
Establish, implement, and maintain information flow procedures.


CONTROL ID
04542
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain information flow control policies inside the system and between interconnected systems., CC ID: 01410

This Control has the following implementation support Control(s):
  • Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case., CC ID: 06242
  • Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity., CC ID: 06243


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • App 2-1 Item Number IV.4(6): The transfer of data must comply with the data control rules to prevent the use of wrong data, the falsification of data, and the abuse of data. This is a control item that constitutes a greater risk to financial information. This is an IT general control and an IT appli… (App 2-1 Item Number IV.4(6), App 2-1 Item Number IV.4(7), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O55: The organization shall define contract conditions for external connections, including connection methods and data format and content, before concluding a contract for data transmission via line connections. O55.1: To conclude contracts for data transmission via line connections, the organizatio… (O55, O55.1, O55.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • When exporting data, protective marking checks are undertaken. (Security Control: 1187; Revision: 1, Australian Government Information Security Manual, March 2021)
  • A data transfer process, and supporting data transfer procedures, is developed and implemented. (Security Control: 0663; Revision: 5, Australian Government Information Security Manual, March 2021)
  • data format checks and logging (Security Control: 0669; Revision: 3; Bullet 2, Australian Government Information Security Manual, March 2021)
  • Data transfer processes, and supporting data transfer procedures, are developed, implemented and maintained. (Control: ISM-0663; Revision: 7, Australian Government Information Security Manual, June 2023)
  • Data transfer processes, and supporting data transfer procedures, are developed, implemented and maintained. (Control: ISM-0663; Revision: 7, Australian Government Information Security Manual, September 2023)
  • The types of files that may be transferred across the network should be defined and limited based on business requirements and the results of a risk assessment. Data identified as suspicious by a data filter should be dropped or blocked until reviewed by a trusted source. The export of data to a low… (§ 3.11.9, § 3.11.11, § 3.11.28, Australian Government ICT Security Manual (ACSI 33))
  • The organization should use a whitelist for the allowed types of web content. (Mitigation Strategy Effectiveness Ranking 9, Strategies to Mitigate Targeted Cyber Intrusions)
  • ensure the security of the means of transfer of data; (Art. 9.3.(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • protection of information during processing, transmission, and storage (e.g. through the use of cryptography), (§ 8.1 Subsection 5 ¶ 2 Bullet 8, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The basic specifications for the flow of information and the reporting routes which are related to the information security process should be documented in a corresponding policy and submitted to management for approval. (6.2 Bullet 1, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • It is recommended to also consider data carriers and documents during acquisition and to handle them like applications. As far as they are not tightly linked to an application or an IT system, data carriers and documents must be integrated separately into the structure analysis. Certainly, it will n… (§ 8.1.3 ¶ 9, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The PRA expects firms to implement robust controls for data-in-transit, data-in-memory, and data-at-rest. Depending on the materiality and risk of the arrangement, these controls may include a range of preventative and detective measures, including but not necessarily limited to: (§ 7.11, SS2/21 Outsourcing and third party risk management, March 2021)
  • The control system shall provide the capability to prevent any communication through the control system boundary when there is an operational failure of the boundary protection mechanisms (also termed fail close). This 'fail close' functionality shall be designed such that it does not interfere with… (9.4.3.3 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The organization should limit data flow to or deny communications with known malicious Internet Protocol addresses or limit access to trusted sites. (Critical Control 13.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure protection of confidentiality, integrity, and availability of data exchanged between one or more system interfaces, jurisdictions, or external business relationships to preve… (AIS-04, Cloud Controls Matrix, v3.0)
  • ¶ 8.2.5(1-4) Cryptography. An organization should implement safeguards to assure cryptography procedures are in place. Cryptography is a mathematical means of transforming data to provide security. It can be used for many different purposes in IT security, for example, cryptography can help to prov… (¶ 8.2.5(1-4), ¶ 9.2 Table Row "Data Confidentiality Protection", ¶ 9.2 Table Row "Data Integrity Protection", ¶ 9.2 Table Row "Non-Repudiation", ¶ 9.2 Table Row "Data Authenticity", ¶ 10.3.6, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • ¶ 13.10 Data Integrity Over Networks. In circumstances where preservation of integrity is important, digital signature and/or message integrity safeguards should be considered to protect information passing over network connections. Message integrity safeguards (for example using message authentica… (¶ 13.10, ¶ 13.11, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. (A.13.2.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. (§ 9.1.1 Health-specific control ¶ 4, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. (§ 13.2.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. (§ 5.14 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Documented information should be distributed and made available to authorized interested parties. For this, the organization should establish who are the relevant interested parties for each documented information (or groups of documented information), and the means to use for distribution, access, … (§ 7.5.3 Guidance ¶ 4, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • A baseline of network operations and expected data flows for users and systems is established and managed. (DE.AE-1, CRI Profile, v1.2)
  • Verify and control/limit connections to and use of external information systems. (§ 52.204-21(b)(1)(iii), Federal Acquisition Regulation 52.204-21 Basic Safeguarding of Covered Contractor Information Systems)
  • Control information posted or processed on publicly accessible information systems. (§ 52.204-21(b)(1)(iv), Federal Acquisition Regulation 52.204-21 Basic Safeguarding of Covered Contractor Information Systems)
  • Information Systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (Section 4.C ¶ 1(4)(b), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • An inpatient rehabilitation facility must encode and transmit data for a Medicare Part A fee-for-service and a Medicare Part C inpatient using a computerized patient assessment instrument from the Centers for Medicare & Medicaid Services (CMS) or a computer program that conforms to CMS' standard ele… (§ 412.614(a), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • The organization must verify that management has authorized system interconnections and that controls have been established and distributed to the interconnected system owners. Each interconnected system must have a signed interconnection security agreement (ISA). All remote locations must follow th… (CSR 1.11.4, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Control information posted or processed on publicly accessible information systems. (AC.1.004, Cybersecurity Maturity Model Certification, Version 1.0, Level 1)
  • Verify and control/limit connections to and use of external information systems. (AC.1.003, Cybersecurity Maturity Model Certification, Version 1.0, Level 1)
  • Control information posted or processed on publicly accessible information systems. (AC.1.004, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Verify and control/limit connections to and use of external information systems. (AC.1.003, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Control information posted or processed on publicly accessible information systems. (AC.1.004, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Verify and control/limit connections to and use of external information systems. (AC.1.003, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter). (SC.3.193, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Control information posted or processed on publicly accessible information systems. (AC.1.004, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Verify and control/limit connections to and use of external information systems. (AC.1.003, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter). (SC.3.193, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Verify and control/limit connections to and use of external information systems. (AC.1.003, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Control information posted or processed on publicly accessible information systems. (AC.1.004, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter). (SC.3.193, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Security measures shall be implemented to ensure electronically transmitted electronic protected health information is not improperly modified without being detected. The covered entity shall assess these security measures to determine if it is a reasonable and appropriate safeguard in the environme… (§ 164.312(e)(2)(i), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The organization shall transmit the law enforcement access field (LEAF) and the initialization vector (IV) with the ciphertext and shall register the protocol specifics that are used for creating and transmitting the LEAF, IV, and encrypted data and assign a cryptographic protocol field (CPF). The a… (§ 5 ¶ 2, FIPS Pub 185, Escrowed Encryption Standard (EES))
  • A baseline of network operations and expected data flows for users and systems is established and managed (DE.AE-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • A baseline of network operations and expected data flows for users and systems is established and managed (DE.AE-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • A baseline of network operations and expected data flows for users and systems is established and managed. (DE.AE-1, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • System interconnection agreements should be examined to ensure the agreements state the types of permissible and impermissible information flows, state the level of authorization required for the information flows, and comply with NIST Special Publication 800-47. Organizational records and documents… (AC-4.1, CA-3.2, SC-16, SC-16.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Provide a managed flow of relevant information (via web-based portals or other means) based on mission requirements. (T0195, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Establish processing, exploitation and dissemination management activity using approved guidance and/or procedures. (T0683, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The smart grid information system's security policy filters should be reviewed by human reviewers when the system is not able to make an information flow control decision. (SG.AC-5 Additional Considerations A4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Control information posted or processed on publicly accessible information systems. (3.1.22, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Verify and control/limit connections to and use of external information systems. (3.1.20, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Control CUI posted or processed on publicly accessible systems. (3.1.22, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Verify and control/limit connections to and use of external systems. (3.1.20, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Control CUI posted or processed on publicly accessible systems. (3.1.22, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Verify and control/limit connections to and use of external systems. (3.1.20, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must establish and maintain policies and procedures for publicly accessible content that designate authorized individuals to post information onto a publicly accessible system; trains authorized individuals to ensure publicly accessible information does not contain nonpublic informa… (App F § AC-22, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use information flow control on metadata. (App F § AC-4(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should track problems associated with the security attribute binding and information transfer. (App F § AC-4(17)(c), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Provide a managed flow of relevant information (via web-based portals or other means) based on mission requirements. (T0195, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establish processing, exploitation and dissemination management activity using approved guidance and/or procedures. (T0683, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The information system enforces information flow control based on {organizationally documented metadata}. (AC-4(6), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • The information system binds security attributes to information using {organizationally documented binding techniques} to facilitate information flow policy enforcement. (AC-4(18), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • The organization employs {organizationally documented solutions in approved configurations} to control the flow of {organizationally documented information} across security domains. (AC-4(20), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. (AC-4(20) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. (AC-4(20) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Refresh [Assignment: organization-defined information] at [Assignment: organization-defined frequencies] or generate the information on demand and delete the information when no longer needed. (SI-21 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Does not filter message content; (AC-4(32) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. (AC-4(20) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Refresh [Assignment: organization-defined information] at [Assignment: organization-defined frequencies] or generate the information on demand and delete the information when no longer needed. (SI-21 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Does not filter message content; (AC-4(32) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal. (Section 27-62-4(c)(4) b., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Development of employee security policies and procedures for the storage of, access to, transport of and transmittal of personal information off-premises; (§ 38a-999b(b)(2)(E), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • Information systems, including, but not limited to, network and software design, as well as information classification, governance, processing, storage, transmission and disposal; and (Part VI(c)(3)(D)(ii), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • An information system, including network and software design and information classification, governance, processing, storage, transmission, and disposal. (§ 8604.(c)(4) b., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (§431:3B-202(b)(4)(B), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Information systems, including network and software design, and information classification, governance, processing, storage, transmission, and disposal. (Sec. 17.(4)(B), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Information systems, including network and software design; and information classification, governance, processing, storage, transmission, and disposal. (507F.4 3.d.(2), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal. (§2504.C.(4)(b), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission and disposal; and (§2264 3.D.(2), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal. (Sec. 555.(3)(d)(ii), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (§ 60A.9851 Subdivision 3(4)(ii), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission and disposal; and (§ 83-5-807 (3)(d)(ii), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (§ 420-P:4 III.(d)(2), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (26.1-02.2-03. 3.d.(2), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; (Section 3965.02 (C)(4)(b), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • information systems, including network and software design, and information classification, governance, processing, storage, transmission, and disposal; and (SECTION 38-99-20. (C)(4)(b), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (§ 56-2-1004 (3)(D)(ii), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Information systems, including the classification, governance, processing, storage, transmission, and disposal of information. (§ 601.952(2)(c)2., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)
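Several of the authority documents above describe the mechanical side of an information flow procedure rather than just the paperwork: protective marking checks on export (ISM Security Control 1187), a defined and limited set of transferable file types with data format checks and logging (ACSI 33 § 3.11.9, ISM 0669), flow control driven by metadata (NIST SP 800-53 AC-4(6)), fail-closed behaviour when the boundary mechanism fails (IEC 62443-3-3 § 9.4.3.3), and referral to a human reviewer when the policy filter cannot decide (NISTIR 7628 SG.AC-5). The following is an added example, not code from this page or from any of the cited standards, showing how those checks fit together in one export filter. The marking scheme, destination domain names, file types, the `legal_hold` metadata tag and the sample requests are all hypothetical and constructed for illustration.

```python
"""Added example of an information-flow check for data export (hypothetical
marking scheme, domains and file types; not from any cited authority document)."""
import json
import logging
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Hypothetical ordered protective marking scheme; higher index = more sensitive.
MARKING_ORDER = ["OFFICIAL", "OFFICIAL:SENSITIVE", "PROTECTED"]

# Hypothetical destination domains and the highest marking each may receive.
DOMAIN_CEILING = {"partner-a": "OFFICIAL:SENSITIVE", "public-web": "OFFICIAL"}


def _is_json(data: bytes) -> bool:
    """Format check for JSON exports: must decode as UTF-8 and parse."""
    try:
        json.loads(data.decode("utf-8"))
        return True
    except (UnicodeDecodeError, ValueError):
        return False


def _is_text(data: bytes) -> bool:
    """Format check for CSV exports: UTF-8 text with no NUL bytes."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return b"\x00" not in data


# Allowlist of transferable file types, each paired with its format check.
ALLOWED_TYPES: Dict[str, Callable[[bytes], bool]] = {"json": _is_json, "csv": _is_text}


@dataclass
class ExportRequest:
    filename: str
    file_type: str
    marking: Optional[str]      # protective marking; None if the export is unmarked
    destination: str
    payload: bytes
    metadata: dict = field(default_factory=dict)


def _log(log: logging.Logger, req: ExportRequest, decision: str, reason: str) -> str:
    """Record every decision, allowed or not, then return it."""
    log.info("export %s -> %s: %s (%s)", req.filename, req.destination, decision, reason)
    return decision


def decide_export(req: ExportRequest, log: logging.Logger = logging.getLogger("export-filter")) -> str:
    """Return 'allow', 'deny' or 'review'. Anything unexpected is denied (fail closed)."""
    try:
        if req.file_type not in ALLOWED_TYPES:
            return _log(log, req, "deny", "file type not on allowlist")
        if not ALLOWED_TYPES[req.file_type](req.payload):
            return _log(log, req, "deny", "payload fails format check")
        if req.marking is None:
            # The filter cannot make a flow decision without a marking, so a human must.
            return _log(log, req, "review", "no protective marking on export")
        if req.marking not in MARKING_ORDER or req.destination not in DOMAIN_CEILING:
            return _log(log, req, "deny", "unknown marking or destination")
        ceiling = DOMAIN_CEILING[req.destination]
        if MARKING_ORDER.index(req.marking) > MARKING_ORDER.index(ceiling):
            return _log(log, req, "deny", "marking exceeds ceiling for " + req.destination)
        # Metadata-based flow control: a hypothetical legal_hold tag blocks transfer.
        if req.metadata.get("legal_hold"):
            return _log(log, req, "deny", "metadata legal_hold set")
        return _log(log, req, "allow", "all checks passed")
    except Exception as exc:  # failure of the boundary mechanism itself: fail closed
        return _log(log, req, "deny", "filter error: %r" % (exc,))


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample requests, not real data.
    decide_export(ExportRequest("report.json", "json", "OFFICIAL", "partner-a", b'{"a": 1}'))
    decide_export(ExportRequest("report.json", "json", "PROTECTED", "partner-a", b'{"a": 1}'))
    decide_export(ExportRequest("report.json", "json", None, "partner-a", b'{"a": 1}'))
    decide_export(ExportRequest("tool.exe", "exe", "OFFICIAL", "partner-a", b"MZ"))
```

The ordering matters: cheap structural checks (type allowlist, format) run before the marking comparison, an unmarked export goes to review rather than being silently allowed, and any exception inside the filter yields a deny rather than an open boundary. Every branch writes a log line, so the transfer log can be reconciled against the procedure during audit.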