Establish, implement, and maintain information flow control policies inside the system and between interconnected systems.


CONTROL ID
01410
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Enforce information flow control., CC ID: 11781

This Control has the following implementation support Control(s):
  • Define risk tolerance to illicit data flow for each type of information classification., CC ID: 01923
  • Establish, implement, and maintain a document printing policy., CC ID: 14384
  • Establish, implement, and maintain information flow procedures., CC ID: 04542
  • Establish, implement, and maintain information exchange procedures., CC ID: 11782
  • Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services., CC ID: 13104
  • Establish, implement, and maintain whitelists and blacklists of software., CC ID: 11780
  • Implement information flow control policies when making decisions about information sharing or collaboration., CC ID: 10094


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • O96: The organization shall implement security measures for data transmission and network-related devices. O96.3: The organization should include the following types of data transmission security measures: leakage prevention measures and detection methods for unauthorized destruction or tampering. O… (O96, O96.3, O103, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Banks' networks should be designed to support effective monitoring. Design considerations include network traffic policies that address the allowed communications between computers or groups of computers, security domains that implement the policies, sensor placement to identify policy violations an… (Critical components of information security 17) iii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A process, and supporting procedures, is developed and implemented to prevent AUSTEO and AGAO data in both textual and non-textual formats from being exported to foreign systems. (Security Control: 1535; Revision: 1, Australian Government Information Security Manual, March 2021)
  • When connecting a highly classified network to any other network from a different security domain, a CDS is implemented. (Security Control: 0626; Revision: 4, Australian Government Information Security Manual, March 2021)
  • An evaluated diode is used for controlling the data flow of unidirectional gateways between official or classified networks and public network infrastructure. (Security Control: 0643; Revision: 5, Australian Government Information Security Manual, March 2021)
  • A high assurance diode is used for controlling the data flow of unidirectional gateways between classified networks and public network infrastructure. (Security Control: 0645; Revision: 5, Australian Government Information Security Manual, March 2021)
  • An evaluated diode is used for controlling the data flow of unidirectional gateways between official and classified networks. (Security Control: 1157; Revision: 3, Australian Government Information Security Manual, March 2021)
  • A high assurance diode is used for controlling the data flow of unidirectional gateways between official or classified networks where the highest system is SECRET or above. (Security Control: 1158; Revision: 4, Australian Government Information Security Manual, March 2021)
  • An evaluated diode is used between an AUSTEO or AGAO network and a foreign network at the same classification. (Security Control: 0646; Revision: 4, Australian Government Information Security Manual, March 2021)
  • An evaluated diode is used between an AUSTEO or AGAO network and another Australian controlled network at the same classification. (Security Control: 0647; Revision: 6, Australian Government Information Security Manual, March 2021)
  • Areas in which HACE is used are separated from other areas and designated as a cryptographic controlled area. (Security Control: 0506; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Where a high availability requirement exists, online services are architected to automatically transition between availability zones. (Security Control: 1580; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Data communicated between different systems is controlled and inspectable. (P8:, Australian Government Information Security Manual, June 2023)
  • Network access controls are implemented to limit network traffic within and between network segments to only those required for business purposes. (Control: ISM-1182; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Data communicated between different systems is controlled and inspectable. (P8:, Australian Government Information Security Manual, September 2023)
  • The organization should ensure information flow between the software development environments is strictly limited in accordance with policy and access is only granted to users with a clear business requirement. (Control: 0400 Bullet 2, Australian Government Information Security Manual: Controls)
  • Network access controls should be implemented that restrict communications between the database servers and defined network resources, such as application servers, web servers, and Storage Area Networks. (Control: 1271, Australian Government Information Security Manual: Controls)
  • The organization should route all e-mail through a centralized e-mail gateway. (Control: 0569, Australian Government Information Security Manual: Controls)
  • The organization should ensure the Internet Protocol telephony functions and video conferencing functions can be established only by using secure signaling and data protocols. (Control: 0548, Australian Government Information Security Manual: Controls)
  • The organization must use a Common Criteria-evaluated diode to control the data flow of unidirectional gateways between the public network infrastructure and sensitive networks or classified networks. (Control: 0643, Australian Government Information Security Manual: Controls)
  • The organization must use a high assurance diode from the Defence Signals Directorate Evaluated Products List to control the data flow of unidirectional gateways between the public network infrastructure and classified networks. (Control: 0645, Australian Government Information Security Manual: Controls)
  • The organization must use a common criteria-evaluated diode to control the data flow of unidirectional gateways between sensitive networks and classified networks. (Control: 1157, Australian Government Information Security Manual: Controls)
  • The organization must use a high assurance diode from the Defence Signals Directorate Evaluated Products List to control the data flow of unidirectional gateways between sensitive networks or classified networks, where the highest system is confidential or above. (Control: 1158, Australian Government Information Security Manual: Controls)
  • The organization must use a Common Criteria-evaluated diode between a foreign network and an Australian Eyes Only network or an Australian Government Access Only network of the same classification. (Control: 0646, Australian Government Information Security Manual: Controls)
  • The organization should use a Common Criteria-evaluated diode from the Defence Signals Directorate Evaluated Products List between another organizationally controlled network and an Australian Eyes Only network or an Australian Government Access Only network of the same classification. (Control: 0647, Australian Government Information Security Manual: Controls)
  • Protect system-to-system communication, including exchange of data, from unauthorised access and use (Attachment G Control Objective Row 5, APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Information flows over the network should be consistent with the network security policy. (§ 3.10.14, Australian Government ICT Security Manual (ACSI 33))
  • Implementers should secure the flow of information in the Information Security process by obtaining the decisions for the required corrective safeguards. (6.2 Bullet 3, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • In addition to the approach, also the design of the information domain to be protected with it must be defined. This may include the whole organisation or just parts. For example, certain organisational units of an organisation can be considered to be an information domain. However, this can also be… (§ 3.3.4 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Document basic specifications on information flow and on the reporting routes regarding the information security process in a corresponding policy and present them to the management level for passing. (§ 5.2.4 Subsection 2 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Basic specifications on information flow and on the reporting routes regarding the information security process should be documented in a corresponding policy and should be passed by the management level. The Guideline on information flow and on the reporting routes should regulate particularly the … (§ 5.2.4 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • User data transiting networks should be adequately protected against tampering and eavesdropping. (1. ¶ 1, Cloud Security Guidance, 1.0)
  • User data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure. (2. ¶ 1, Cloud Security Guidance, 1.0)
  • Data transiting networks should be adequately protected against tampering and eavesdropping through a combination of network protection and encryption. (1: ¶ 1, Cloud Security Guidance, 1.0)
  • Your data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure. (2: ¶ 1, Cloud Security Guidance, 1.0)
  • User data transiting networks should be adequately protected against tampering and eavesdropping. (1. ¶ 1, Cloud Security Guidance, 2)
  • Your data (and the assets storing or processing it) should be adequately protected. (2. ¶ 1, Cloud Security Guidance, 2)
  • The entity restricts the transmission, movement and removal of information to authorized internal and external users and processes, and protects it during transmission, movement or removal to meet the entity's objectives. (S7.3, Privacy Management Framework, Updated March 1, 2020)
  • The GxP system ensures external access and inputs only come from authorized clients and in the correct format. (¶ 21.12 Bullet 1, Good Practices For Computerized systems In Regulated GXP Environments)
  • The control system shall provide the capability to prevent any communication through the control system boundary when there is an operational failure of the boundary protection mechanisms (also termed fail close). This 'fail close' functionality shall be designed such that it does not interfere with… (9.4.3.3 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The network component shall provide the capability to protect against any communication through the control system boundary when there is an operational failure of the boundary protection mechanisms (also termed fail close). (15.12.3 (3) ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Establish and implement firewall configuration standards and router configuration standards that include a current data flow diagram showing cardholder data flows over the networks and systems. (PCI DSS Requirements § 1.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • During an audit, the auditors should trace the route data takes while in transit over private and public networks and when it is on media handled by a courier. They should also check on the status of stored data in the production, backup, and disaster recovery environments. The auditors should follo… (§ 5.4 (Infrastructure Risks) ¶ 4 thru ¶ 5, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • The organization should implement the sender policy framework by enabling receiver-side verification in mail servers and deploying sender policy framework records in Domain Name Servers, to lower the chance of spoofed e-mail messages. (Critical Control 13.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data. (CIS Control 12: Boundary Defense, CIS Controls, V7)
  • Security Gateways. A suitable security gateway arrangement will protect the organization's internal systems and securely manage and control the traffic flowing across it, in accordance with a documented security gateway service access policy (see below). A security gateway should: • separate logic… (¶ 13.8, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • The system should ensure that any operation that causes information to flow to or from a user is covered by an information flow control policy. Information flow controls should be required to implement strong protection against disclosure and modification by untrusted software. The system should be … (§ 11.5, § 11.6, § F.5, § F.6, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. (A.13.2.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • the organization shall ensure that there is consistency and traceability between the financial and technical data and other relevant non-financial data, to the extent required to meet its legal and regulatory requirements while considering its stakeholders' requirements and organizational objectives… (Section 7.5 ¶ 1(e), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • When the organization utilizes an IT infrastructure with mixed responsibilities between the organization and its personnel for IT assets or data or information, the organizations shall assess the associated risks. The organization shall ensure that processes and IT infrastructure involving such mixe… (Section 8.8 ¶ 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. (§ 13.2.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. (§ 5.14 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. (CC6.7 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishes a traffic flow policy for each managed interface; (SC-7(4)(b), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Establishes a traffic flow policy for each managed interface; (SC-7(4)(b), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. (CC6.7, Trust Services Criteria)
  • The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. (CC6.7 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Are internal systems required to pass through a content filtering proxy prior to accessing the Internet? (§ G.11.11, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • The organization must include the use of identification or authentication of communications partners, adequate encryption, and the incorporation of an effective password/key management system in the Internet communications implementation. (§ 7 (Acceptable Approaches to Internet Usage) ¶ 4, HIPAA HCFA Internet Security Policy, November 1998, Deprecated)
  • CSR 1.11.4: The organization must monitor and control system interconnections on an on-going basis. CSR 10.10.1(2): The organization must implement communication software to control access through the connections between workstations and systems. (CSR 1.11.4, CSR 10.10.1(2), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • WWAN systems should not be used to process, transmit, or store classified information. Examine training material and/or user agreements to verify users know they should not use WWAN systems to process, transmit, or store classified information. Interview the Information Assurance Officer (IAO) to ve… (§ 4.2 (WIR0373), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2)
  • If text messaging (such as, Short Message Service [SMS], Multimedia Messaging Service [MMS], Pin-to-Pin messaging, and other text messaging services) is used, the security requirements from the appropriate wireless e-mail system checklist should be followed. If SMS is used, annual Information Assur… (§ 2.2 (WIR1220), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • Control the flow of CUI in accordance with approved authorizations. (AC.2.016, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Control the flow of CUI in accordance with approved authorizations. (AC.2.016, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Control the flow of CUI in accordance with approved authorizations. (AC.2.016, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Control information flows between security domains on connected systems. (AC.4.023, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Control the flow of CUI in accordance with approved authorizations. (AC.2.016, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Control information flows between security domains on connected systems. (AC.4.023, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Control the flow of CUI in accordance with approved authorizations. (AC.L2-3.1.3 Control CUI Flow, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Discretionary access controls are sufficient to connect Department of Defense Information Systems that operate at the same classification and have different need-to-know access rules. (ECIC-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Mechanisms must be implemented to ensure the integrity of transmitted information, to include security parameters and labels. (ECTM-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Interconnections between Department of Defense systems operating at different classification levels or between Department of Defense and non-Department of Defense networks or systems must have a controlled interface. (ECIC-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Technical security measures shall be implemented to guard transmitted electronic protected health information from unauthorized access. (§ 164.312(e)(1), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. (§ 164.312(e)(1), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Delivery Notification in Direct. Able to send and receive health information in accordance with the standard specified in §170.202(e)(1). (§ 170.315 (h) (1) (ii), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Delivery Notification in Direct. Able to send and receive health information in accordance with the standard specified in §170.202(e)(1). (§ 170.315 (h) (2) (ii), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Delivery Notification in Direct. Able to send and receive health information in accordance with the standard specified in §170.202(e)(1). (§ 170.315 (h) (1) (ii), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Delivery Notification in Direct. Able to send and receive health information in accordance with the standard specified in §170.202(e)(1). (§ 170.315 (h) (2) (ii), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • The information flow between interconnected systems shall be controlled by the network infrastructure. (§ 5.10.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The network infrastructure shall control the flow of information between interconnected systems. Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without… (§ 5.10.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The requirement to use or not use AA is dependent upon the physical, personnel, and technical security controls associated with the user location and whether CJI is accessed directly or indirectly. AA shall not be required for users requesting access to CJI from within the perimeter of a physically … (§ 5.6.2.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The NCIC hosts restricted files and non-restricted files. NCIC restricted files are distinguished from NCIC non-restricted files by the policies governing their access and use. Proper access to, use, and dissemination of data from restricted files shall be consistent with the access, use, and dissem… (§ 4.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The network infrastructure shall control the flow of information between interconnected systems. Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without… (§ 5.10.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Definition of appropriate policies, standards, and procedures for file exchange activities. (App A Objective 11:1e Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management incorporates AIO considerations into the design, implementation, and use of file exchange. (III.I, "File Exchange") (App A Objective 11, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management maintains policies and effectively controls and protects access to and transmission of information to avoid loss or damage. Review whether management does the following: (App A Objective 6.18, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Identifies connections between and access across low-risk and high-risk systems. (App A Objective 6.7.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Implements and assesses the adequacy of appropriate controls to ensure the security of connections. (App A Objective 6.7.e, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management comprehensively and effectively identifies, measures, mitigates, monitors, and reports interconnectivity risk. Review whether management does the following: (App A Objective 6.7, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine the extent of network connectivity internally and externally and the boundaries and functions of security domains. (App A Objective 1.4.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should control and protect access to and transmission of information to avoid loss or damage and do the following: - Establish and supervise compliance with policies for storing and handling information, including storing data on mobile devices and cloud services. - Define and implement… (II.C.13 Control of Information, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Implementing a governance process to establish, monitor, maintain, and test controls to mitigate interconnectivity risk. (App A Objective 12:8 h., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Distributed computing. (App A Objective 12:12 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The organization should develop data flow diagrams to identify data shared between or within systems, applications that share data, and the classification of the data that is being transmitted between or within systems. (Pg 10, Exam Tier I Obj 4.3, FFIEC IT Examination Handbook - Operations, July 2004)
  • The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes a traffic flow policy for each managed interface; (SC-7(4)(b) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes a traffic flow policy for each managed interface; (SC-7(4)(b) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Establish a traffic flow policy for each managed interface; (SC-7(4)(b), FedRAMP Security Controls High Baseline, Version 5)
  • Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (SC-7(4)(g), FedRAMP Security Controls High Baseline, Version 5)
  • Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; (CA-9b., FedRAMP Security Controls High Baseline, Version 5)
  • Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; (CA-9b., FedRAMP Security Controls Low Baseline, Version 5)
  • Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Establish a traffic flow policy for each managed interface; (SC-7(4)(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (SC-7(4)(g), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; (CA-9b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization must ensure the information system enforces the assigned authorizations to control the flow of information within the system and between interconnected systems. (§ 5.6.1, § 5.6.15, Exhibit 4 AC-4, Exhibit 4 AC-13, Exhibit 4 SC-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Is any data communicated to other companies by unsecured modems? (IT - Remote Access Q 3, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; (CA-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish a traffic flow policy for each managed interface; (SC-7(4)(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (SC-7(4)(g), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; (CA-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; (CA-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish a traffic flow policy for each managed interface; (SC-7(4)(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (SC-7(4)(g), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Employ [Assignment: organization-defined secure information transfer solutions] to control information flows between security domains on connected systems. (3.1.3e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • § 3 Access Control (AC) Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. § 3 Certi… (§ 3 Access Control (AC), § 3 Certification, Accreditation, and Security Assessments (CA), FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Effectiveness of protection technologies is shared with appropriate parties. (PR.IP-8, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • The flow of information between interconnected systems and within the system should be in accordance with organizational policy. The configuration settings of the system should be examined to ensure controls are implemented to restrict the information flow. Organizational records and documents shoul… (AC-4, CA-3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes a traffic flow policy for each managed interface; (SC-7(4) ¶ 1(b) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes a traffic flow policy for each managed interface; (SC-7(4) ¶ 1(b) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The smart grid Information System should enforce assigned authorizations to control information flow inside the system and between interconnected systems. (SG.AC-5 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System should use explicit labels on information, destination objects, and source objects to base the flow control decisions and to enforce information flow control. (SG.AC-5 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System should allow or disallow information flow based on operational considerations or changing conditions to enforce dynamic information flow. (SG.AC-5 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System must monitor and control the communications at key internal boundaries and at the system's external boundary. (SG.SC-7 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The communications from and to the smart grid Information System components shall be restricted to specific components in the system. (SG.SC-7 Requirement Enhancements 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Control the flow of CUI in accordance with approved authorizations. (3.1.3, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Control the flow of CUI in accordance with approved authorizations. (3.1.3, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Control the flow of CUI in accordance with approved authorizations. (3.1.3, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must establish and maintain information flow enforcement policies and procedures to control the authorized flow of information inside the system and between interconnected systems. (App F § AC-4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should enforce security policies regarding information on interconnected systems. (App F § AC-4(16), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should uniquely identify and authenticate source and destination domains for information transfer. (App F § AC-4(17)(a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should establish traffic flow policies for the managed interfaces. (App F § SC-7(4)(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should remove traffic flow policy exceptions when they are not supported by explicit business needs or mission needs. (App F § SC-7(4)(f), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on {organizationally documented information flow control policies}. (AC-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains. (AC-4(22), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization establishes a traffic flow policy for each managed interface. (SC-7(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on {organizationally documented information flow control policies}. (AC-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization establishes a traffic flow policy for each managed interface. (SC-7(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on {organizationally documented information flow control policies}. (AC-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization establishes a traffic flow policy for each managed interface. (SC-7(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishes a traffic flow policy for each managed interface; (SC-7(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes a traffic flow policy for each managed interface; (SC-7(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establishes a traffic flow policy for each managed interface; (SC-7(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains. (AC-4(22) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions. (AC-24(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains. (AC-4(22) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish a traffic flow policy for each managed interface; (SC-7(4)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (SC-7(4)(g), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; (CA-9b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions. (AC-24(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains. (AC-4(22) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establish a traffic flow policy for each managed interface; (SC-7(4)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (SC-7(4)(g), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; (CA-9b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions. (AC-24(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control:, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The auditor should evaluate the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported. (¶ 74, PCAOB Auditing Standard No. 2)
  • The auditor should understand how information flows, including how transactions are "initiated, authorized, processed, and recorded." (¶ 34, PCAOB Auditing Standard No. 5)
  • § A.3.a.2.a: System rules shall include limits on interconnections to other systems. § A.3.b.2.f: Information that is shared from an application shall be protected comparably to the protection provided to the information when it is in the application. (§ A.3.a.2.a, § A.3.b.2.f, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b., TX-RAMP Security Controls Baseline Level 1)
  • The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. (AC-4 Control, TX-RAMP Security Controls Baseline Level 2)
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. (CA-9b., TX-RAMP Security Controls Baseline Level 2)
  • Establishes a traffic flow policy for each managed interface; (SC-7(4)(b), TX-RAMP Security Controls Baseline Level 2)