0_6.3 CIS Microsoft Azure Foundations Benchmark recommendation 6.3 6 Networking Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) Shared The customer is responsible for implementing this recommendation. Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP). link 2
CIS_Azure_1.3.0 3.7 CIS_Azure_1.3.0_3.7 CIS Microsoft Azure Foundations Benchmark recommendation 3.7 3 Storage Accounts Ensure 'Trusted Microsoft Services' is enabled for Storage Account access Shared The customer is responsible for implementing this recommendation. Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. link 6
CIS_Azure_1.3.0 4.3.8 CIS_Azure_1.3.0_4.3.8 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 4 Database Services Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Shared The customer is responsible for implementing this recommendation. Disable access from Azure services to PostgreSQL Database Server link 5
CIS_Azure_1.3.0 6.3 CIS_Azure_1.3.0_6.3 CIS Microsoft Azure Foundations Benchmark recommendation 6.3 6 Networking Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) Shared The customer is responsible for implementing this recommendation. Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP). link 2
CIS_Azure_1.4.0 3.7 CIS_Azure_1.4.0_3.7 CIS Microsoft Azure Foundations Benchmark recommendation 3.7 3 Storage Accounts Ensure 'Trusted Microsoft Services' are Enabled for Storage Account Access Shared The customer is responsible for implementing this recommendation. Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. link 6
CIS_Azure_1.4.0 4.3.7 CIS_Azure_1.4.0_4.3.7 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7 4 Database Services Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Shared The customer is responsible for implementing this recommendation. Disable access from Azure services to PostgreSQL Database Server link 5
CIS_Azure_1.4.0 6.3 CIS_Azure_1.4.0_6.3 CIS Microsoft Azure Foundations Benchmark recommendation 6.3 6 Networking Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) Shared The customer is responsible for implementing this recommendation. Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP). link 2
CIS_Azure_2.0.0 3.9 CIS_Azure_2.0.0_3.9 CIS Microsoft Azure Foundations Benchmark recommendation 3.9 3 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access Shared This creates authentication credentials for services that need access to storage resources so that services will no longer need to communicate via network request. There may be a temporary loss of communication as you set each Storage Account. It is recommended to not do this on mission-critical resources during business hours. Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Azure services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse (when registered in the subscription). Turning on firewall rules for storage account will block access to incoming requests for data, including from other Azure services. We can re-enable this functionality by enabling `"Trusted Azure Services"` through networking exceptions. link 6
CIS_Azure_2.0.0 4.1.2 CIS_Azure_2.0.0_4.1.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.1.2 4.1 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) Shared Disabling `Allow Azure services and resources to access this server` will break all connections to SQL server and Hosted Databases unless custom IP specific rules are added in Firewall Policy. Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP). Azure SQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters. By default, for a SQL server, a Firewall exists with StartIp of 0.0.0.0 and EndIP of 0.0.0.0 allowing access to all the Azure services. Additionally, a custom rule can be set up with StartIp of 0.0.0.0 and EndIP of 255.255.255.255 allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific datacenters. link 3
CIS_Azure_2.0.0 4.3.7 CIS_Azure_2.0.0_4.3.7 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7 4.3 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled Shared n/a Disable access from Azure services to PostgreSQL Database Server. If access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks. link 7
FedRAMP_High_R4 AC-4 FedRAMP_High_R4_AC-4 FedRAMP High AC-4 Access Control Information Flow Enforcement Shared n/a The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. References: None. link 52
FedRAMP_High_R4 AC-4(21) FedRAMP_High_R4_AC-4(21) FedRAMP High AC-4 (21) Access Control Physical / Logical Separation Of Information Flows Shared n/a The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization- defined required separations by types of information]. Supplemental Guidance: Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories. link 4
FedRAMP_Moderate_R4 AC-4 FedRAMP_Moderate_R4_AC-4 FedRAMP Moderate AC-4 Access Control Information Flow Enforcement Shared n/a The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. References: None. link 52
FedRAMP_Moderate_R4 AC-4(21) FedRAMP_Moderate_R4_AC-4(21) FedRAMP Moderate AC-4 (21) Access Control Physical / Logical Separation Of Information Flows Shared n/a The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization- defined required separations by types of information]. Supplemental Guidance: Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories. link 4
hipaa 0307.09q2Organizational.12-09.q hipaa-0307.09q2Organizational.12-09.q 0307.09q2Organizational.12-09.q 03 Portable Media Security 0307.09q2Organizational.12-09.q 09.07 Media Handling Shared n/a Data transfers outside of controlled areas are approved and records of the transfers are maintained. 2
hipaa 0811.01n2Organizational.6-01.n hipaa-0811.01n2Organizational.6-01.n 0811.01n2Organizational.6-01.n 08 Network Protection 0811.01n2Organizational.6-01.n 01.04 Network Access Control Shared n/a Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. 23
hipaa 0817.01w2System.123-01.w hipaa-0817.01w2System.123-01.w 0817.01w2System.123-01.w 08 Network Protection 0817.01w2System.123-01.w 01.06 Application and Information Access Control Shared n/a Unless the risk is identified and accepted by the data owner, sensitive systems are isolated (physically or logically) from non-sensitive applications/systems. 13
hipaa 0822.09m2Organizational.4-09.m hipaa-0822.09m2Organizational.4-09.m 0822.09m2Organizational.4-09.m 08 Network Protection 0822.09m2Organizational.4-09.m 09.06 Network Security Management Shared n/a Firewalls restrict inbound and outbound traffic to the minimum necessary. 7
hipaa 0859.09m1Organizational.78-09.m hipaa-0859.09m1Organizational.78-09.m 0859.09m1Organizational.78-09.m 08 Network Protection 0859.09m1Organizational.78-09.m 09.06 Network Security Management Shared n/a The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access. 13
hipaa 0928.09v1Organizational.45-09.v hipaa-0928.09v1Organizational.45-09.v 0928.09v1Organizational.45-09.v 09 Transmission Protection 0928.09v1Organizational.45-09.v 09.08 Exchange of Information Shared n/a Stronger controls are implemented to protect certain electronic messages, and electronic messages are protected throughout the duration of its end-to-end transport path, using cryptographic mechanisms unless protected by alternative measures. 9
hipaa 0929.09v1Organizational.6-09.v hipaa-0929.09v1Organizational.6-09.v 0929.09v1Organizational.6-09.v 09 Transmission Protection 0929.09v1Organizational.6-09.v 09.08 Exchange of Information Shared n/a The organization never sends unencrypted sensitive information by end-user messaging technologies (e.g., email, instant messaging, and chat). 9
hipaa 0944.09y1Organizational.2-09.y hipaa-0944.09y1Organizational.2-09.y 0944.09y1Organizational.2-09.y 09 Transmission Protection 0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services Shared n/a Security is maintained through all aspects of the transaction. 8
hipaa 1131.01v2System.2-01.v hipaa-1131.01v2System.2-01.v 1131.01v2System.2-01.v 11 Access Control 1131.01v2System.2-01.v 01.06 Application and Information Access Control Shared n/a Outputs from application systems handling covered information are limited to the minimum necessary and sent only to authorized terminals/locations. 6
hipaa 1150.01c2System.10-01.c hipaa-1150.01c2System.10-01.c 1150.01c2System.10-01.c 11 Access Control 1150.01c2System.10-01.c 01.02 Authorized Access to Information Systems Shared n/a The access control system for the system components storing, processing or transmitting covered information is set with a default "deny-all" setting. 7
ISO27001-2013 A.13.1.1 ISO27001-2013_A.13.1.1 ISO 27001:2013 A.13.1.1 Communications Security Network controls Shared n/a Networks shall be managed and controlled to protect information in systems and applications. link 40
ISO27001-2013 A.13.1.2 ISO27001-2013_A.13.1.2 ISO 27001:2013 A.13.1.2 Communications Security Security of network services Shared n/a Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. link 16
ISO27001-2013 A.13.1.3 ISO27001-2013_A.13.1.3 ISO 27001:2013 A.13.1.3 Communications Security Segregation of networks Shared n/a Groups of information services, users, and information systems shall be segregated on networks. link 17
ISO27001-2013 A.13.2.1 ISO27001-2013_A.13.2.1 ISO 27001:2013 A.13.2.1 Communications Security Information transfer policies and procedures Shared n/a Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. link 32
ISO27001-2013 A.13.2.3 ISO27001-2013_A.13.2.3 ISO 27001:2013 A.13.2.3 Communications Security Electronic messaging Shared n/a Information involved in electronic messaging shall be appropriately protected. link 10
ISO27001-2013 A.14.1.2 ISO27001-2013_A.14.1.2 ISO 27001:2013 A.14.1.2 System Acquisition, Development And Maintenance Securing application services on public networks Shared n/a Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. link 32
ISO27001-2013 A.14.1.3 ISO27001-2013_A.14.1.3 ISO 27001:2013 A.14.1.3 System Acquisition, Development And Maintenance Protecting application services transactions Shared n/a Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. link 29
ISO27001-2013 A.8.2.3 ISO27001-2013_A.8.2.3 ISO 27001:2013 A.8.2.3 Asset Management Handling of assets Shared n/a Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. link 26
mp.com.1 Secure perimeter mp.com.1 Secure perimeter 404 not found n/a n/a 49
mp.com.2 Protection of confidentiality mp.com.2 Protection of confidentiality 404 not found n/a n/a 55
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
mp.com.4 Separation of information flows on the network mp.com.4 Separation of information flows on the network 404 not found n/a n/a 51
mp.info.2 Rating of information mp.info.2 Rating of information 404 not found n/a n/a 45
mp.info.3 Electronic signature mp.info.3 Electronic signature 404 not found n/a n/a 40
mp.info.4 Time stamps mp.info.4 Time stamps 404 not found n/a n/a 33
mp.s.1 E-mail protection mp.s.1 E-mail protection 404 not found n/a n/a 48
mp.s.2 Protection of web services and applications mp.s.2 Protection of web services and applications 404 not found n/a n/a 102
NIST_SP_800-171_R2_3 .1.3 NIST_SP_800-171_R2_3.1.3 NIST SP 800-171 R2 3.1.3 Access Control Control the flow of CUI in accordance with approved authorizations. Shared Microsoft and the customer share responsibilities for implementing this requirement. Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. link 56
NIST_SP_800-53_R4 AC-4 NIST_SP_800-53_R4_AC-4 NIST SP 800-53 Rev. 4 AC-4 Access Control Information Flow Enforcement Shared n/a The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18. References: None. link 52
NIST_SP_800-53_R4 AC-4(21) NIST_SP_800-53_R4_AC-4(21) NIST SP 800-53 Rev. 4 AC-4 (21) Access Control Physical / Logical Separation Of Information Flows Shared n/a The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization- defined required separations by types of information]. Supplemental Guidance: Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories. link 4
NIST_SP_800-53_R5 AC-4 NIST_SP_800-53_R5_AC-4 NIST SP 800-53 Rev. 5 AC-4 Access Control Information Flow Enforcement Shared n/a Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. link 52
NIST_SP_800-53_R5 AC-4(21) NIST_SP_800-53_R5_AC-4(21) NIST SP 800-53 Rev. 5 AC-4 (21) Access Control Physical or Logical Separation of Information Flows Shared n/a Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. link 4
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
op.exp.2 Security configuration op.exp.2 Security configuration 404 not found n/a n/a 112
op.ext.4 Interconnection of systems op.ext.4 Interconnection of systems 404 not found n/a n/a 68
op.mon.1 Intrusion detection op.mon.1 Intrusion detection 404 not found n/a n/a 50
op.pl.2 Security Architecture op.pl.2 Security Architecture 404 not found n/a n/a 65
op.pl.3 Acquisition of new components op.pl.3 Acquisition of new components 404 not found n/a n/a 61
org.3 Security procedures org.3 Security procedures 404 not found n/a n/a 83
PCI_DSS_v4.0 1.4.1 PCI_DSS_v4.0_1.4.1 PCI DSS v4.0 1.4.1 Requirement 01: Install and Maintain Network Security Controls Network connections between trusted and untrusted networks are controlled Shared n/a NSCs are implemented between trusted and untrusted networks. link 5
PCI_DSS_v4.0 1.4.2 PCI_DSS_v4.0_1.4.2 PCI DSS v4.0 1.4.2 Requirement 01: Install and Maintain Network Security Controls Network connections between trusted and untrusted networks are controlled Shared n/a Inbound traffic from untrusted networks to trusted networks is restricted to: • Communications with system components that are authorized to provide publicly accessible services, protocols, and ports. • Stateful responses to communications initiated by system components in a trusted network. • All other traffic is denied. link 7
PCI_DSS_v4.0 1.4.3 PCI_DSS_v4.0_1.4.3 PCI DSS v4.0 1.4.3 Requirement 01: Install and Maintain Network Security Controls Network connections between trusted and untrusted networks are controlled Shared n/a Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted network. link 2
PCI_DSS_v4.0 1.4.4 PCI_DSS_v4.0_1.4.4 PCI DSS v4.0 1.4.4 Requirement 01: Install and Maintain Network Security Controls Network connections between trusted and untrusted networks are controlled Shared n/a System components that store cardholder data are not directly accessible from untrusted networks. link 2
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 78
SOC_2 CC6.6 SOC_2_CC6.6 SOC 2 Type 2 CC6.6 Logical and Physical Access Controls Security measures against threats outside system boundaries Shared The customer is responsible for implementing this recommendation. • Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. • Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries. • Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries. • Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts 40
SOC_2 CC6.7 SOC_2_CC6.7 SOC 2 Type 2 CC6.7 Logical and Physical Access Controls Restrict the movement of information to authorized users Shared The customer is responsible for implementing this recommendation. • Restricts the Ability to Perform Transmission — Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement, and removal of information. • Uses Encryption Technologies or Secure Communication Channels to Protect Data — Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. • Protects Removal Media — Encryption technologies and physical asset protections are used for removable media (such as USB drives and backup tapes), as appropriate. • Protects Mobile Devices — Processes are in place to protect mobile devices (such as laptops, smart phones, and tablets) that serve as information assets 29
SWIFT_CSCF_v2022 1.5A SWIFT_CSCF_v2022_1.5A SWIFT CSCF v2022 1.5A 1. Restrict Internet Access & Protect Critical Systems from General IT Environment Ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. Shared n/a A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment. link 24
SWIFT_CSCF_v2022 2.1 SWIFT_CSCF_v2022_2.1 SWIFT CSCF v2022 2.1 2. Reduce Attack Surface and Vulnerabilities Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. Shared n/a Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. link 36
SWIFT_CSCF_v2022 2.9 SWIFT_CSCF_v2022_2.9 SWIFT CSCF v2022 2.9 2. Reduce Attack Surface and Vulnerabilities Ensure outbound transaction activity within the expected bounds of normal business. Shared n/a Implement transaction detection, prevention, and validation controls to ensure outbound transaction activity within the expected bounds of normal business. link 7
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add 59bedbdc-0ba9-39b9-66bb-1d1c192384e6
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC