compliance controls are associated with this Policy definition 'Secure the interface to external systems' (ff1efad2-6b09-54cc-01bf-d386c4d558a8)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
SC-7(4) |
FedRAMP_High_R4_SC-7(4) |
FedRAMP High SC-7 (4) |
System And Communications Protection |
External Telecommunications Services |
Shared |
n/a |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
Supplemental Guidance: Related control: SC-8. |
link |
3 |
| FedRAMP_Moderate_R4 |
SC-7(4) |
FedRAMP_Moderate_R4_SC-7(4) |
FedRAMP Moderate SC-7 (4) |
System And Communications Protection |
External Telecommunications Services |
Shared |
n/a |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
Supplemental Guidance: Related control: SC-8. |
link |
3 |
| hipaa |
0809.01n2Organizational.1234-01.n |
hipaa-0809.01n2Organizational.1234-01.n |
0809.01n2Organizational.1234-01.n |
08 Network Protection |
0809.01n2Organizational.1234-01.n 01.04 Network Access Control |
Shared |
n/a |
Network traffic is controlled in accordance with the organization’s access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. |
|
18 |
| hipaa |
08101.09m2Organizational.14-09.m |
hipaa-08101.09m2Organizational.14-09.m |
08101.09m2Organizational.14-09.m |
08 Network Protection |
08101.09m2Organizational.14-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization uses secured and encrypted communication channels when migrating physical servers, applications, or data to virtualized servers. |
|
8 |
| hipaa |
08102.09nCSPOrganizational.1-09.n |
hipaa-08102.09nCSPOrganizational.1-09.n |
08102.09nCSPOrganizational.1-09.n |
08 Network Protection |
08102.09nCSPOrganizational.1-09.n 09.06 Network Security Management |
Shared |
n/a |
Business-critical or customer (tenant) impacting (physical and virtual) application and interface designs (API), configurations, network infrastructure, and systems components, are designed, developed, and deployed in accordance with mutually agreed-upon service and capacity-level expectations, as well as IT governance and service management policies and procedures. |
|
2 |
| hipaa |
0811.01n2Organizational.6-01.n |
hipaa-0811.01n2Organizational.6-01.n |
0811.01n2Organizational.6-01.n |
08 Network Protection |
0811.01n2Organizational.6-01.n 01.04 Network Access Control |
Shared |
n/a |
Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. |
|
24 |
| hipaa |
0826.09m3Organizational.45-09.m |
hipaa-0826.09m3Organizational.45-09.m |
0826.09m3Organizational.45-09.m |
08 Network Protection |
0826.09m3Organizational.45-09.m 09.06 Network Security Management |
Shared |
n/a |
Firewall and router configuration standards are defined and implemented, and are reviewed every six months. |
|
3 |
| hipaa |
0830.09m3Organizational.1012-09.m |
hipaa-0830.09m3Organizational.1012-09.m |
0830.09m3Organizational.1012-09.m |
08 Network Protection |
0830.09m3Organizational.1012-09.m 09.06 Network Security Management |
Shared |
n/a |
A DMZ is established with all database(s), servers, and other system components storing or processing covered information placed behind it to limit external network traffic to the internal network. |
|
8 |
| hipaa |
0835.09n1Organizational.1-09.n |
hipaa-0835.09n1Organizational.1-09.n |
0835.09n1Organizational.1-09.n |
08 Network Protection |
0835.09n1Organizational.1-09.n 09.06 Network Security Management |
Shared |
n/a |
Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely. |
|
7 |
| hipaa |
0859.09m1Organizational.78-09.m |
hipaa-0859.09m1Organizational.78-09.m |
0859.09m1Organizational.78-09.m |
08 Network Protection |
0859.09m1Organizational.78-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access. |
|
14 |
| hipaa |
0860.09m1Organizational.9-09.m |
hipaa-0860.09m1Organizational.9-09.m |
0860.09m1Organizational.9-09.m |
08 Network Protection |
0860.09m1Organizational.9-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization formally manages equipment on the network, including equipment in user areas. |
|
5 |
| hipaa |
0864.09m2Organizational.12-09.m |
hipaa-0864.09m2Organizational.12-09.m |
0864.09m2Organizational.12-09.m |
08 Network Protection |
0864.09m2Organizational.12-09.m 09.06 Network Security Management |
Shared |
n/a |
Usage restrictions and implementation guidance are formally defined for VoIP, including the authorization and monitoring of the service. |
|
4 |
| hipaa |
0866.09m3Organizational.1516-09.m |
hipaa-0866.09m3Organizational.1516-09.m |
0866.09m3Organizational.1516-09.m |
08 Network Protection |
0866.09m3Organizational.1516-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization describes the groups, roles, and responsibilities for the logical management of network components, and ensures coordination of and consistency in the elements of the network infrastructure. |
|
11 |
| hipaa |
0868.09m3Organizational.18-09.m |
hipaa-0868.09m3Organizational.18-09.m |
0868.09m3Organizational.18-09.m |
08 Network Protection |
0868.09m3Organizational.18-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization builds a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment. |
|
5 |
| hipaa |
0887.09n2Organizational.5-09.n |
hipaa-0887.09n2Organizational.5-09.n |
0887.09n2Organizational.5-09.n |
08 Network Protection |
0887.09n2Organizational.5-09.n 09.06 Network Security Management |
Shared |
n/a |
The organization requires external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of the external/outsourced services. |
|
3 |
| hipaa |
0928.09v1Organizational.45-09.v |
hipaa-0928.09v1Organizational.45-09.v |
0928.09v1Organizational.45-09.v |
09 Transmission Protection |
0928.09v1Organizational.45-09.v 09.08 Exchange of Information |
Shared |
n/a |
Stronger controls are implemented to protect certain electronic messages, and electronic messages are protected throughout the duration of its end-to-end transport path, using cryptographic mechanisms unless protected by alternative measures. |
|
9 |
| hipaa |
1119.01j2Organizational.3-01.j |
hipaa-1119.01j2Organizational.3-01.j |
1119.01j2Organizational.3-01.j |
11 Access Control |
1119.01j2Organizational.3-01.j 01.04 Network Access Control |
Shared |
n/a |
Network equipment is checked for unanticipated dial-up capabilities. |
|
5 |
| ISO27001-2013 |
A.13.1.1 |
ISO27001-2013_A.13.1.1 |
ISO 27001:2013 A.13.1.1 |
Communications Security |
Network controls |
Shared |
n/a |
Networks shall be managed and controlled to protect information in systems and applications. |
link |
40 |
| ISO27001-2013 |
A.13.1.2 |
ISO27001-2013_A.13.1.2 |
ISO 27001:2013 A.13.1.2 |
Communications Security |
Security of network services |
Shared |
n/a |
Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. |
link |
16 |
| ISO27001-2013 |
A.13.1.3 |
ISO27001-2013_A.13.1.3 |
ISO 27001:2013 A.13.1.3 |
Communications Security |
Segregation of networks |
Shared |
n/a |
Groups of information services, users, and information systems shall be segregated on networks. |
link |
17 |
| ISO27001-2013 |
A.13.2.1 |
ISO27001-2013_A.13.2.1 |
ISO 27001:2013 A.13.2.1 |
Communications Security |
Information transfer policies and procedures |
Shared |
n/a |
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. |
link |
32 |
| ISO27001-2013 |
A.14.1.3 |
ISO27001-2013_A.14.1.3 |
ISO 27001:2013 A.14.1.3 |
System Acquisition, Development And Maintenance |
Protecting application services transactions |
Shared |
n/a |
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. |
link |
29 |
| ISO27001-2013 |
C.8.3 |
ISO27001-2013_C.8.3 |
ISO 27001:2013 C.8.3 |
Operation |
Information security risk treatment |
Shared |
n/a |
The organization shall implement the information security risk treatment plan.
The organization shall retain documented information of the results of the information security
risk treatment. |
link |
4 |
|
mp.com.1 Secure perimeter |
mp.com.1 Secure perimeter |
404 not found |
|
|
|
n/a |
n/a |
|
49 |
|
mp.com.2 Protection of confidentiality |
mp.com.2 Protection of confidentiality |
404 not found |
|
|
|
n/a |
n/a |
|
55 |
|
mp.com.3 Protection of integrity and authenticity |
mp.com.3 Protection of integrity and authenticity |
404 not found |
|
|
|
n/a |
n/a |
|
62 |
|
mp.com.4 Separation of information flows on the network |
mp.com.4 Separation of information flows on the network |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
mp.info.2 Rating of information |
mp.info.2 Rating of information |
404 not found |
|
|
|
n/a |
n/a |
|
45 |
|
mp.info.3 Electronic signature |
mp.info.3 Electronic signature |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
mp.info.4 Time stamps |
mp.info.4 Time stamps |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
| NIST_SP_800-53_R4 |
SC-7(4) |
NIST_SP_800-53_R4_SC-7(4) |
NIST SP 800-53 Rev. 4 SC-7 (4) |
System And Communications Protection |
External Telecommunications Services |
Shared |
n/a |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
Supplemental Guidance: Related control: SC-8. |
link |
3 |
| NIST_SP_800-53_R5 |
SC-7(4) |
NIST_SP_800-53_R5_SC-7(4) |
NIST SP 800-53 Rev. 5 SC-7 (4) |
System and Communications Protection |
External Telecommunications Services |
Shared |
n/a |
(a) Implement a managed interface for each external telecommunication service;
(b) Establish a traffic flow policy for each managed interface;
(c) Protect the confidentiality and integrity of the information being transmitted across each interface;
(d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;
(e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need;
(f) Prevent unauthorized exchange of control plane traffic with external networks;
(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and
(h) Filter unauthorized control plane traffic from external networks. |
link |
3 |
|
op.acc.6 Authentication mechanism (organization users) |
op.acc.6 Authentication mechanism (organization users) |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.2 Security configuration |
op.exp.2 Security configuration |
404 not found |
|
|
|
n/a |
n/a |
|
112 |
|
op.ext.4 Interconnection of systems |
op.ext.4 Interconnection of systems |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
|
op.mon.1 Intrusion detection |
op.mon.1 Intrusion detection |
404 not found |
|
|
|
n/a |
n/a |
|
50 |
|
op.pl.1 Risk analysis |
op.pl.1 Risk analysis |
404 not found |
|
|
|
n/a |
n/a |
|
70 |
|
op.pl.2 Security Architecture |
op.pl.2 Security Architecture |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
op.pl.3 Acquisition of new components |
op.pl.3 Acquisition of new components |
404 not found |
|
|
|
n/a |
n/a |
|
61 |
|
org.3 Security procedures |
org.3 Security procedures |
404 not found |
|
|
|
n/a |
n/a |
|
83 |
| PCI_DSS_v4.0 |
1.4.1 |
PCI_DSS_v4.0_1.4.1 |
PCI DSS v4.0 1.4.1 |
Requirement 01: Install and Maintain Network Security Controls |
Network connections between trusted and untrusted networks are controlled |
Shared |
n/a |
NSCs are implemented between trusted and untrusted networks. |
link |
5 |
| PCI_DSS_v4.0 |
1.4.2 |
PCI_DSS_v4.0_1.4.2 |
PCI DSS v4.0 1.4.2 |
Requirement 01: Install and Maintain Network Security Controls |
Network connections between trusted and untrusted networks are controlled |
Shared |
n/a |
Inbound traffic from untrusted networks to trusted networks is restricted to:
• Communications with system components that are authorized to provide publicly accessible services, protocols, and ports.
• Stateful responses to communications initiated by system components in a trusted network.
• All other traffic is denied. |
link |
7 |
| SWIFT_CSCF_v2022 |
2.1 |
SWIFT_CSCF_v2022_2.1 |
SWIFT CSCF v2022 2.1 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. |
Shared |
n/a |
Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. |
link |
36 |