The following compliance controls are associated with this Policy definition 'Authorize, monitor, and control voip' (e4e1f896-8a93-1151-43c7-0ad23b081ee2).
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| FedRAMP_High_R4 | SC-19 | FedRAMP_High_R4_SC-19 | FedRAMP High SC-19 | System And Communications Protection | Voice Over Internet Protocol | Shared | n/a | The organization: a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of VoIP within the information system. Supplemental Guidance: Related controls: CM-6, SC-7, SC-15. References: NIST Special Publication 800-58. | link | 2 |
| FedRAMP_High_R4 | SI-4(4) | FedRAMP_High_R4_SI-4(4) | FedRAMP High SI-4 (4) | System And Information Integrity | Inbound And Outbound Communications Traffic | Shared | n/a | The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. Supplemental Guidance: Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. | link | 4 |
| FedRAMP_Moderate_R4 | SC-19 | FedRAMP_Moderate_R4_SC-19 | FedRAMP Moderate SC-19 | System And Communications Protection | Voice Over Internet Protocol | Shared | n/a | The organization: a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of VoIP within the information system. Supplemental Guidance: Related controls: CM-6, SC-7, SC-15. References: NIST Special Publication 800-58. | link | 2 |
| FedRAMP_Moderate_R4 | SI-4(4) | FedRAMP_Moderate_R4_SI-4(4) | FedRAMP Moderate SI-4 (4) | System And Information Integrity | Inbound And Outbound Communications Traffic | Shared | n/a | The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. Supplemental Guidance: Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. | link | 4 |
| hipaa | 0809.01n2Organizational.1234-01.n | hipaa-0809.01n2Organizational.1234-01.n | 0809.01n2Organizational.1234-01.n | 08 Network Protection | 0809.01n2Organizational.1234-01.n 01.04 Network Access Control | Shared | n/a | Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. | | 17 |
| hipaa | 0811.01n2Organizational.6-01.n | hipaa-0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n | 08 Network Protection | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Shared | n/a | Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. | | 23 |
| hipaa | 0815.01o2Organizational.123-01.o | hipaa-0815.01o2Organizational.123-01.o | 0815.01o2Organizational.123-01.o | 08 Network Protection | 0815.01o2Organizational.123-01.o 01.04 Network Access Control | Shared | n/a | Requirements for network routing control are based on the access control policy, including positive source and destination checking mechanisms, such as firewall validation of source/destination addresses, and the hiding of internal directory services and IP addresses. The organization designed and implemented network perimeters so that all outgoing network traffic to the Internet passes through at least one application layer filtering proxy server. The proxy supports decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a blacklist, and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. The organization forces outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter. | | 4 |
| hipaa | 0822.09m2Organizational.4-09.m | hipaa-0822.09m2Organizational.4-09.m | 0822.09m2Organizational.4-09.m | 08 Network Protection | 0822.09m2Organizational.4-09.m 09.06 Network Security Management | Shared | n/a | Firewalls restrict inbound and outbound traffic to the minimum necessary. | | 7 |
| hipaa | 0825.09m3Organizational.23-09.m | hipaa-0825.09m3Organizational.23-09.m | 0825.09m3Organizational.23-09.m | 08 Network Protection | 0825.09m3Organizational.23-09.m 09.06 Network Security Management | Shared | n/a | Technical tools such as an IDS/IPS are implemented and operating on the network perimeter and other key points to identify vulnerabilities, monitor traffic, detect attack attempts and successful compromises, and mitigate threats; and these tools are updated on a regular basis. | | 7 |
| hipaa | 0830.09m3Organizational.1012-09.m | hipaa-0830.09m3Organizational.1012-09.m | 0830.09m3Organizational.1012-09.m | 08 Network Protection | 0830.09m3Organizational.1012-09.m 09.06 Network Security Management | Shared | n/a | A DMZ is established with all database(s), servers, and other system components storing or processing covered information placed behind it to limit external network traffic to the internal network. | | 8 |
| hipaa | 0864.09m2Organizational.12-09.m | hipaa-0864.09m2Organizational.12-09.m | 0864.09m2Organizational.12-09.m | 08 Network Protection | 0864.09m2Organizational.12-09.m 09.06 Network Security Management | Shared | n/a | Usage restrictions and implementation guidance are formally defined for VoIP, including the authorization and monitoring of the service. | | 4 |
| hipaa | 0866.09m3Organizational.1516-09.m | hipaa-0866.09m3Organizational.1516-09.m | 0866.09m3Organizational.1516-09.m | 08 Network Protection | 0866.09m3Organizational.1516-09.m 09.06 Network Security Management | Shared | n/a | The organization describes the groups, roles, and responsibilities for the logical management of network components, and ensures coordination of and consistency in the elements of the network infrastructure. | | 11 |
| hipaa | 0868.09m3Organizational.18-09.m | hipaa-0868.09m3Organizational.18-09.m | 0868.09m3Organizational.18-09.m | 08 Network Protection | 0868.09m3Organizational.18-09.m 09.06 Network Security Management | Shared | n/a | The organization builds a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment. | | 5 |
| hipaa | 1213.09ab2System.128-09.ab | hipaa-1213.09ab2System.128-09.ab | 1213.09ab2System.128-09.ab | 12 Audit Logging & Monitoring | 1213.09ab2System.128-09.ab 09.10 Monitoring | Shared | n/a | Automated systems deployed throughout the organization's environment are used to monitor key events and anomalous activity, and analyze system logs, the results of which are reviewed regularly. | | 2 |
| hipaa | 1218.09ab3System.47-09.ab | hipaa-1218.09ab3System.47-09.ab | 1218.09ab3System.47-09.ab | 12 Audit Logging & Monitoring | 1218.09ab3System.47-09.ab 09.10 Monitoring | Shared | n/a | Automated systems support near real-time analysis and alerting of events (e.g., malicious code, potential intrusions) and integrate intrusion detection into access and flow control mechanisms. | | 7 |
| hipaa | 1220.09ab3System.56-09.ab | hipaa-1220.09ab3System.56-09.ab | 1220.09ab3System.56-09.ab | 12 Audit Logging & Monitoring | 1220.09ab3System.56-09.ab 09.10 Monitoring | Shared | n/a | Monitoring includes inbound and outbound communications and file integrity monitoring. | | 4 |
| hipaa | 1411.09f1System.1-09.f | hipaa-1411.09f1System.1-09.f | 1411.09f1System.1-09.f | 14 Third Party Assurance | 1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery | Shared | n/a | The results of monitoring activities of third-party services are compared against the Service Level Agreements or contracts at least annually. | | 9 |
| ISO27001-2013 | A.12.4.1 | ISO27001-2013_A.12.4.1 | ISO 27001:2013 A.12.4.1 | Operations Security | Event Logging | Shared | n/a | Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. | link | 53 |
| ISO27001-2013 | A.12.4.3 | ISO27001-2013_A.12.4.3 | ISO 27001:2013 A.12.4.3 | Operations Security | Administrator and operator logs | Shared | n/a | System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. | link | 29 |
| NIST_SP_800-171_R2 | 3.13.14 | NIST_SP_800-171_R2_3.13.14 | NIST SP 800-171 R2 3.13.14 | System and Communications Protection | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | VoIP has different requirements, features, functionality, availability, and service limitations when compared with the Plain Old Telephone Service (POTS) (i.e., the standard telephone service). In contrast, other telephone services are based on high-speed, digital communications lines, such as Integrated Services Digital Network (ISDN) and Fiber Distributed Data Interface (FDDI). The main distinctions between POTS and non-POTS services are speed and bandwidth. To address the threats associated with VoIP, usage restrictions and implementation guidelines are based on the potential for the VoIP technology to cause damage to the system if it is used maliciously. Threats to VoIP are similar to those inherent with any Internet-based application. [SP 800-58] provides guidance on Voice Over IP Systems. | link | 2 |
| NIST_SP_800-53_R4 | SC-19 | NIST_SP_800-53_R4_SC-19 | NIST SP 800-53 Rev. 4 SC-19 | System And Communications Protection | Voice Over Internet Protocol | Shared | n/a | The organization: a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of VoIP within the information system. Supplemental Guidance: Related controls: CM-6, SC-7, SC-15. References: NIST Special Publication 800-58. | link | 2 |
| NIST_SP_800-53_R4 | SI-4(4) | NIST_SP_800-53_R4_SI-4(4) | NIST SP 800-53 Rev. 4 SI-4 (4) | System And Information Integrity | Inbound And Outbound Communications Traffic | Shared | n/a | The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. Supplemental Guidance: Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. | link | 4 |
| NIST_SP_800-53_R5 | SI-4(4) | NIST_SP_800-53_R5_SI-4(4) | NIST SP 800-53 Rev. 5 SI-4 (4) | System and Information Integrity | Inbound and Outbound Communications Traffic | Shared | n/a | (a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic; (b) Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]. | link | 4 |
| | op.exp.8 Recording of the activity | op.exp.8 Recording of the activity | | | | | n/a | n/a | | 67 |
| SWIFT_CSCF_v2022 | 2.9 | SWIFT_CSCF_v2022_2.9 | SWIFT CSCF v2022 2.9 | 2. Reduce Attack Surface and Vulnerabilities | Ensure outbound transaction activity within the expected bounds of normal business. | Shared | n/a | Implement transaction detection, prevention, and validation controls to ensure outbound transaction activity within the expected bounds of normal business. | link | 7 |
| SWIFT_CSCF_v2022 | 6.5A | SWIFT_CSCF_v2022_6.5A | SWIFT CSCF v2022 6.5A | 6. Detect Anomalous Activity to Systems or Transaction Records | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Shared | n/a | Intrusion detection is implemented to detect unauthorised network access and anomalous activity. | link | 17 |
| SWIFT_CSCF_v2022 | 9.4 | SWIFT_CSCF_v2022_9.4 | SWIFT CSCF v2022 9.4 | 9. Ensure Availability through Resilience | Providers' availability and quality of service is ensured through usage of the recommended SWIFT connectivity packs and the appropriate line bandwidth | Shared | n/a | Providers' availability and quality of service is ensured through usage of the recommended SWIFT connectivity packs and the appropriate line bandwidth | link | 5 |