SC-07-727 Boundary Protection


Family: System and Communications Protection
Baselines: LOW, MOD, HIGH
Priority: P1
Yes
May 20, 2016

The Agency's network defense systems shall monitor and control inbound and outbound traffic to each segment of the Agency's network. Information resources with any degree of sensitivity shall employ host-based firewalls to control inbound and outbound traffic to the specific resource.

Computer connections and information flows can breach the access control policy when network routing configurations are inconsistent with that policy.
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
The system boundary is explicitly defined and protected by a combination of hardware mechanisms (i.e., defense in depth).
The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
Obtain the system and communications protection policy; procedures addressing boundary protection; the list of key internal boundaries of the information system; information system design documentation; boundary protection hardware and software; information system configuration settings and associated documentation; information system hardware and software; information system architecture; the list of mediation vehicles for allowing public access to the organization’s internal networks; and other relevant documents or records, and ascertain if:
(i) the organization defines key internal boundaries of the information system;
(ii) the information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system;
(iii) the organization physically allocates publicly accessible information system components to separate subnetworks with separate, physical network interfaces;
(iv) the organization defines the mediation necessary for public access to the organization’s internal networks;
(v) the organization prevents public access into the organization’s internal networks except as appropriately mediated;
(vi) the organization limits the number of access points to the information system to allow for better monitoring of inbound and outbound network traffic;
(vii) the organization implements a managed interface (boundary protection devices in an effective security architecture) with any external telecommunication service, implementing controls appropriate to the required protection of the confidentiality and integrity of the information being transmitted;
(viii) the information system denies network traffic by default and allows network traffic by exception;
(ix) the information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.
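As an added illustration that is not part of the control text, the following Python script checks a host or gateway firewall ruleset in iptables-save format against assessment item (viii) (deny by default, allow by exception) and the DMZ separation in control item b. The two sample rulesets and the interface names eth_dmz and eth_int are constructed assumptions, not values from the control.

```python
# Audit an iptables-save filter table for SC-7 (b), (viii), (ix): deny by default, allow by
# exception, no unrestricted DMZ-to-internal forwarding. Samples/interface names are constructed.
def parse_ruleset(text):
    # returns chain default policies and the '-A' rules of *filter as token lists
    policies, rules, in_filter = {}, [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):                  # table header: *filter, *nat, ...
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):  # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(line.split())
    return policies, rules

def arg_after(rule, flag, default=None):  # value following a flag, or default if absent
    return rule[rule.index(flag) + 1] if flag in rule else default

def audit(text, dmz_if="eth_dmz", internal_if="eth_int"):
    # returns a list of findings; empty means every check passed
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):  # (viii) inbound and transit chains must default to DROP
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    for rule in (r for r in rules if arg_after(r, "-j") == "ACCEPT"):
        if len(rule) == 4:  # ['-A', chain, '-j', 'ACCEPT']: an allow with no exception criteria
            findings.append(f"{rule[1]}: ACCEPT with no match criteria")
        states = arg_after(rule, "--ctstate", "NEW").split(",")  # no ctstate => NEW matches too
        if (rule[1] == "FORWARD" and arg_after(rule, "-i") == dmz_if   # (b) DMZ hosts must not
                and arg_after(rule, "-o") == internal_if               # initiate freely inward
                and "NEW" in states and "--dport" not in rule):
            findings.append("FORWARD: unrestricted new connections from DMZ to internal")
    return findings

GOOD = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth_dmz -o eth_int -p tcp -d 10.1.0.5 --dport 5432 -j ACCEPT
COMMIT
"""
BAD = """*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -j ACCEPT
-A FORWARD -i eth_dmz -o eth_int -j ACCEPT
COMMIT
"""
```

Running `audit(GOOD)` yields no findings, while `audit(BAD)` reports the ACCEPT default policy, the blanket allow, and the open DMZ-to-internal path, one finding per failed check.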