Enforce information flow control.
CONTROL ID
11781
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Technical security, CC ID: 00508

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain information flow control configuration standards., CC ID: 01924
  • Establish, implement, and maintain information flow control policies inside the system and between interconnected systems., CC ID: 01410


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Monitor and control the movement of sensitive information across enterprise networks (Critical components of information security 15) xi. ¶ 2 Bullet 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization must ensure all gateways contain a mechanism to filter data flows at the network layer. (Control: 0628 Bullet 2, Australian Government Information Security Manual: Controls)
  • Use network-based DLP solutions to monitor and control the flow of data within the network. Any anomalies that exceed the normal traffic patterns should be noted and appropriate action taken to address them. (Control 13.6, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. (A.13.2.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. (§ 13.2.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Data-in-transit is protected. (PR.DS-2, CRI Profile, v1.2)
  • The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]. (AC-4(8) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Implements a layered control system using different controls at different points in a transaction process. (App A Objective 6.4.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Implements appropriate controls over the electronic transmission of information or, if appropriate safeguards are unavailable, restricts the type of information that can be transmitted. (App A Objective 6.18.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should control and protect access to and transmission of information to avoid loss or damage and do the following: - Establish and supervise compliance with policies for storing and handling information, including storing data on mobile devices and cloud services. - Define and implement… (II.C.13 Control of Information, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]. (AC-4(8) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Enforce information flow control based on [Assignment: organization-defined metadata]. (AC-4(6) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization should use security policy filters as a basis for flow control decisions. (App F § AC-4(8), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system enforces information flow control using {organizationally documented security policy filters} as a basis for flow control decisions for {organizationally documented information flows}. (AC-4(8), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system, when transferring information between different security domains, decomposes information into {organizationally documented policy-relevant subcomponents} for submission to policy enforcement mechanisms. (AC-4(13), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]. (AC-4(8) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system enforces information flow control based on [Assignment: organization-defined metadata]. (AC-4(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system enforces dynamic information flow control based on [Assignment: organization-defined policies]. (AC-4(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. (AC-4(13) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. (AC-4(13) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Enforce information flow control based on [Assignment: organization-defined metadata]. (AC-4(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Enforce [Assignment: organization-defined information flow control policies]. (AC-4(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and (AC-4(8)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • The information system enforces information flow control based on [Assignment: organization-defined metadata]. (AC-4(6) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)