Enforce information flow control.


CONTROL ID
11781
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Technical security, CC ID: 00508

This Control has the following implementation support Control(s):
  • Monitor information flows for anomalies., CC ID: 16365
  • Establish, implement, and maintain information flow control configuration standards., CC ID: 01924
  • Establish, implement, and maintain information flow control policies inside the system and between interconnected systems., CC ID: 01410


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Monitor and control the movement of sensitive information across enterprise networks (Critical components of information security 15) xi. ¶ 2 Bullet 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Gateways only allow explicitly authorised data flows. (Control: ISM-0631; Revision: 7, Australian Government Information Security Manual, June 2023)
  • Gateways only allow explicitly authorised data flows. (Control: ISM-0631; Revision: 7, Australian Government Information Security Manual, September 2023)
  • The organization must ensure all gateways contain a mechanism to filter data flows at the network layer. (Control: 0628 Bullet 2, Australian Government Information Security Manual: Controls)
  • For the purpose of the first subparagraph, financial entities shall produce, after collecting and analysing all relevant information, the initial notification and reports referred to in paragraph 4 of this Article using the templates referred to in Article 20 and submit them to the competent authori… (Art. 19.1. ¶ 4, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Basic specifications on information flow and on the reporting routes regarding the information security process should be documented in a corresponding policy and should be passed by the management level. The Guideline on information flow and on the reporting routes should regulate particularly the … (§ 5.2.4 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • With regard to using the network plan for the structure analysis, the next step entails comparing the existing network plan (or partial plans, if the overall plan has been divided into smaller sections to make it easier to read) with the actual existing IT structure and if necessary updating it to r… (§ 8.1.4 Subsection 1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In order to define the protection needs of an IT system, the applications that directly relate to the IT system must be considered first. A summary of the applications that are relevant for the various IT systems have been determined within the scope of the structure analysis (see Section 8.1). The … (§ 8.2.4 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Use network-based DLP solutions to monitor and control the flow of data within the network. Any anomalies that exceed the normal traffic patterns should be noted and appropriate action taken to address them. (Control 13.6, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. (A.13.2.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. (§ 13.2.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Data-in-transit is protected. (PR.DS-2, CRI Profile, v1.2)
  • The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]. (AC-4(8) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (§ 52.204-21 (b)(1)(x), 48 CFR Part 52.204-21, Basic Safeguarding of Covered Contractor Information Systems)
  • Implements a layered control system using different controls at different points in a transaction process. (App A Objective 6.4.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Implements appropriate controls over the electronic transmission of information or, if appropriate safeguards are unavailable, restricts the type of information that can be transmitted. (App A Objective 6.18.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should control and protect access to and transmission of information to avoid loss or damage and do the following: - Establish and supervise compliance with policies for storing and handling information, including storing data on mobile devices and cloud services. - Define and implement… (II.C.13 Control of Information, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]. (AC-4(8) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Enforce information flow control based on [Assignment: organization-defined metadata]. (AC-4(6) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Enforce information flow control based on [Assignment: organization-defined metadata]. (AC-4(6) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization should use security policy filters as a basis for flow control decisions. (App F § AC-4(8), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system enforces information flow control using {organizationally documented security policy filters} as a basis for flow control decisions for {organizationally documented information flows}. (AC-4(8), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system, when transferring information between different security domains, decomposes information into {organizationally documented policy-relevant subcomponents} for submission to policy enforcement mechanisms. (AC-4(13), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]. (AC-4(8) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system enforces information flow control based on [Assignment: organization-defined metadata]. (AC-4(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system enforces dynamic information flow control based on [Assignment: organization-defined policies]. (AC-4(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. (AC-4(13) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. (AC-4(13) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Enforce information flow control based on [Assignment: organization-defined metadata]. (AC-4(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Enforce [Assignment: organization-defined information flow control policies]. (AC-4(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and (AC-4(8)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. (AC-4(13) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Enforce information flow control based on [Assignment: organization-defined metadata]. (AC-4(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Enforce [Assignment: organization-defined information flow control policies]. (AC-4(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and (AC-4(8)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The information system enforces information flow control based on [Assignment: organization-defined metadata]. (AC-4(6) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
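The NIST SP 800-53 AC-4 enhancements cited above describe flow control in terms of three mechanisms: decisions driven by metadata attached to the information (AC-4(6)), security policy filters applied to defined flows (AC-4(8)), and decomposition of a transfer into policy-relevant subcomponents that are submitted to the enforcement mechanisms individually (AC-4(13)); ISM-0631 adds that only explicitly authorised flows may pass a gateway. The following is an added worked example of a small enforcement point combining those four ideas; it is not code from the cited standards or from this control catalog. The sensitivity levels, compartments, domain names ("corp", "partner", "internet"), the authorised-flow table, the two filters and the sample messages are all constructed assumptions for illustration.

```python
"""Label- and filter-based information flow enforcement point (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Ordered sensitivity levels (assumed names, not taken from any cited standard).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}


@dataclass(frozen=True)
class Label:
    """Security metadata carried by the information (AC-4(6)-style label)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: the receiver may take the data only if its level is at
        # least the data's level AND it holds every compartment on the data.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Message:
    src: str
    dst: str
    label: Label
    parts: Dict[str, str]  # policy-relevant subcomponents (AC-4(13)-style)


# Hypothetical clearance of each destination domain (assumption).
DOMAIN_CLEARANCE = {
    "corp": Label("RESTRICTED", frozenset({"FIN", "HR"})),
    "partner": Label("INTERNAL"),
    "internet": Label("PUBLIC"),
}
# Explicitly authorised flows; any (src, dst) pair not listed is denied (ISM-0631 idea).
AUTHORISED_FLOWS = {("corp", "partner"), ("corp", "internet"), ("partner", "corp")}

# A policy filter inspects one subcomponent and returns (verdict, new_content),
# where verdict is "pass", "modify" or "deny".
Filter = Callable[[str, str, Message], Tuple[str, Optional[str]]]

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # crude card-number candidate pattern


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def deny_card_numbers(name: str, content: str, msg: Message):
    """Deny any subcomponent carrying a Luhn-valid card number leaving 'corp'."""
    if msg.src != "corp" or msg.dst == "corp":
        return "pass", content
    for m in PAN_RE.finditer(content):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "deny", None
    return "pass", content


def strip_internal_headers(name: str, content: str, msg: Message):
    """Strip X-Internal-* lines from the 'headers' subcomponent (sanitising filter)."""
    if name != "headers":
        return "pass", content
    lines = content.splitlines()
    kept = [ln for ln in lines if not ln.lower().startswith("x-internal-")]
    return ("pass", content) if len(kept) == len(lines) else ("modify", "\n".join(kept))


DEFAULT_FILTERS: List[Filter] = [strip_internal_headers, deny_card_numbers]


def enforce(msg: Message, filters: List[Filter] = DEFAULT_FILTERS
            ) -> Tuple[str, Dict[str, str], List[str]]:
    """Return ("ALLOW"|"DENY", released subcomponents, reasons) for one transfer."""
    if (msg.src, msg.dst) not in AUTHORISED_FLOWS:
        return "DENY", {}, [f"flow {msg.src}->{msg.dst} is not explicitly authorised"]
    clearance = DOMAIN_CLEARANCE[msg.dst]
    if not clearance.dominates(msg.label):
        return "DENY", {}, [f"{msg.dst} clearance does not dominate label {msg.label}"]
    reasons: List[str] = []
    released: Dict[str, str] = {}
    for name, content in msg.parts.items():  # each subcomponent goes through every filter
        for f in filters:
            verdict, content = f(name, content, msg)
            if verdict == "deny":
                return "DENY", {}, reasons + [f"{f.__name__} rejected part '{name}'"]
            if verdict == "modify":
                reasons.append(f"{f.__name__} modified part '{name}'")
        released[name] = content
    return "ALLOW", released, reasons


if __name__ == "__main__":
    # Constructed sample transfer: internal trace header is stripped, body passes.
    m = Message("corp", "partner", Label("INTERNAL"),
                {"headers": "From: ops@example.test\nX-Internal-Trace: 42", "body": "hello"})
    print(enforce(m))
```

Note the order of checks: the allow-list and the label lattice reject a transfer before any content is inspected, so a misconfigured or bypassed filter cannot release information that the metadata already forbids; the filters then act only on what the lattice permits, and a single "deny" verdict on any subcomponent fails the whole transfer rather than releasing the remaining parts.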