SC-7 - Boundary Protection
Control requirements
The information system:
- SC-7 (a): Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
- SC-7 (b): Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
- SC-7 (c): Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Additional IBM Cloud for Financial Services specifications
- The organization "service delivery" and "corporate" environments must be maintained as separate environments. That is, clear physical and/or logical boundaries separating the two environments must exist.
Implementation guidance
See the resources that follow to learn more about how to implement this control.
IBM Cloud for Financial Services profile
The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.
| Requirement ID | Rules |
|---|---|
| SC-7 (a) | |
| SC-7 (b) | |
| SC-7 (c) | |
NIST supplemental guidance
Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.
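As an added illustration of two points in the guidance above, restricting external web traffic to designated web servers in a DMZ and prohibiting external traffic that appears to spoof internal addresses, the following is an example policy evaluator for a boundary device's external interface. It is example code, not part of the NIST text or of the IBM Cloud for Financial Services profile; the address ranges, the designated servers and the port list are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed addressing plan for the example (assumption, not from the page).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
DMZ_NET = ipaddress.ip_network("203.0.113.0/24")   # publicly accessible subnetwork
DESIGNATED_WEB_SERVERS = {ipaddress.ip_address("203.0.113.10"),
                          ipaddress.ip_address("203.0.113.11")}
WEB_PORTS = {80, 443}


def is_internal(addr):
    """True if addr belongs to one of the internal organizational networks."""
    return any(addr in net for net in INTERNAL_NETS)


def evaluate_ingress(src, dst, dport):
    """Decide whether a packet arriving on the EXTERNAL interface may pass.

    Returns (verdict, reason). The order of checks matters: anti-spoofing
    runs first, so a packet from outside claiming an internal or DMZ source
    is dropped before any allow rule can match it.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_internal(src) or src in DMZ_NET:
        return ("deny", "spoofed-internal-source")
    if is_internal(dst):
        # External traffic never reaches the internal network directly;
        # it must terminate on a managed interface in the DMZ.
        return ("deny", "direct-to-internal")
    if dst in DMZ_NET:
        if dst in DESIGNATED_WEB_SERVERS and dport in WEB_PORTS:
            return ("allow", "designated-web-server")
        return ("deny", "undesignated-dmz-host-or-port")
    return ("deny", "default-deny")


def audit(flows):
    """Apply the policy to (src, dst, dport) tuples and tally deny reasons.

    The tally is the 'monitors' half of SC-7(a): a spike in
    spoofed-internal-source denies is worth alerting on.
    """
    deny_reasons = Counter()
    for src, dst, dport in flows:
        verdict, reason = evaluate_ingress(src, dst, dport)
        if verdict == "deny":
            deny_reasons[reason] += 1
    return deny_reasons
```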