ID.AM-3: Organizational communication and data flows are mapped
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
AC-4: Information Flow Enforcement
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].
CA-3: Information Exchange
Approve and manage the exchange of information between the system and other systems using [Assignment (one or more): interconnection security agreements, information exchange security agreements, memoranda of understanding or agreement, service level agreements, user agreements, nondisclosure agreements, [Assignment: organization-defined type of agreement]]; Document, as part of each exchange agreement, the interface characteristics, security and…
CA-9: Internal System Connections
Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system; Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; Terminate internal system connections after [Assignment: organization-defined conditions]; and Review [Assignment: organization-defined frequency] the continued need for each internal connection.
PL-8: Security and Privacy Architectures
Develop security and privacy architectures for the system that: Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals; Describe how the architectures are integrated into and support…
SA-17: Developer Security and Privacy Architecture and Design
Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that: Is consistent with the organization’s security and privacy architecture that is an integral part of the organization’s enterprise architecture; Accurately and completely describes the required security and privacy functionality, and the allocation of controls…
NIST Special Publication 800-171 Revision 2
3.1.3: Control the flow of CUI in accordance with approved authorizations
Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to…
3.13.1: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or…
Cloud Controls Matrix v3.0.1
DSI-02: Data Inventory / Flows
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service’s geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties to ascertain any regulatory, statutory,…
Critical Security Controls Version 8
3: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
NIST Special Publication 800-53 Revision 4
AC-4: Information Flow Enforcement
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
CA-3: System Interconnections
The organization: Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
CA-9: Internal System Connections
The organization: Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
PL-8: Information Security Architecture
The organization: Develops an information security architecture for the information system that: Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information; Describes how the information security architecture is integrated into and supports the enterprise architecture; and Describes any information security assumptions about,…
Critical Security Controls Version 7.1
11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
15: Wireless Access Control
The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (WLANs), access points, and wireless client systems.