IVS-09: Segmentation

Control Statement

Multi-tenant organizationally-owned or managed (physical and virtual) applications, and infrastructure system and network components, shall be designed, developed, deployed, and configured such that provider and customer (tenant) user access is appropriately segmented from other tenant users, based on the following considerations:

• Established policies and procedures
• Isolation of business critical assets and/or sensitive user data, and sessions that mandate stronger internal controls and high levels of assurance
• Compliance with legal, statutory, and regulatory compliance obligations