Control requirements

Additional IBM Cloud for Financial Services specifications

The organization "service delivery" and "corporate" environments must be maintained as separate environments. That is, clear physical and/or logical boundaries separating the two environments must exist.

If Voice over Internet Protocol (VoIP) technology is in use, (a) establish usage restrictions and implementation guidance based on the potential to cause damage to the information system if used maliciously; and (b) authorize, monitor, and control the use of VoIP within the information system.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

• IBM Cloud account setup

• Connectivity to IBM Cloud services with Satellite Link

• Ensuring isolation between Satellite management functions and workload functions

• Accessing external resources from the Satellite location

• Consumer connectivity to workload resources

• Creating and connecting the management and workload VPCs

• Accessing the public internet

• Connecting application provider to the management VPC

• Connectivity to IBM Cloud services with private endpoints

• Consumer connectivity to workload VPC

NIST supplemental guidance

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).