last sync: 2024-Jul-26 18:17:39 UTC

Employ restrictions on external system interconnections | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Employ restrictions on external system interconnections
Id: 80029bc5-834f-3a9c-a2d8-acbc1aab4e9f
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_C1155 - Employ restrictions on external system interconnections
Additional metadata:
  Name/Id: CMA_C1155 / CMA_C1155
  Category: Documentation
  Title: Employ restrictions on external system interconnections
  Ownership: Customer
  Description: The customer is responsible for employing restrictions on external system interconnections (e.g., allow-all, deny-by-exception; deny-all, permit-by-exception).
  Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default: Manual; Allowed: Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1): Microsoft.Resources/subscriptions
Compliance
The following 6 compliance controls are associated with this Policy definition 'Employ restrictions on external system interconnections' (80029bc5-834f-3a9c-a2d8-acbc1aab4e9f). Each control is listed with its Control Domain / Control Name, MetadataId, Category / Title, Owner, Requirements, Description, Info and Policy# (number of policies mapped to the control).

Control: FedRAMP_High_R4 CA-3(5)
  MetadataId: FedRAMP_High_R4_CA-3(5)
  Category / Title: FedRAMP High CA-3 (5) Security Assessment And Authorization - Restrictions On External System Connections
  Owner: Shared
  Requirements: n/a
  Description: The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems. Supplemental Guidance: Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable. Related control: CM-7.
  Info: link
  Policy#: 1

Control: FedRAMP_Moderate_R4 CA-3(5)
  MetadataId: FedRAMP_Moderate_R4_CA-3(5)
  Category / Title: FedRAMP Moderate CA-3 (5) Security Assessment And Authorization - Restrictions On External System Connections
  Owner: Shared
  Requirements: n/a
  Description: The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems. Supplemental Guidance: Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable. Related control: CM-7.
  Info: link
  Policy#: 1

Control: hipaa 0865.09m2Organizational.13-09.m
  MetadataId: hipaa-0865.09m2Organizational.13-09.m
  Category / Title: 0865.09m2Organizational.13-09.m 08 Network Protection - 09.06 Network Security Management
  Owner: Shared
  Requirements: n/a
  Description: The organization (i) authorizes connections from the information system to other information systems outside of the organization through the use of interconnection security agreements or other formal agreement; (ii) documents each connection, the interface characteristics, security requirements, and the nature of the information communicated; (iii) employs a deny-all, permit-by-exception policy for allowing connections from the information system to other information systems outside of the organization; and, (iv) applies a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and ports that are explicitly allowed.
  Info: none
  Policy#: 5

Control: hipaa 0886.09n2Organizational.4-09.n
  MetadataId: hipaa-0886.09n2Organizational.4-09.n
  Category / Title: 0886.09n2Organizational.4-09.n 08 Network Protection - 09.06 Network Security Management
  Owner: Shared
  Requirements: n/a
  Description: The organization employs and documents in a formal agreement or other document—either i) allow-all, deny-by-exception, or ii) deny-all, permit-by-exception (preferred)—policy for allowing specific information systems to connect to external information systems.
  Info: none
  Policy#: 2

Control: NIST_SP_800-53_R4 CA-3(5)
  MetadataId: NIST_SP_800-53_R4_CA-3(5)
  Category / Title: NIST SP 800-53 Rev. 4 CA-3 (5) Security Assessment And Authorization - Restrictions On External System Connections
  Owner: Shared
  Requirements: n/a
  Description: The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems. Supplemental Guidance: Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable. Related control: CM-7.
  Info: link
  Policy#: 1

Control: SWIFT_CSCF_v2022 1.5A
  MetadataId: SWIFT_CSCF_v2022_1.5A
  Category / Title: SWIFT CSCF v2022 1.5A - 1. Restrict Internet Access & Protect Critical Systems from General IT Environment - Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment.
  Owner: Shared
  Requirements: n/a
  Description: A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment.
  Info: link
  Policy#: 26
Initiatives usage
Initiative DisplayName   Initiative Id                          Initiative Category    State  Type
FedRAMP High             d5264498-16f4-418a-b659-fa7ef418175f   Regulatory Compliance  GA     BuiltIn
FedRAMP Moderate         e95f5a9f-57ad-4d03-bb0b-b1d16db93693   Regulatory Compliance  GA     BuiltIn
HITRUST/HIPAA            a169a624-5599-4385-a696-c8d643089fab   Regulatory Compliance  GA     BuiltIn
NIST SP 800-53 Rev. 4    cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f   Regulatory Compliance  GA     BuiltIn
SWIFT CSP-CSCF v2022     7bc7cd6c-4114-ff31-3cac-59be3157596d   Regulatory Compliance  GA     BuiltIn
History
Date/Time (UTC, ymd)   Change type   Change detail
2022-09-27 16:35:32    change        Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40    add           80029bc5-834f-3a9c-a2d8-acbc1aab4e9f