compliance controls are associated with this Policy definition 'Internet-facing virtual machines should be protected with network security groups' (f6de0be7-9a8a-4b8a-b349-43cf02d22f7c)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
AU_ISM |
1182 |
AU_ISM_1182 |
AU ISM 1182 |
Guidelines for Networking - Network design and configuration |
Network access controls - 1182 |
|
n/a |
Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes. |
link |
2 |
Azure_Security_Benchmark_v1.0 |
1.1 |
Azure_Security_Benchmark_v1.0_1.1 |
Azure Security Benchmark 1.1 |
Network Security |
Protect resources using Network Security Groups or Azure Firewall on your Virtual Network |
Customer |
Ensure that all Virtual Network subnet deployments have a Network Security Group applied with network access controls specific to your application's trusted ports and sources. Use Azure Services with Private Link enabled, deploy the service inside your Vnet, or connect privately using Private Endpoints. For service specific requirements, please refer to the security recommendation for that specific service.
Alternatively, if you have a specific use case, requirements can be met by implementing Azure Firewall.
General Information on Private Link:
https://docs.microsoft.com/azure/private-link/private-link-overview
How to create a Virtual Network:
https://docs.microsoft.com/azure/virtual-network/quick-create-portal
How to create an NSG with a security configuration:
https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic
How to deploy and configure Azure Firewall:
https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal |
n/a |
link |
20 |
Azure_Security_Benchmark_v2.0 |
NS-1 |
Azure_Security_Benchmark_v2.0_NS-1 |
Azure Security Benchmark NS-1 |
Network Security |
Implement security for internal traffic |
Customer |
Ensure that all Azure virtual networks follow an enterprise segmentation principle that aligns to the business risks. Any system that could incur higher risk for the organization should be isolated within its own virtual network and sufficiently secured with either a network security group (NSG) and/or Azure Firewall.
Based on your applications and enterprise segmentation strategy, restrict or allow traffic between internal resources based on network security group rules. For specific well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach. This might not scale well if you have many applications and endpoints interacting with each other. You can also use Azure Firewall in circumstances where central management is required over a large number of enterprise segments or spokes (in a hub/spoke topology).
Use Azure Security Center Adaptive Network Hardening to recommend network security group configurations that limit ports and source IPs based with the reference to external network traffic rules.
Use Azure Sentinel to discover the use of legacy insecure protocols such as SSL/TLSv1, SMBv1, LM/NTLMv1, wDigest, Unsigned LDAP Binds, and weak ciphers in Kerberos.
How to create a network security group with security rules: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic
How to deploy and configure Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal
Adaptive Network Hardening in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening
Azure Sentinel insecure protocols workbook:https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks |
n/a |
link |
18 |
Azure_Security_Benchmark_v2.0 |
NS-4 |
Azure_Security_Benchmark_v2.0_NS-4 |
Azure Security Benchmark NS-4 |
Network Security |
Protect applications and services from external network attacks |
Customer |
Protect Azure resources against attacks from external networks, including distributed denial of service (DDoS) Attacks, application specific attacks, and unsolicited and potentially malicious internet traffic. Azure includes native capabilities for this:
- Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations.
- Use Web Application Firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services, and APIs against application layer attacks.
- Protect your assets against DDoS attacks by enabling DDoS protection on your Azure virtual networks.
- Use Azure Security Center to detect misconfiguration risks related to the above.
Azure Firewall Documentation: https://docs.microsoft.com/azure/firewall/
How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/overview
Manage Azure DDoS Protection using the Azure portal: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection |
n/a |
link |
14 |
Azure_Security_Benchmark_v3.0 |
NS-1 |
Azure_Security_Benchmark_v3.0_NS-1 |
Microsoft cloud security benchmark NS-1 |
Network Security |
Establish network segmentation boundaries |
Shared |
**Security Principle:**
Ensure that your virtual network deployment aligns to your enterprise segmentation strategy defined in the GS-2 security control. Any workload that could incur higher risk for the organization should be in isolated virtual networks.
Examples of high-risk workload include:
- An application storing or processing highly sensitive data.
- An external network-facing application accessible by the public or users outside of your organization.
- An application using insecure architecture or containing vulnerabilities that cannot be easily remediated.
To enhance your enterprise segmentation strategy, restrict or monitor traffic between internal resources using network controls. For specific, well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach by restricting the ports, protocols, source, and destination IPs of the network traffic. If you have many applications and endpoints interacting with each other, blocking traffic may not scale well, and you may only be able to monitor traffic.
**Azure Guidance:**
Create a virtual network (VNet) as a fundamental segmentation approach in your Azure network, so resources such as VMs can be deployed into the VNet within a network boundary. To further segment the network, you can create subnets inside VNet for smaller sub-networks.
Use network security groups (NSG) as a network layer control to restrict or monitor traffic by port, protocol, source IP address, or destination IP address.
You can also use application security groups (ASGs) to simplify complex configuration. Instead of defining policy based on explicit IP addresses in network security groups, ASGs enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.
**Implementation and additional context:**
Azure Virtual Network concepts and best practices:
https://docs.microsoft.com/azure/virtual-network/concepts-and-best-practices
Add, change, or delete a virtual network subnet:
https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-subnet
How to create a network security group with security rules:
https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic
Understand and use application security groups:
https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview#application-security-groups |
n/a |
link |
4 |
CIS_Azure_1.1.0 |
2.9 |
CIS_Azure_1.1.0_2.9 |
CIS Microsoft Azure Foundations Benchmark recommendation 2.9 |
2 Security Center |
Ensure ASC Default policy setting "Enable Next Generation Firewall(NGFW) Monitoring" is not "Disabled" |
Shared |
The customer is responsible for implementing this recommendation. |
Enable next generation firewall recommendations for virtual machines. |
link |
4 |
CMMC_2.0_L2 |
AC.L2-3.1.3 |
CMMC_2.0_L2_AC.L2-3.1.3 |
404 not found |
|
|
|
n/a |
n/a |
|
52 |
CMMC_2.0_L2 |
SC.L1-3.13.1 |
CMMC_2.0_L2_SC.L1-3.13.1 |
404 not found |
|
|
|
n/a |
n/a |
|
56 |
CMMC_2.0_L2 |
SC.L1-3.13.5 |
CMMC_2.0_L2_SC.L1-3.13.5 |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
CMMC_2.0_L2 |
SC.L2-3.13.2 |
CMMC_2.0_L2_SC.L2-3.13.2 |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
CMMC_2.0_L2 |
SC.L2-3.13.6 |
CMMC_2.0_L2_SC.L2-3.13.6 |
404 not found |
|
|
|
n/a |
n/a |
|
26 |
CMMC_L3 |
AC.1.003 |
CMMC_L3_AC.1.003 |
CMMC L3 AC.1.003 |
Access Control |
Verify and control/limit connections to and use of external information systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems.
Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.
This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations.
Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external" to that system. |
link |
2 |
CMMC_L3 |
AC.2.016 |
CMMC_L3_AC.2.016 |
CMMC L3 AC.2.016 |
Access Control |
Control the flow of CUI in accordance with approved authorizations. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content.
Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement.
Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. |
link |
16 |
CMMC_L3 |
CM.3.068 |
CMMC_L3_CM.3.068 |
CMMC L3 CM.3.068 |
Configuration Management |
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. |
link |
21 |
CMMC_L3 |
SC.1.175 |
CMMC_L3_SC.1.175 |
CMMC L3 SC.1.175 |
System and Communications Protection |
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.
Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. |
link |
30 |
CMMC_L3 |
SC.1.176 |
CMMC_L3_SC.1.176 |
CMMC L3 SC.1.176 |
System and Communications Protection |
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. |
link |
4 |
CMMC_L3 |
SC.3.183 |
CMMC_L3_SC.3.183 |
CMMC L3 SC.3.183 |
System and Communications Protection |
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. |
link |
30 |
FedRAMP_High_R4 |
AC-4 |
FedRAMP_High_R4_AC-4 |
FedRAMP High AC-4 |
Access Control |
Information Flow Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18.
References: None. |
link |
52 |
FedRAMP_High_R4 |
SC-7 |
FedRAMP_High_R4_SC-7 |
FedRAMP High SC-7 |
System And Communications Protection |
Boundary Protection |
Shared |
n/a |
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13.
References: FIPS Publication 199; NIST Special Publications 800-41, 800-77. |
link |
52 |
FedRAMP_High_R4 |
SC-7(3) |
FedRAMP_High_R4_SC-7(3) |
FedRAMP High SC-7 (3) |
System And Communications Protection |
Access Points |
Shared |
n/a |
The organization limits the number of external network connections to the information system.
Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections. |
link |
51 |
FedRAMP_Moderate_R4 |
AC-4 |
FedRAMP_Moderate_R4_AC-4 |
FedRAMP Moderate AC-4 |
Access Control |
Information Flow Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18.
References: None. |
link |
52 |
FedRAMP_Moderate_R4 |
SC-7 |
FedRAMP_Moderate_R4_SC-7 |
FedRAMP Moderate SC-7 |
System And Communications Protection |
Boundary Protection |
Shared |
n/a |
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13.
References: FIPS Publication 199; NIST Special Publications 800-41, 800-77. |
link |
52 |
FedRAMP_Moderate_R4 |
SC-7(3) |
FedRAMP_Moderate_R4_SC-7(3) |
FedRAMP Moderate SC-7 (3) |
System And Communications Protection |
Access Points |
Shared |
n/a |
The organization limits the number of external network connections to the information system.
Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections. |
link |
51 |
hipaa |
0805.01m1Organizational.12-01.m |
hipaa-0805.01m1Organizational.12-01.m |
0805.01m1Organizational.12-01.m |
08 Network Protection |
0805.01m1Organizational.12-01.m 01.04 Network Access Control |
Shared |
n/a |
The organization's security gateways (e.g., firewalls) (i) enforce security policies; (ii) are configured to filter traffic between domains; (iii) block unauthorized access; (iv) are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet), including DMZs; and, (vi) enforce access control policies for each of the domains. |
|
12 |
hipaa |
0806.01m2Organizational.12356-01.m |
hipaa-0806.01m2Organizational.12356-01.m |
0806.01m2Organizational.12356-01.m |
08 Network Protection |
0806.01m2Organizational.12356-01.m 01.04 Network Access Control |
Shared |
n/a |
The organization’s network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. |
|
13 |
hipaa |
0809.01n2Organizational.1234-01.n |
hipaa-0809.01n2Organizational.1234-01.n |
0809.01n2Organizational.1234-01.n |
08 Network Protection |
0809.01n2Organizational.1234-01.n 01.04 Network Access Control |
Shared |
n/a |
Network traffic is controlled in accordance with the organization’s access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. |
|
17 |
hipaa |
0810.01n2Organizational.5-01.n |
hipaa-0810.01n2Organizational.5-01.n |
0810.01n2Organizational.5-01.n |
08 Network Protection |
0810.01n2Organizational.5-01.n 01.04 Network Access Control |
Shared |
n/a |
Transmitted information is secured and, at a minimum, encrypted over open, public networks. |
|
16 |
hipaa |
0811.01n2Organizational.6-01.n |
hipaa-0811.01n2Organizational.6-01.n |
0811.01n2Organizational.6-01.n |
08 Network Protection |
0811.01n2Organizational.6-01.n 01.04 Network Access Control |
Shared |
n/a |
Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. |
|
23 |
hipaa |
0812.01n2Organizational.8-01.n |
hipaa-0812.01n2Organizational.8-01.n |
0812.01n2Organizational.8-01.n |
08 Network Protection |
0812.01n2Organizational.8-01.n 01.04 Network Access Control |
Shared |
n/a |
Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. |
|
12 |
hipaa |
0814.01n1Organizational.12-01.n |
hipaa-0814.01n1Organizational.12-01.n |
0814.01n1Organizational.12-01.n |
08 Network Protection |
0814.01n1Organizational.12-01.n 01.04 Network Access Control |
Shared |
n/a |
The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of its business applications. |
|
11 |
hipaa |
0894.01m2Organizational.7-01.m |
hipaa-0894.01m2Organizational.7-01.m |
0894.01m2Organizational.7-01.m |
08 Network Protection |
0894.01m2Organizational.7-01.m 01.04 Network Access Control |
Shared |
n/a |
Networks are segregated from production-level networks when migrating physical servers, applications, or data to virtualized servers. |
|
19 |
New_Zealand_ISM |
18.1.13.C.02 |
New_Zealand_ISM_18.1.13.C.02 |
New_Zealand_ISM_18.1.13.C.02 |
18. Network security |
18.1.13.C.02 Limiting network access |
|
n/a |
Agencies SHOULD implement network access controls on all networks. |
|
19 |
NIST_SP_800-171_R2_3 |
.1.3 |
NIST_SP_800-171_R2_3.1.3 |
NIST SP 800-171 R2 3.1.3 |
Access Control |
Control the flow of CUI in accordance with approved authorizations. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. |
link |
56 |
NIST_SP_800-171_R2_3 |
.13.1 |
NIST_SP_800-171_R2_3.13.1 |
NIST SP 800-171 R2 3.13.1 |
System and Communications Protection |
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies.
[28] There is no prescribed format or specified level of detail for system security plans. However, organizations ensure that the required information in 3.12.4 is conveyed in those plans. |
link |
51 |
NIST_SP_800-171_R2_3 |
.13.2 |
NIST_SP_800-171_R2_3.13.2 |
NIST SP 800-171 R2 3.13.2 |
System and Communications Protection |
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions. [SP 800-160-1] provides guidance on systems security engineering. |
link |
51 |
NIST_SP_800-171_R2_3 |
.13.5 |
NIST_SP_800-171_R2_3.13.5 |
NIST SP 800-171 R2 3.13.5 |
System and Communications Protection |
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies |
link |
51 |
NIST_SP_800-171_R2_3 |
.13.6 |
NIST_SP_800-171_R2_3.13.6 |
NIST SP 800-171 R2 3.13.6 |
System and Communications Protection |
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. |
link |
22 |
NIST_SP_800-53_R4 |
AC-4 |
NIST_SP_800-53_R4_AC-4 |
NIST SP 800-53 Rev. 4 AC-4 |
Access Control |
Information Flow Enforcement |
Shared |
n/a |
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regarding mechanisms to reassign security attributes and security labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message- filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18.
References: None. |
link |
52 |
NIST_SP_800-53_R4 |
SC-7 |
NIST_SP_800-53_R4_SC-7 |
NIST SP 800-53 Rev. 4 SC-7 |
System And Communications Protection |
Boundary Protection |
Shared |
n/a |
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13.
References: FIPS Publication 199; NIST Special Publications 800-41, 800-77. |
link |
52 |
NIST_SP_800-53_R4 |
SC-7(3) |
NIST_SP_800-53_R4_SC-7(3) |
NIST SP 800-53 Rev. 4 SC-7 (3) |
System And Communications Protection |
Access Points |
Shared |
n/a |
The organization limits the number of external network connections to the information system.
Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections. |
link |
51 |
NIST_SP_800-53_R5 |
AC-4 |
NIST_SP_800-53_R5_AC-4 |
NIST SP 800-53 Rev. 5 AC-4 |
Access Control |
Information Flow Enforcement |
Shared |
n/a |
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. |
link |
52 |
NIST_SP_800-53_R5 |
SC-7 |
NIST_SP_800-53_R5_SC-7 |
NIST SP 800-53 Rev. 5 SC-7 |
System and Communications Protection |
Boundary Protection |
Shared |
n/a |
a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
b. Implement subnetworks for publicly accessible system components that are [Selection: physically;logically] separated from internal organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. |
link |
52 |
NIST_SP_800-53_R5 |
SC-7(3) |
NIST_SP_800-53_R5_SC-7(3) |
NIST SP 800-53 Rev. 5 SC-7 (3) |
System and Communications Protection |
Access Points |
Shared |
n/a |
Limit the number of external network connections to the system. |
link |
51 |
NL_BIO_Cloud_Theme |
U.07.1(2) |
NL_BIO_Cloud_Theme_U.07.1(2) |
NL_BIO_Cloud_Theme_U.07.1(2) |
U.07 Data separation |
Isolated |
|
n/a |
Permanent isolation of data is realized within a multi-tenant architecture. Patches and adjustments of applications and infrastructure are realized in a controlled manner for all cloud services that the CSC purchases. |
|
57 |
NZ_ISM_v3.5 |
GS-2 |
NZ_ISM_v3.5_GS-2 |
NZISM Security Benchmark GS-2 |
Gateway security |
19.1.11 Using Gateways |
Customer |
n/a |
Physically locating all gateway components inside a secure server room will reduce the risk of unauthorised access to the device(s).
The system owner of the higher security domain of connected security domains would be most familiar with the controls required to protect the more sensitive information and as such is best placed to manage any shared components of gateways. In some cases where multiple security domains from different agencies are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected agencies.
Gateway components may also reside in a virtual environment ??? refer to Section 22.2 ??? Virtualisation and Section 22.3 ??? Virtual Local Area Networks |
link |
10 |
NZISM_Security_Benchmark_v1.1 |
GS-2 |
NZISM_Security_Benchmark_v1.1_GS-2 |
NZISM Security Benchmark GS-2 |
Gateway security |
19.1.11 Using Gateways |
Customer |
Agencies MUST ensure that:
all agency networks are protected from networks in other security domains by one or more gateways;
all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and
all gateway components, discrete and virtual, are physically located within an appropriately secured server room. |
Physically locating all gateway components inside a secure server room will reduce the risk of unauthorised access to the device(s).
The system owner of the higher security domain of connected security domains would be most familiar with the controls required to protect the more sensitive information and as such is best placed to manage any shared components of gateways. In some cases where multiple security domains from different agencies are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected agencies.
Gateway components may also reside in a virtual environment – refer to Section 22.2 – Virtualisation and Section 22.3 – Virtual Local Area Networks |
link |
8 |
RBI_CSF_Banks_v2016 |
10.1 |
RBI_CSF_Banks_v2016_10.1 |
|
Secure Mail And Messaging Systems |
Secure Mail And Messaging Systems-10.1 |
|
n/a |
Implement secure mail and messaging systems, including those used by bank???s partners & vendors, that include measures to prevent email spoofing, identical mail domains, protection of attachments, malicious links etc |
|
15 |
RBI_CSF_Banks_v2016 |
10.2 |
RBI_CSF_Banks_v2016_10.2 |
|
Secure Mail And Messaging Systems |
Secure Mail And Messaging Systems-10.2 |
|
n/a |
Document and implement emailserver specific controls |
|
15 |
RBI_CSF_Banks_v2016 |
13.3 |
RBI_CSF_Banks_v2016_13.3 |
|
Advanced Real-Timethreat Defenceand Management |
Advanced Real-Timethreat Defenceand Management-13.3 |
|
n/a |
Consider implementing whitelisting of internet websites/systems. |
|
12 |
RBI_CSF_Banks_v2016 |
13.4 |
RBI_CSF_Banks_v2016_13.4 |
|
Advanced Real-Timethreat Defenceand Management |
Advanced Real-Timethreat Defenceand Management-13.4 |
|
n/a |
Consider implementingsecure web gateways with capability to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web/internet gateway |
|
41 |
RBI_CSF_Banks_v2016 |
4.10 |
RBI_CSF_Banks_v2016_4.10 |
|
Network Management And Security |
Perimeter Protection And Detection-4.10 |
|
n/a |
Boundary defences should be multi-layered with properly configured firewalls, proxies, DMZ perimeter networks, and network--???based IPS and IDS. Mechanism to filter both inbound and outbound traffic to be put in place. |
|
11 |
RBI_CSF_Banks_v2016 |
4.3 |
RBI_CSF_Banks_v2016_4.3 |
|
Network Management And Security |
Network Device Configuration Management-4.3 |
|
n/a |
Ensure that all the network devices are configured appropriately and periodically assess whether the configurations are appropriate to the desired level of network security. |
|
14 |
RBI_CSF_Banks_v2016 |
4.7 |
RBI_CSF_Banks_v2016_4.7 |
|
Network Management And Security |
Anomaly Detection-4.7 |
|
n/a |
Put in place mechanism to detect and remedy any unusual activities in systems, servers, network devices and endpoints. |
|
13 |
RBI_ITF_NBFC_v2017 |
5 |
RBI_ITF_NBFC_v2017_5 |
RBI IT Framework 5 |
IS Audit |
Policy for Information System Audit (IS Audit)-5 |
|
n/a |
The objective of the IS Audit is to provide an insight on the effectiveness of controls that are in place to ensure confidentiality, integrity and availability of the organization???s IT infrastructure. IS Audit shall identify risks and methods to mitigate risk arising out of IT infrastructure such as server architecture, local and wide area networks, physical and information security, telecommunications etc. |
link |
14 |
RMiT_v1.0 |
10.33 |
RMiT_v1.0_10.33 |
RMiT 10.33 |
Network Resilience |
Network Resilience - 10.33 |
Shared |
n/a |
A financial institution must design a reliable, scalable and secure enterprise network that is able to support its business activities, including future growth plans. |
link |
27 |
RMiT_v1.0 |
Appendix_5.7 |
RMiT_v1.0_Appendix_5.7 |
RMiT Appendix 5.7 |
Control Measures on Cybersecurity |
Control Measures on Cybersecurity - Appendix 5.7 |
Customer |
n/a |
Ensure overall network security controls are implemented including the following:
(a) dedicated firewalls at all segments. All external-facing firewalls must be deployed on High Availability (HA) configuration and “fail-close” mode activated. Deploy different brand name/model for two firewalls located in sequence within the same network path;
(b) IPS at all critical network segments with the capability to inspect and monitor encrypted network traffic;
(c) web and email filtering systems such as web-proxy, spam filter and anti-spoofing controls;
(d) endpoint protection solution to detect and remove security threats including viruses and malicious software;
(e) solution to mitigate advanced persistent threats including zero-day and signatureless malware; and
(f) capture the full network packets to rebuild relevant network sessions to aid forensics in the event of incidents. |
link |
21 |
SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies,
Page 29
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative
authorities, mobile devices, output, and offline system components is restricted
through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are
identified and authenticated prior to accessing information assets, whether locally
or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of
data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified,
documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems
accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external
infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point.
Credentials are removed and access is disabled when access is no longer required
or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other
measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction |
|
78 |
SOC_2 |
CC6.6 |
SOC_2_CC6.6 |
SOC 2 Type 2 CC6.6 |
Logical and Physical Access Controls |
Security measures against threats outside system boundaries |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts Access — The types of activities that can occur through a communication
channel (for example, FTP site, router port) are restricted.
• Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries.
• Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its
boundaries.
• Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and
are monitored to detect such attempts |
|
40 |
SOC_2 |
CC6.7 |
SOC_2_CC6.7 |
SOC 2 Type 2 CC6.7 |
Logical and Physical Access Controls |
Restrict the movement of information to authorized users |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts the Ability to Perform Transmission — Data loss prevention processes and
technologies are used to restrict ability to authorize and execute transmission,
movement, and removal of information.
• Uses Encryption Technologies or Secure Communication Channels to Protect Data
— Encryption technologies or secured communication channels are used to protect
transmission of data and other communications beyond connectivity access points.
• Protects Removal Media — Encryption technologies and physical asset protections
are used for removable media (such as USB drives and backup tapes), as appropriate.
• Protects Mobile Devices — Processes are in place to protect mobile devices (such
as laptops, smart phones, and tablets) that serve as information assets |
|
29 |
SWIFT_CSCF_v2021 |
1.1 |
SWIFT_CSCF_v2021_1.1 |
SWIFT CSCF v2021 1.1 |
SWIFT Environment Protection |
SWIFT Environment Protection |
|
n/a |
Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. |
link |
28 |
SWIFT_CSCF_v2022 |
1.1 |
SWIFT_CSCF_v2022_1.1 |
SWIFT CSCF v2022 1.1 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. |
Shared |
n/a |
A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments. |
link |
19 |
SWIFT_CSCF_v2022 |
1.4 |
SWIFT_CSCF_v2022_1.4 |
SWIFT CSCF v2022 1.4 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Control/Protect Internet access from operator PCs and systems within the secure zone. |
Shared |
n/a |
All general-purpose and dedicated operator PCs, as well as systems within the secure zone, have controlled direct internet access in line with business. |
link |
11 |
SWIFT_CSCF_v2022 |
1.5A |
SWIFT_CSCF_v2022_1.5A |
SWIFT CSCF v2022 1.5A |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. |
Shared |
n/a |
A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment. |
link |
24 |
|
U.07.1 - Isolated |
U.07.1 - Isolated |
404 not found |
|
|
|
n/a |
n/a |
|
56 |